Windows Clients Won't Do Kerberos

Michael B Allen mba2000 at
Fri Jun 30 02:47:19 EDT 2006

On Fri, 30 Jun 2006 04:10:35 GMT
Jeffrey Altman <jaltman2 at> wrote:

> Michael B Allen wrote:
> > It could be (2). But it's not specific to IE because the wsh script
> > generates the same error and it just uses the WinHttpRequest interface. So
> > it would have to be a machine level or "Global Policy" type of setting.
> > 
> > It could be (4) if there's something wrong with the account. As per my
> > instructions he created a Computer account and ran ktpass to generate
> > an "RC4-HMAC-NT" keytab. Maybe he should have used a User account and
> > DES? I've tested all of this with my very vanilla W2K3 KDC. Considering
> > the keytab credential was used successfully by the installer to query
> > an AD group I'm thinking this isn't the problem.
> Do you have a network monitor?  If so, look for HTTP service ticket
> requests that are being denied.

Yeah. I just worked out exactly how to install netcap.exe on XP and
get a capture. I think it is indeed something wrong with trying to
acquire the HTTP service ticket. If I disable the Computer account in
my environment I get exactly the same behavior as the customer. IE gets

> If you don't see them, then you most
> likely have not added the host url to the Trusted Sites list.  This
> is required in order for WinHttpRequest or IE to perform Kerberos
> negotiate.

Interesting. So that also affects WinHttpRequest. Regardless we've
been over that twice already. The customer definitely has that
set. Incidentally I think the proper method is to add the domain to
the IntrAnet zone like 'http://*'. I think the Trusted Sites list
is more for IntErnet sites like, etc.


Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
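One way to inspect and set the per-host zone mapping the reply above is talking about (Local intranet zone versus Trusted sites), as an added PowerShell example that is not part of the original thread; it uses the standard per-user IE ZoneMap registry location, and the host `sso.example.com` is a placeholder.

```powershell
# Added example, not from the mailing list thread. Reads and writes the per-user
# IE security zone mapping (HKCU ZoneMap). Assumes the machine-wide HKLM-only
# zone policy is not enforced; if it is, the same layout exists under HKLM.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites';
                3 = 'Internet';    4 = 'Restricted sites' }
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapping {
    param([string]$Domain, [string]$HostLabel, [string]$Scheme = 'http')
    # A mapping lives at Domains\<domain>\<hostlabel> as a DWORD named after the scheme,
    # whose value is the zone id. A '*' host label covers the whole domain.
    $key = Join-Path $ZoneMapDomains "$Domain\$HostLabel"
    if (-not (Test-Path $key)) { return $null }
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$Scheme
    if ($null -eq $value) { return $null }
    [pscustomobject]@{
        Host   = "$HostLabel.$Domain"
        Scheme = $Scheme
        ZoneId = [int]$value
        Zone   = $ZoneNames[[int]$value]
    }
}

function Set-IntranetMapping {
    param([string]$Domain, [string]$HostLabel, [string]$Scheme = 'http')
    # Zone 1 = Local intranet, the zone the reply recommends for SSO hosts;
    # zone 2 = Trusted sites, which is what the customer had configured.
    $key = Join-Path $ZoneMapDomains "$Domain\$HostLabel"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ZoneMapping -Domain $Domain -HostLabel $HostLabel -Scheme $Scheme
}

# Placeholder host (constructed); replace with the real SSO web server.
$before = Get-ZoneMapping -Domain 'example.com' -HostLabel 'sso'
if ($null -eq $before) {
    'No ZoneMap entry for http://sso.example.com; host is not explicitly zoned.'
} else {
    "Current mapping: $($before.Zone) (zone id $($before.ZoneId))"
}
$after = Set-IntranetMapping -Domain 'example.com' -HostLabel 'sso'
"New mapping: $($after.Zone) (zone id $($after.ZoneId))"
```

Use the host label `*` instead of `sso` to map the entire domain, which is the form the reply above describes.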
