kerberos/spnego sso closer

John User johnuser755 at yahoo.com
Wed Sep 6 01:30:33 EDT 2006


Maybe a step closer:
when running ktpass used crypto type des-crc-md5.
There is now a session ticket available to both IE and
Firefox.

(Now the issue is to undo all the changes that were
attempted in tracing this issue)

--- Michael B Allen <mba2000 at ioplex.com> wrote:

> On Tue, 5 Sep 2006 16:38:24 -0700 (PDT)
> John User <johnuser755 at yahoo.com> wrote:
> 
> > > > Neither IE nor firefox make any attempt to get a session ticket,
> > > > - though they do send something encrypted back in response.
> > > 
> > > The client probably already had the ticket so no comm. with KDC was
> > > necessary. You should see the client submit 'Authorization: Negotiate
> > > YIIExka83jsmd...more base64 encoded data'.
> > >
> > 
> > klist on client shows no ticket to HTTP/hostname
> 
> This sounds like a problem I had. I never figured it out. I concluded
> that despite having asked the user to check various settings multiple
> times, they must have simply been incorrect.
> 
> Go through the various sites lists and eradicate all applicable
> entries. There should be only one entry in the IntrAnet sites list. It
> must be in a form like:
> 
>   http://*.domain.com
> 
> If you're using a proxy, try temporarily disabling the proxy settings
> (or add the target site to the proxy exclusion list).
> 
> > If run under IE I get a logon screen. Under Firefox I get nothing.
> > I am assuming that the client is defaulting and returning not
> > spnego/kerberos, but spnego/NTLM.
> 
> Install WireShark, reboot, start WireShark, and visit the site. Send me
> the capture if you're not certain about what to look for.
> 
> > One question I have is whether WebLogic needs to add anything to
> > "Negotiate"? Is this sufficient for IE to run the default
> > spnego/kerberos packets?
> 
> Nope. The initial HTTP response header is simply:
> 
>   WWW-Authenticate: Negotiate
> 
> and nothing more. That is all that should be necessary for IE to
> initiate a Kerberos authentication. It should try to get a ticket for
> the target SPN and then submit a base64 encoded token in a header that
> looks like:
> 
>   Authorization: Negotiate YIIjasJSHjS<snipbase64encodedstuff>kSJSjSf==
> 
> Please let us know what you find either way. Like I said, I had one
> customer that was completely stumped by this. If I were better at VB
> I would write a little script to check all the necessary settings, try
> to get a service ticket, and do a simple authenticated HTTP request as
> a diagnostic.
> 
> Mike
> 
> -- 
> Michael B Allen
> PHP Active Directory SSO
> http://www.ioplex.com/
> 


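The two checks the thread keeps circling back to are (1) whether the server's initial 401 carries a bare `WWW-Authenticate: Negotiate` challenge and (2) whether the token the browser returns in `Authorization: Negotiate` is actually Kerberos or an NTLM fallback. The script below is an added example written for this page in Python (not the VB diagnostic Mike describes, and not code from the thread or from ioplex.com): it answers both questions offline by decoding the base64 token, walking its DER structure and reporting the GSS-API mechanism OIDs it finds. The OIDs are the standard SPNEGO, Kerberos, Microsoft Kerberos and NTLMSSP identifiers; the three sample tokens are constructed in the script itself and contain no real ticket material.

```python
import base64

# DER-encoded OID contents (tag/length omitted) for the GSS-API mechanisms seen in SPNEGO.
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a") # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_KRB5: "krb5", OID_MS_KRB5: "ms-krb5", OID_NTLMSSP: "ntlmssp"}
NTLM_SIGNATURE = b"NTLMSSP\x00"  # every NTLM message starts with this


def server_offers_negotiate(response_headers: str) -> bool:
    """True if the 401 response carries a bare 'WWW-Authenticate: Negotiate' challenge."""
    for line in response_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip() == "Negotiate":
            return True
    return False


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths), used only to build the sample tokens."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_walk(buf: bytes):
    """Yield (tag, content) for each TLV, descending into constructed types.
    OCTET STRINGs (0x04) are yielded but not entered: a mechToken is opaque to SPNEGO."""
    pos = 0
    while pos + 2 <= len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                      # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        content = buf[pos:pos + length]
        pos += length
        yield tag, content
        if tag & 0x20:                         # constructed: SEQUENCE, [n], APPLICATION n
            yield from der_walk(content)


def classify_negotiate_token(b64: str) -> dict:
    """Classify the value of an 'Authorization: Negotiate <b64>' header.
    Reports the outer wrapper, the mechanisms the client offered, and what the
    embedded mechToken really is (Kerberos AP-REQ or NTLM)."""
    b64 = b64.strip()
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    result = {"wrapper": "unknown", "mechs_offered": [], "mech_token": "none"}
    if raw.startswith(NTLM_SIGNATURE):         # NTLM with no SPNEGO wrapper at all
        result.update(wrapper="ntlm-raw", mech_token="ntlm")
        return result
    if not raw or raw[0] != 0x60:              # not a GSS-API InitialContextToken
        return result
    tlvs = der_walk(raw)
    try:
        next(tlvs)                             # the [APPLICATION 0] token itself
        oid_tag, mech_oid = next(tlvs)         # thisMech OID
    except StopIteration:
        return result
    if oid_tag != 0x06:
        return result
    if mech_oid in (OID_KRB5, OID_MS_KRB5):    # raw Kerberos GSS token, no SPNEGO
        result.update(wrapper="kerberos-raw", mech_token="kerberos-ap-req")
        return result
    if mech_oid != OID_SPNEGO:
        return result
    result["wrapper"] = "spnego"
    for tag, content in tlvs:                  # inside NegTokenInit
        if tag == 0x06:
            result["mechs_offered"].append(OID_NAMES.get(content, content.hex()))
        elif tag == 0x04 and result["mech_token"] == "none":
            if content.startswith(NTLM_SIGNATURE):
                result["mech_token"] = "ntlm"
            elif content[:1] == b"\x60":
                result["mech_token"] = "kerberos-ap-req"
            else:
                result["mech_token"] = "other"
    return result


def build_spnego_init(mech_oids, mech_token: bytes) -> str:
    """Construct a base64 SPNEGO NegTokenInit (sample data only, not a real client token)."""
    mech_types = der(0xA0, der(0x30, b"".join(der(0x06, o) for o in mech_oids)))
    token = der(0xA2, der(0x04, mech_token))
    neg_token_init = der(0xA0, der(0x30, mech_types + token))
    return base64.b64encode(der(0x60, der(0x06, OID_SPNEGO) + neg_token_init)).decode()


# Constructed samples: the AP-REQ body is a placeholder, the NTLM body is a zeroed NEGOTIATE.
SAMPLE_KERBEROS = build_spnego_init(
    [OID_MS_KRB5, OID_KRB5],
    der(0x60, der(0x06, OID_KRB5) + b"\x01\x00" + b"<constructed AP-REQ placeholder>"))
SAMPLE_NTLM_IN_SPNEGO = build_spnego_init(
    [OID_NTLMSSP], NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28)
SAMPLE_RAW_NTLM = base64.b64encode(NTLM_SIGNATURE + b"\x01\x00\x00\x00" + b"\x00" * 28).decode()

if __name__ == "__main__":
    print(server_offers_negotiate("HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\n"))
    for name, tok in [("kerberos", SAMPLE_KERBEROS), ("ntlm-in-spnego", SAMPLE_NTLM_IN_SPNEGO),
                      ("raw-ntlm", SAMPLE_RAW_NTLM)]:
        print(name, tok[:12], classify_negotiate_token(tok))
```

Run against a header captured from the browser (the WireShark capture Mike asks for, or the server's access log), the result distinguishes the case John suspects, a client that negotiated SPNEGO but only offered NTLMSSP, from a genuine Kerberos AP-REQ. The first base64 characters already give a rough tell: a GSS token beginning with `60 82` encodes to `YII`, which matches the `YIIE...` Mike quotes, while a bare NTLM message encodes to `TlRMTVNTUAA`. The decoder above is what lets you trust that tell rather than eyeball it.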


