AW: AW: AW: Some Users get Basic Auth?

Markus Moeller huaraz at moeller.plus.com
Thu Jul 12 05:12:27 EDT 2007


Matthias,

how long is the user logged in on the machine and what are the ticket 
lifetime settings in AD ? Before you lock and unlock the PC can you check 
with kerbtray the tickets in the ticket cache ?  They may be expired and 
some application (e.g. IE) can not trigger a ticket renew, but a lock and 
unlock triggers a ticket renew.

Markus

"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote in 
message 
news:A4987E8FC1C6CD44805DDE5676EE262E015783DD at w2kmail.konzern.intern...
Hello,

I havent managed to grep a useful packet capture yet.

But ive noticed something:

Right after the users get the auth box, they can lock their computer, login 
again, and the problem is gone?
They get a new krbtgt-ticket, and all is running fine for some time.

-----Ursprüngliche Nachricht-----
Von: Michael B Allen [mailto:mba2000 at ioplex.com]
Gesendet: Donnerstag, 14. Juni 2007 17:46
An: Djihangiroff, Matthias (KC-DD)
Cc: kerberos at mit.edu
Betreff: Re: AW: AW: AW: Some Users get Basic Auth?

On Thu, 14 Jun 2007 15:19:59 +0200
"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote:

> Hello,
>
> We'have just created a new domain Account and voila, all is running fine.
> So somekind of settings in the userprofile are incorrect, so the auth box 
> popped up.
>
> Now we have another problem.
>
> SOME users are getting this basic auth box somtimes. IE is running in NTLM 
> mode..
> If you close the IE, and open it again, with the same URL, all is running 
> fine.
>
> What the hell is wrong with this IE thing :-(

Hi Matthias,

Honestly the best way to determine what's going on is to get a packet 
capture and do a network analysis. The problem with that is that clients 
cache both positive and negative Kerberos ticket request results so you 
basically have to reboot the client, start the capture, launch IE, try the 
page and if it fails restart the browser and if it then succeeds stop the 
capture. If it doesn't fail or if it doesn't succeed after failing you won't 
have to two conditions you need to compare and you have no choice but to 
reboot the client and repeat.

But if you do get a capture like that I'll look at it. Can't guarantee I'll 
find anything but I'm always interested in these sorts of failure 
conditions.

There is a decription of getting a capture with netcap.exe in the appendix 
of that document I pointed you to before.

Also, you might try to get this patch:

  http://support.microsoft.com/kb/885887

It does sound remotely like what you're seeing and some people have had 
success with it when experiencing unreliable behavior like you're 
describing.

Mike

> -----Ursprüngliche Nachricht-----
> Von: Michael B Allen [mailto:mba2000 at ioplex.com]
> Gesendet: Mittwoch, 13. Juni 2007 08:57
> An: Djihangiroff, Matthias (KC-DD)
> Cc: Todd Stecher; kerberos at mit.edu
> Betreff: Re: AW: AW: Some Users get Basic Auth?
>
> On Wed, 13 Jun 2007 08:25:51 +0200
> "Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff at persona.de> wrote:
>
> > Thanks.
> >
> > Than i dont know why IE is switching to NTLM.
> > It doesnt matter if i type http://someserver or with our domain
> > http://someserver.konzern.intern (thats although the registerd
> > machine account in the domain).
> > The auth box pop ups every time.
> >
> > I think, thats somekind of defect windows profile.
> > If i login with MY windows account, all is running perfect. If i
> > login with a user account, they get the auth box. (Both on the same
> > machine, the same domain)
> >
> > I'm informing our Windows admins and hope, they can make some brand
> > new windows account for me for testing purposes in that domain.
>
> Matthias,
>
> On this website:
>
>   http://www.ioplex.com/support.html
>
> You will find a document called the Plexcel Operator's Manual. The 
> document is mostly about our SSO product but of course the protocol is the 
> same so the "Possible Issues" section has information about 
> troubleshooting this sort of thing. In particular look at Issue 3 and 
> Issue 5.
>
> Mike
>
> > ________________________________
> >
> > Von: Todd Stecher [mailto:tstecher at qwest.net]
> > Gesendet: Mittwoch, 13. Juni 2007 08:18
> > An: Djihangiroff, Matthias (KC-DD)
> > Cc: Michael B Allen; kerberos at mit.edu
> > Betreff: Re: AW: Some Users get Basic Auth?
> >
> >
> >
> > On Jun 12, 2007, at 11:04 PM, Djihangiroff, Matthias (KC-DD) wrote:
> >
> >
> > I've checked the browser settings, Integrated Windows Auth is
> > checked.
> >
> >
> >
> >
> > Where can i configer the browser, that it use only Kerberos?
> >
> > I didnt find any option.
> >
> >
> > You can't.  A lot of it depends on the URL you present to IE, which
> > will in turn dictate what protocol is chosen under SPNEGO.
> >
> > When you type "http://someserver", then IE will present the kerberos
> > package on the client with the service principal name (SPN) of
> > http/someserver.  For kerberos to work, you need a service ticket
> > matching that SPN.  This will only be possible if the web server is
> > properly registered with a machine account in your client's domain,
> > or potentially another domain in the forest (assuming you're using AD).
> >
> > In some cases, IE will do a reverse lookup and expand the someserver
> > to http/someserver.domain.com, but the SPN lookup rule still applies.
> >
> > If kerberos can't find the SPN (for example if the target server
> > isn't registered in a trusted domain, or the client's KDC can't be
> > reached over the presently connected network), it will drop back to
> > NTLM (wrapped in SPNEGO tokens).  There's really no easy way to
> > guarantee Kerberos, and, in fact, NTLM is frequently the protocol
> > chosen for http auth.
> >
> > We tried, in the old days to get rid of NTLM, but that's not
> > possible w/o service interruptions unless you can *always* get a
> > service ticket to the server.
> >
> > Todd
> >
> > persona service Verwaltungs AG & Co. KG Freisenbergstra_e 31 _ 58513
> > L_denscheid
> > Tel.: (02351) 950-0 _ Fax: (02351) 950-222 Sitz L_denscheid _
> > Registergericht Iserlohn, HRA Nr. 2930
> >
> > pers_nlich haftende Gesellschafterin: persona service AG
> > Gartenstra_e
> > 93 _ CH-4002 Basel Handelsregister Basel, Nr. CH-270.3.012.836-8
> > diese vertreten durch den Verwaltungsrat:
> > Dipl.-Ing. Werner M_ller (Pr_sident) und Dr. Sebastian Burckhardt
> > www.persona.de
> >
>
>
> --
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
> persona service Verwaltungs AG & Co. KG Freisenbergstraße 31 * 58513
> Lüdenscheid
> Tel.: (02351) 950-0 * Fax: (02351) 950-222 Sitz Lüdenscheid *
> Registergericht Iserlohn, HRA Nr. 2930
>
> persönlich haftende Gesellschafterin: persona service AG Gartenstraße
> 93 * CH-4002 Basel Handelsregister Basel, Nr. CH-270.3.012.836-8 diese
> vertreten durch den Verwaltungsrat:
> Dipl.-Ing. Werner Müller (Präsident) und Dr. Sebastian Burckhardt
> www.persona.de
>


--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
persona service Verwaltungs AG & Co. KG
Freisenbergstraße 31 . 58513 Lüdenscheid
Tel.: (02351) 950-0 . Fax: (02351) 950-222
Sitz Lüdenscheid . Registergericht Iserlohn, HRA Nr. 2930

persönlich haftende Gesellschafterin: persona service AG
Gartenstraße 93 . CH-4002 Basel
Handelsregister Basel, Nr. CH-270.3.012.836-8
diese vertreten durch den Verwaltungsrat:
Dipl.-Ing. Werner Müller (Präsident) und Dr. Sebastian Burckhardt
www.persona.de

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos






More information about the Kerberos mailing list