cross domain Integrated Windows Auth (aka SPNEGO)

Tim Alsop Tim.Alsop at CyberSafe.com
Thu Jun 4 15:00:49 EDT 2009


Hi,

One of our customers has a problem with Integrated Windows Authentication in the IE browser. They have two AD domains which are part of different forests, so an external trust is used. The workstation is joined to domain1 and the user logs onto this domain, then opens a browser to access a web server which is on a server joined to domain2. This is not working, but if a workstation on domain2 is used, the logon works fine.

From a Wireshark trace on the workstation we can see a TGS-REQ being sent to domain1 for HTTP/<hostname of webserver>@<DOMAIN1>, and of course this principal is not found in domain1, so "principal not found" is returned - the browser then uses NTLM and attempts to authenticate, but the web server we are using does not support NTLM.

Is there any way we can configure the workstation so that it knows which domain the web server is in? We found a section in the registry which looks like it might be the correct place to configure this, but it didn't help :(

Thanks in advance for your help,

Tim
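A small diagnostic, added here as an example and not part of Tim's post or of any vendor tool: it scans a constructed, tshark-style trace for the exact pattern described above (a TGS-REQ for the web server's SPN sent to the workstation's own realm, answered with KDC_ERR_S_PRINCIPAL_UNKNOWN, followed by the browser's NTLM fallback), and it models how a client-side host-to-realm mapping would redirect the service-ticket request to the right realm. The hostnames, realm names and IP addresses are placeholders; the mapping model is an assumption about client behaviour in the spirit of the mapping that `ksetup /addhosttorealmmap` maintains, not a statement about the registry section the customer tried.

```python
"""Diagnose the cross-realm SPNEGO failure from the post.

The trace lines below are CONSTRUCTED to mimic a tshark summary; hostnames,
realms and addresses are placeholders rather than values from the original
message.  Error code 7 is KDC_ERR_S_PRINCIPAL_UNKNOWN (RFC 4120).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

KDC_ERR_S_PRINCIPAL_UNKNOWN = 7

# Constructed sample: workstation 10.0.1.20 in DOMAIN1 asks its own KDC
# (10.0.1.5) for a ticket to a web server that lives in DOMAIN2.
SAMPLE_TRACE = """\
1 10.0.1.20 -> 10.0.1.5 KRB5 TGS-REQ sname=HTTP/web.domain2.example realm=DOMAIN1.EXAMPLE
2 10.0.1.5 -> 10.0.1.20 KRB5 KRB-ERROR error_code=7 (KDC_ERR_S_PRINCIPAL_UNKNOWN)
3 10.0.1.20 -> 10.0.2.30 HTTP GET / Authorization: Negotiate NTLMSSP_NEGOTIATE
"""

TGS_RE = re.compile(r"TGS-REQ sname=(?P<spn>\S+) realm=(?P<realm>\S+)")
ERR_RE = re.compile(r"KRB-ERROR error_code=(?P<code>\d+)")
NTLM_RE = re.compile(r"NTLMSSP_NEGOTIATE")


@dataclass
class Finding:
    spn: str            # service principal the client asked for
    realm_asked: str    # realm the TGS-REQ was sent to
    ntlm_fallback: bool # did the client then downgrade to NTLM?


def find_wrong_realm_lookups(trace: str) -> list[Finding]:
    """Return one Finding per TGS-REQ the KDC rejected as unknown principal."""
    findings: list[Finding] = []
    pending: tuple[str, str] | None = None  # last TGS-REQ awaiting a reply
    for line in trace.splitlines():
        if m := TGS_RE.search(line):
            pending = (m["spn"], m["realm"])
            continue
        if pending and (m := ERR_RE.search(line)) \
                and int(m["code"]) == KDC_ERR_S_PRINCIPAL_UNKNOWN:
            findings.append(Finding(pending[0], pending[1], ntlm_fallback=False))
            pending = None
            continue
        # An NTLM negotiate right after the rejection is the downgrade symptom.
        if findings and NTLM_RE.search(line):
            findings[-1].ntlm_fallback = True
    return findings


def resolve_realm(spn_host: str, workstation_realm: str,
                  host_to_realm: dict[str, str]) -> str:
    """Model (assumption, not Windows source) of client realm selection.

    With no mapping the client asks its own realm, which is the wrong-realm
    lookup seen in the trace.  With a DNS-suffix -> realm mapping the request
    goes to the web server's realm.  Longest matching suffix wins.
    """
    host = spn_host.lower()
    best: tuple[str, str] | None = None
    for suffix, realm in host_to_realm.items():
        s = suffix.lower().lstrip(".")
        if host == s or host.endswith("." + s):
            if best is None or len(s) > len(best[0]):
                best = (s, realm)
    return best[1] if best else workstation_realm


if __name__ == "__main__":
    for f in find_wrong_realm_lookups(SAMPLE_TRACE):
        host = f.spn.split("/", 1)[1]
        print(f"{f.spn}: asked {f.realm_asked}, NTLM fallback={f.ntlm_fallback}")
        print("  without mapping ->",
              resolve_realm(host, "DOMAIN1.EXAMPLE", {}))
        print("  with mapping    ->",
              resolve_realm(host, "DOMAIN1.EXAMPLE",
                            {"domain2.example": "DOMAIN2.EXAMPLE"}))
```

Run over a real capture, the `find_wrong_realm_lookups` output tells you whether the client ever asked domain2 at all; if every TGS-REQ for the HTTP SPN goes to domain1, the fix is on the client's realm resolution (or on routing via the trust), not on the web server. The NTLM fallback flag is also a useful detection signal in its own right, since a site that expects Kerberos-only should treat NTLMSSP on that vhost as a downgrade event.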