Julien ALLANOS said:
> I've just installed ethereal on the client, but I want to know which
> ports do I have to listen to to get KDC messages (cause a lot of packets
> are caught up without using a filter, and filtering on port 80 only isn't
> sufficient I believe to see dialogs between client SSPI layer and KDC).
> Actually, I have the same box for the client (web browser), the web server
> and the KDC, maybe the problem comes from that...
>
> So why my web browsers are sending NTLM tokens in the Authorization header,
> instead of SPNEGO tokens?

For IE, follow the directions on
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp
(I think someone has already made this point), including shutting down ALL
instances of IE and restarting IE.

Check your IE version. Microsoft claims IE 5.01 and later support SPNEGO.
I have always used IE 6.0 and recommend you upgrade to 6.0 (if necessary).

I have seen IE send NTLM tokens under the following circumstances:

1. web server sends IE the following:

       HTTP/1.1 401 Authorization Required
       ...
       WWW-Authenticate: NTLM
       ...

2. IE is NOT configured as above and web server sends IE the following:

       HTTP/1.1 401 Authorization Required
       ...
       WWW-Authenticate: Negotiate
       ...

mod_spnego sends WWW-Authenticate: Negotiate. So if you are using
mod_spnego, read Microsoft's directions very carefully.

Sniff the following traffic:

    HTTP between IE and web server (usually port 80)
    Kerberos between IE and KDC (usually port 88)

Frank
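
Once the HTTP traffic is captured, the token in the browser's Authorization header can be classified offline to confirm whether it is NTLM or SPNEGO. The following is an added example, not part of the original post or of mod_spnego; the function names, result labels and sample tokens are constructed for illustration, and the SPNEGO contents check is a byte-search heuristic rather than a full ASN.1 parse.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER-encoded mechanism OIDs (tag 0x06, length, value)
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),        # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),        # 1.2.840.48018.1.2.2 (MS variant)
)

def der_tlv(tag, body):
    """Minimal DER TLV builder for the constructed samples (bodies < 256 bytes)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes([tag]) + length + body

def classify_token(header_value):
    """Classify the token in an 'Authorization: Negotiate|NTLM <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other-scheme"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed-base64"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "raw-ntlm"                 # NTLMSSP message with no GSS-API framing
    if token[:1] == b"\xa1":
        return "spnego-response"          # NegTokenResp, a later leg of the exchange
    if token[:1] != b"\x60" or len(token) < 2:
        return "unknown"
    # Skip the outer DER length (short or long form) to reach thisMech.
    pos = 2 + (token[1] & 0x7F if token[1] & 0x80 else 0)
    mech = token[pos:]
    if mech.startswith(KRB5_OIDS):
        return "raw-kerberos"
    if not mech.startswith(SPNEGO_OID):
        return "unknown-gss-mech"
    if NTLMSSP_SIGNATURE in mech:
        return "spnego-wrapping-ntlm"
    return "spnego-kerberos" if any(o in mech for o in KRB5_OIDS) else "spnego-other"

# Constructed samples (not captured traffic).
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + bytes.fromhex("07820000")
SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()
MECH_TYPES = der_tlv(0xA0, der_tlv(0x30, KRB5_OIDS[1] + KRB5_OIDS[0]))
MECH_TOKEN = der_tlv(0xA2, der_tlv(0x04, b"\x00" * 16))  # placeholder, not a real AP-REQ
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    der_tlv(0x60, SPNEGO_OID + der_tlv(0xA0, der_tlv(0x30, MECH_TYPES + MECH_TOKEN)))).decode()
```

A quick visual check in the sniffer gives the same answer: base64 tokens beginning with `TlRMTVNTUAAB` are NTLMSSP Type 1 messages.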