I can't speak for FireFox, but IE will not use Kerberos for authentication if the site is in the Internet zone.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/6291dce1-4ea8-4b4f-a9c1-23926ab6e8dd.mspx

The second common cause is that Internet Explorer 6.0 is attempting to access a site located in the Internet zone. Internet zone sites are prevented from using Integrated Windows authentication because these protocols do not typically work through Web proxies, among other reasons. If a site is located in the Internet zone, Internet Explorer 6.0 does not attempt to use Kerberos authentication, and automatically tries NTLM.

In all versions of Internet Explorer, when accessing a Web site to which you want to use Kerberos authentication, you must verify that the Web site appears as being in the local intranet zone. An icon in the lower right corner of the Internet Explorer window indicates what zone a Web site is in. It displays "Internet" for the Internet zone and "Local Intranet" for the intranet zone. If the Web site appears as being in the Internet zone, you must manually add the site to the local intranet sites list.

Jonathan Stephens [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Markus Moeller
Sent: Friday, August 26, 2005 1:26 PM
To: kerberos@mit.edu
Subject: Re: windows browsers send ntlm instead of kerberos tokens

Also can you do a kinit -k -t keytab HTTP/server successfully ?

Markus

"Julien ALLANOS" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Quoting Jeffrey Altman <[EMAIL PROTECTED]>:
>
>> Julien ALLANOS wrote:
>>
>>> Quoting Jeffrey Altman <[EMAIL PROTECTED]>:
>>>
>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>> support. If you want them to have Kerberos credentials, Windows must
>>>> obtain them for you when you login to Windows using an Active
>>>> Directory account.
>>>>
>>>> Jeffrey Altman
>>>
>>>
>>> OK, but how can I be certain that Windows did really obtain the
>>> Kerberos credentials at login, that FF or IE might be able to use after?
>>
>> Since you have MIT KFW installed you can list the contents of the
>> MSLSA ccache with
>>
>> klist -c MSLSA:
>>
>> Otherwise, you can install one of the Microsoft tools such as
>> kerbtray.exe that are available from the Microsoft download web site.
>>
>
> Thanks.
>
> Both klist -c MSLSA: and kerbtray tell me that the following tickets
> are given to me at login (verified by purging, logout and login
> again):
>
> * krbtgt/[EMAIL PROTECTED]
> * ldap/host.my.domain.tld/[EMAIL PROTECTED]
> * host/[EMAIL PROTECTED]
>
> However, IE or FF are still sending NTLM tickets. Any clue?
> --
> Julien ALLANOS
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
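
When diagnosing the symptom discussed in this thread, the token a browser places in its `Authorization: Negotiate` header shows directly whether it sent Kerberos or fell back to NTLM. The following is an added example, not code from any poster in the thread: it classifies a header value by its raw NTLMSSP signature or by the first mechanism OID in the SPNEGO wrapper. The function names and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                        # every raw NTLM message starts with this
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (legacy Microsoft)
OID_NTLM = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
MECHS = {OID_KRB5: "kerberos", OID_MS_KRB5: "kerberos", OID_NTLM: "ntlm"}

def _tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (content_start, content_end)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return pos, pos + length

def classify_authorization(value):
    """Return 'kerberos', 'ntlm', 'unknown-mech' or 'malformed' for an Authorization value."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "malformed"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(NTLMSSP_SIG):             # NTLM sent bare, not wrapped in SPNEGO
            return "ntlm"
        pos, _ = _tlv(tok, 0, 0x60)                 # GSS-API InitialContextToken
        start, end = _tlv(tok, pos, 0x06)           # its mechanism OID
        if tok[start:end] == OID_SPNEGO:            # descend to the first offered mechType
            pos = end
            for tag in (0xA0, 0x30, 0xA0, 0x30):    # NegTokenInit -> mechTypes list
                pos, _ = _tlv(tok, pos, tag)
            start, end = _tlv(tok, pos, 0x06)
        return MECHS.get(tok[start:end], "unknown-mech")
    except ValueError:                              # bad base64 or bad DER framing
        return "malformed"

# Constructed sample inputs (not captured traffic); short DER lengths only.
def _enc(tag, body):
    return bytes([tag, len(body)]) + body
def sample_spnego(*mech_oids):                      # NegTokenInit offering mech_oids in order
    mechs = b"".join(_enc(0x06, o) for o in mech_oids)
    inner = _enc(0xA0, _enc(0x30, _enc(0xA0, _enc(0x30, mechs))))
    return "Negotiate " + base64.b64encode(_enc(0x60, _enc(0x06, OID_SPNEGO) + inner)).decode()
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIG + b"\x01\x00\x00\x00").decode()
```

A raw NTLM token is also recognisable by eye: its base64 form always begins with `TlRMTVNTUAAB` for the initial message.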