Quoting Markus Moeller <[EMAIL PROTECTED]>:
Also can you do a kinit -k -t keytab HTTP/server successfully ?
Markus
"Julien ALLANOS" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Quoting Jeffrey Altman <[EMAIL PROTECTED]>:
Julien ALLANOS wrote:
Quoting Jeffrey Altman <[EMAIL PROTECTED]>:
Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
support. If you want them to have Kerberos credentials, Windows must
obtain them for you when you login to Windows using an Active Directory
account.
Jeffrey Altman
OK, but how can I be certain that Windows did really obtain the Kerberos
credentials at login, that FF or IE might be able to use after?
Since you have MIT KFW installed you can list the contents of the
MSLSA ccache with
klist -c MSLSA:
Otherwise, you can install one of the Microsoft tools such as
kerbtray.exe that are available from the Microsoft download web site.
Thanks.
Both klist -c MSLSA: and kerbtray tell me that the following tickets are
given
to me at login (verified by purging, logout and login again):
* krbtgt/[EMAIL PROTECTED]
* ldap/host.my.domain.tld/[EMAIL PROTECTED]
* host/[EMAIL PROTECTED]
However, IE or FF are still sending NTLM tickets. Any clue?
OK guys, thanks for your answers.
Yes, my browsers are correctly configured.
Actually it might be a hostname issue: the domain is my.domain.tld, my
webserver/AD/KDC is host.my.domain.tld and has a CNAME for my.domain.tld. I
also want to access the webserver via http://my.domain.tld/. The keytab was
generated for the HTTP/[EMAIL PROTECTED] principal, that's why:
kinit -5 -k -t keytab HTTP/[EMAIL PROTECTED]
works, but not:
kinit -5 -k -t keytab HTTP/[EMAIL PROTECTED]
The strange thing is that I've added another box to the domain, added both
hostnames to FF's auto nego parameters and tried to access both URLs from this
new box, but I get the same thing (an NTLM token is sent), and ethereal doesn't
show any traffic on TCP port 88.
Any help please?
--
Julien ALLANOS
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
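
To confirm from a capture or server log which mechanism a browser actually offered, the base64 value of the Authorization: Negotiate header can be classified by its leading bytes. This is an added example, not part of the original thread: the function names and sample tokens are constructed, and the SPNEGO branch is a byte-search heuristic rather than a full ASN.1 parse.

```python
import base64

# DER-encoded mechanism OIDs (tag 0x06, length, value)
SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2
NTLM = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def classify(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64.strip():
        return "no-token"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "malformed"
    if tok.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"  # NTLMSSP message sent without SPNEGO wrapping
    if len(tok) < 4 or tok[0] != 0x60:
        return "unknown"
    # Skip the DER length of the GSS-API InitialContextToken to reach thisMech.
    off = 2 + (tok[1] & 0x7F if tok[1] & 0x80 else 0)
    body = tok[off:]
    if body.startswith((KRB5, MS_KRB5)):
        return "kerberos"
    if not body.startswith(SPNEGO):
        return "unknown"
    # Heuristic: the first mechanism OID found after the SPNEGO OID is taken
    # as the initiator's preferred mechType.
    hits = [(body.find(oid), name) for oid, name in
            ((KRB5, "kerberos"), (MS_KRB5, "kerberos"), (NTLM, "ntlm")) if oid in body]
    return "spnego-" + min(hits)[1] if hits else "unknown"

def _tlv(tag, body):
    # Short-form DER length only; enough for the constructed samples below.
    return bytes([tag, len(body)]) + body

def sample(mech_oids):
    """Constructed SPNEGO NegTokenInit header carrying only a mechTypes list."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(mech_oids)))
    neg_init = _tlv(0xA0, _tlv(0x30, mech_types))
    return "Negotiate " + base64.b64encode(_tlv(0x60, SPNEGO + neg_init)).decode()

if __name__ == "__main__":
    for hdr in ("Negotiate TlRMTVNTUAABAAAA",        # constructed raw NTLMSSP prefix
                sample([MS_KRB5, KRB5, NTLM]), sample([NTLM])):
        print(classify(hdr))
```

A "raw-ntlm" or "spnego-ntlm" result together with no traffic to the KDC on port 88 indicates the client never requested a service ticket for the HTTP principal.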