That sounds interesting. Note that the customer ran kerbtray and it shows he has tickets for stuff like cifs/[EMAIL PROTECTED] and host/[EMAIL PROTECTED] So it looks like the workstations CAN do Kerberos, they just don't want to do it with the HTTP SPN.
But the group policy thing sounds interesting. I'll check it out. Thanks, Mike On Thu, 29 Jun 2006 14:09:13 -0700 [EMAIL PROTECTED] wrote: > Turn off NTLM with Group Policy > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf > Of [EMAIL PROTECTED] > Sent: Thursday, June 29, 2006 1:37 PM > To: kerberos@mit.edu > Subject: Windows Clients Won't Do Kerberos > > > I'm testing a Windows -> Apache Kerberos SSO product (see sig) with a > customer and it's not working for them. The client is always asking for > NTLM. It never even tries Kerberos. I know it's not browser settings > because I wrote a simple wsh script and it too only tries NTLMSSP (whereas > on my test network it works fine). > > Can anyone think of a reason why XP clients would refuse to try Kerberos > when accessing services (e.g. HTTP)? I've been through all the usual > reasons but we just can't get it to work. Is there some kind of mode that > a Windows domain controller can run in that causes all clients not to do > Kerberos at all? Can anyone recommend a diagnostic? > > Thanks, > Mike > > -- > Michael B Allen > PHP Extension for SSO w/ Windows Group Authorization > http://www.ioplex.com/ ________________________________________________ > Kerberos mailing list Kerberos@mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos > -- Michael B Allen PHP Extension for SSO w/ Windows Group Authorization http://www.ioplex.com/ ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
