Thanks. Then I don't know why IE is switching to NTLM. It doesn't matter if I type http://someserver or with our domain http://someserver.konzern.intern (that's also the registered machine account in the domain). The auth box pops up every time. I think that's some kind of defective Windows profile. If I log in with MY Windows account, all is running perfectly. If I log in with a user account, they get the auth box. (Both on the same machine, the same domain.) I'm informing our Windows admins and hope they can make some brand new Windows account for me for testing purposes in that domain.

Matthias
________________________________
From: Todd Stecher [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 13 June 2007 08:18
To: Djihangiroff, Matthias (KC-DD)
Cc: Michael B Allen; [email protected]
Subject: Re: AW: Some Users get Basic Auth?

On Jun 12, 2007, at 11:04 PM, Djihangiroff, Matthias (KC-DD) wrote:

I've checked the browser settings, Integrated Windows Auth is checked. Where can I configure the browser so that it uses only Kerberos? I didn't find any option.

You can't. A lot of it depends on the URL you present to IE, which will in turn dictate what protocol is chosen under SPNEGO.

When you type "http://someserver", then IE will present the Kerberos package on the client with the service principal name (SPN) of http/someserver. For Kerberos to work, you need a service ticket matching that SPN. This will only be possible if the web server is properly registered with a machine account in your client's domain, or potentially another domain in the forest (assuming you're using AD). In some cases, IE will do a reverse lookup and expand the someserver to http/someserver.domain.com, but the SPN lookup rule still applies.

If Kerberos can't find the SPN (for example if the target server isn't registered in a trusted domain, or the client's KDC can't be reached over the presently connected network), it will drop back to NTLM (wrapped in SPNEGO tokens).

There's really no easy way to guarantee Kerberos, and, in fact, NTLM is frequently the protocol chosen for HTTP auth. We tried, in the old days, to get rid of NTLM, but that's not possible w/o service interruptions unless you can *always* get a service ticket to the server.

Todd

persona service Verwaltungs AG & Co. KG
Freisenbergstraße 31
58513 Lüdenscheid
Tel.: (02351) 950-0
Fax: (02351) 950-222
Registered office Lüdenscheid, Register court Iserlohn, HRA No. 2930
Personally liable partner: persona service AG, Gartenstraße 93, CH-4002 Basel, Commercial register Basel, No. CH-270.3.012.836-8, represented by the board of directors: Dipl.-Ing. Werner Müller (President) and Dr. Sebastian Burckhardt
www.persona.de
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
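Todd's reply explains that when IE cannot get a service ticket for the SPN it silently drops to NTLM wrapped in SPNEGO, and that there is no browser switch to force Kerberos. What a server admin in Matthias's position can do is look at what the client actually sent: the base64 blob in the `Authorization: Negotiate` header is a DER-encoded SPNEGO NegTokenInit whose mechTypes list says which mechanisms the client offered (preferred first) and whose mechToken carries either a Kerberos AP-REQ or an NTLMSSP message. The following is an added example written for this thread, not code from the mailing list or from Microsoft: a minimal stdlib-only decoder that classifies a Negotiate header as Kerberos or NTLM fallback, plus an encoder used only to build constructed sample tokens (the Kerberos payload in the sample is a placeholder, not a real AP-REQ). Run against real headers from the web server's access or trace logs, it separates the working profile from the one that falls back.

```python
# Added example (not from the thread): decode the SPNEGO token in an HTTP
# "Authorization: Negotiate ..." header to see whether the client offered
# Kerberos or fell back to NTLM. Pure stdlib; the samples below are constructed.
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
OID_NAMES = {KRB5_OID: "Kerberos V5", MS_KRB5_OID: "MS KRB5", NTLMSSP_OID: "NTLMSSP"}

def _der_len(n):                      # DER length: short form below 128, else long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _read_tlv(buf, pos):              # -> (tag, body, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted):               # dotted string -> DER OBJECT IDENTIFIER
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                    # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body):                 # DER OID content octets -> dotted string
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _mech_token_kind(tok):            # name the mechanism whose token this is
    if tok.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP type %d" % int.from_bytes(tok[8:12], "little")
    if tok[:1] == b"\x60":            # GSS-API InitialContextToken: mech OID, then AP-REQ
        tag, oid, _ = _read_tlv(_read_tlv(tok, 0)[1], 0)
        if tag == 0x06 and decode_oid(oid) in (KRB5_OID, MS_KRB5_OID):
            return "Kerberos AP-REQ"
    return "unknown"

def classify_negotiate(header_value):
    """Return {'wrapper', 'offered', 'mech_token'} for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):   # NTLM sent with no SPNEGO wrapper at all
        return {"wrapper": "raw NTLM", "offered": ["NTLMSSP"], "mech_token": _mech_token_kind(tok)}
    tag, body, _ = _read_tlv(tok, 0)
    oid_tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x60 or oid_tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not a SPNEGO InitialContextToken")
    tag, neg, _ = _read_tlv(body, pos)
    if tag != 0xA0:                       # [0] NegTokenInit ([1] would be a NegTokenResp)
        raise ValueError("not a NegTokenInit")
    fields, offered, mech_token, pos = _read_tlv(neg, 0)[1], [], None, 0
    while pos < len(fields):
        ctag, cbody, pos = _read_tlv(fields, pos)
        if ctag == 0xA0:                  # [0] mechTypes: SEQUENCE OF OID, preferred first
            lst, p = _read_tlv(cbody, 0)[1], 0
            while p < len(lst):
                _, ob, p = _read_tlv(lst, p)
                offered.append(OID_NAMES.get(decode_oid(ob), decode_oid(ob)))
        elif ctag == 0xA2:                # [2] mechToken: OCTET STRING for the first mechType
            mech_token = _mech_token_kind(_read_tlv(cbody, 0)[1])
    return {"wrapper": "SPNEGO", "offered": offered, "mech_token": mech_token}

def build_negotiate_header(mech_oids, mech_token):   # client-side encoder, used for samples
    mech_list = _tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    fields = _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token))
    gss = _tlv(0x60, encode_oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, fields)))
    return "Negotiate " + base64.b64encode(gss).decode()

# Constructed samples: the AP-REQ body is a placeholder, not a real Kerberos ticket.
FAKE_AP_REQ = _tlv(0x60, encode_oid(KRB5_OID) + b"\x01\x00<ap-req placeholder>")
NTLM_TYPE1 = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + (0x00088207).to_bytes(4, "little")
SAMPLE_KERBEROS = build_negotiate_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], FAKE_AP_REQ)
SAMPLE_NTLM_FALLBACK = build_negotiate_header([NTLMSSP_OID], NTLM_TYPE1)
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(NTLM_TYPE1).decode()

if __name__ == "__main__":
    for h in (SAMPLE_KERBEROS, SAMPLE_NTLM_FALLBACK, SAMPLE_RAW_NTLM):
        print(classify_negotiate(h))
```

A result whose `mech_token` is `Kerberos AP-REQ` means the client did obtain a service ticket for the SPN it derived from the URL; `NTLMSSP type 1` (or the raw NTLM wrapper) is the fallback Todd describes, and for that profile the next thing to check is whether a ticket for http/someserver can be obtained at all (for example with klist on the client) rather than anything in the browser settings.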
