IE6 Fallback to NTLM - Kerberos

This is a discussion on IE6 Fallback to NTLM - Kerberos ; IE (6) and Kerberos At some (actually one) locations in our network (which is spread all over the Netherlands) we have the problem that IE6 randomly falls back to NTLM, while FF keeps on working flawlessly. Does anybody has a ...

+ Reply to Thread
Results 1 to 5 of 5

Thread: IE6 Fallback to NTLM

  1. IE6 Fallback to NTLM

    IE (6) and Kerberos

    At some (actually one) locations in our network (which is spread all
    over the Netherlands) we have the problem that IE6 randomly falls back
    to NTLM, while FF keeps on working flawlessly.

    Does anybody has a clou what is happening? Tickets are valid and
    available, and when a new instance of IE is opened, everything works OK
    again.

    The facts:
    Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5 release 1.4.3)
    Client: IE6 on XP
    Tickets are served by Active Directory.

    Thanks in advance, Johan Bosma (j.bosma (at) mindef.nl)

  2. Re: IE6 Fallback to NTLM

    On Mon, Nov 10, 2008 at 4:06 PM, Jobo wrote:
    > IE (6) and Kerberos
    >
    > At some (actually one) locations in our network (which is spread all
    > over the Netherlands) we have the problem that IE6 randomly falls back
    > to NTLM, while FF keeps on working flawlessly.
    >
    > Does anybody has a clou what is happening? Tickets are valid and
    > available, and when a new instance of IE is opened, everything works OK
    > again.
    >
    > The facts:
    > Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5 release 1.4.3)
    > Client: IE6 on XP
    > Tickets are served by Active Directory.


    In the past there have been a few bugs in cache handling on XP:

    http://support.microsoft.com/kb/906524
    http://support.microsoft.com/kb/885887

    Check your kerberos DLLs.

    But I haven't seen anyone complain about these sorts of things in a
    while so I'm not sure if the bugs described in these KBs are really
    relevant anymore.

    Note that FF can exhibit different behavior depending on how it's
    configured. Note that for some strange reason, FF on Linux actually
    requests a service ticket with each HTTP request even though it has a
    perfectly good one in the cache. So make sure you're testing FF on
    Windows if you want a fair comparison.

    Mike

    --
    Michael B Allen
    PHP Active Directory SPNEGO SSO
    http://www.ioplex.com/

  3. Re: IE6 Fallback to NTLM

    >>>>> "Jobo" == Jobo writes:

    Jobo> IE (6) and Kerberos At some (actually one) locations in our
    Jobo> network (which is spread all over the Netherlands) we have the
    Jobo> problem that IE6 randomly falls back to NTLM, while FF keeps on
    Jobo> working flawlessly.

    Jobo> Does anybody has a clou what is happening? Tickets are valid and
    Jobo> available, and when a new instance of IE is opened, everything
    Jobo> works OK again.

    Jobo> The facts: Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5
    Jobo> release 1.4.3) Client: IE6 on XP Tickets are served by Active
    Jobo> Directory.

    Jobo> Thanks in advance, Johan Bosma (j.bosma (at) mindef.nl)

    Is the name you're giving the browser for the webserver perhaps a DNS
    alias (CNAME RR)? Bizarre and pointless as it is, Microsoft "doesn't like
    CNAMEs" (direct quote from a Microsoft engineer), and I've seen it behave
    like this.

    --
    Richard Silverman
    res@qoxp.net


  4. Re: IE6 Fallback to NTLM

    Michael B Allen schreef:
    > On Mon, Nov 10, 2008 at 4:06 PM, Jobo wrote:
    >> IE (6) and Kerberos
    >>
    >> At some (actually one) locations in our network (which is spread all
    >> over the Netherlands) we have the problem that IE6 randomly falls back
    >> to NTLM, while FF keeps on working flawlessly.
    >>
    >> Does anybody has a clou what is happening? Tickets are valid and
    >> available, and when a new instance of IE is opened, everything works OK
    >> again.
    >>
    >> The facts:
    >> Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5 release 1.4.3)
    >> Client: IE6 on XP
    >> Tickets are served by Active Directory.

    >
    > In the past there have been a few bugs in cache handling on XP:
    >
    > http://support.microsoft.com/kb/906524
    > http://support.microsoft.com/kb/885887
    >
    > Check your kerberos DLLs.
    >
    > But I haven't seen anyone complain about these sorts of things in a
    > while so I'm not sure if the bugs described in these KBs are really
    > relevant anymore.
    >
    > Note that FF can exhibit different behavior depending on how it's
    > configured. Note that for some strange reason, FF on Linux actually
    > requests a service ticket with each HTTP request even though it has a
    > perfectly good one in the cache. So make sure you're testing FF on
    > Windows if you want a fair comparison.
    >
    > Mike
    >

    Actually we had these problems, and solved them with the
    AllowTgtSessionKey registry setting. FF is also on Windows.
    Thnx anyway, I read all the ioplex stuff.

  5. Re: IE6 Fallback to NTLM

    Richard E. Silverman schreef:
    >>>>>> "Jobo" == Jobo writes:

    >
    > Jobo> IE (6) and Kerberos At some (actually one) locations in our
    > Jobo> network (which is spread all over the Netherlands) we have the
    > Jobo> problem that IE6 randomly falls back to NTLM, while FF keeps on
    > Jobo> working flawlessly.
    >
    > Jobo> Does anybody has a clou what is happening? Tickets are valid and
    > Jobo> available, and when a new instance of IE is opened, everything
    > Jobo> works OK again.
    >
    > Jobo> The facts: Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5
    > Jobo> release 1.4.3) Client: IE6 on XP Tickets are served by Active
    > Jobo> Directory.
    >
    > Jobo> Thanks in advance, Johan Bosma (j.bosma (at) mindef.nl)
    >
    > Is the name you're giving the browser for the webserver perhaps a DNS
    > alias (CNAME RR)? Bizarre and pointless as it is, Microsoft "doesn't like
    > CNAMEs" (direct quote from a Microsoft engineer), and I've seen it behave
    > like this.
    >

    Thanks, a CNAME it is!
    I gonna try your solution, it will take a couple or days, but I wil be back.

+ Reply to Thread