IE6 Fallback to NTLM - Kerberos
-
IE6 Fallback to NTLM
IE (6) and Kerberos
At some (actually one) locations in our network (which is spread all
over the Netherlands) we have the problem that IE6 randomly falls back
to NTLM, while FF keeps on working flawlessly.
Does anybody have a clue what is happening? Tickets are valid and
available, and when a new instance of IE is opened, everything works OK
again.
The facts:
Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5 release 1.4.3)
Client: IE6 on XP
Tickets are served by Active Directory.
Thanks in advance, Johan Bosma (j.bosma (at) mindef.nl)
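
A server-side way to confirm the fallback described above, as an added example that is not part of the original thread: it classifies the token carried in each `Authorization` header as Kerberos or NTLM. The header values are constructed token heads (not real captures), and the names `classify` and `tally` are hypothetical.

```python
import base64
from collections import Counter

NTLMSSP_SIG = b"NTLMSSP\x00"   # every raw NTLM message starts with this
# DER-encoded mechanism OIDs, mapped to the label this script reports
MECH_OIDS = {
    bytes.fromhex("06092a864886f712010202"): "kerberos",   # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "kerberos",   # 1.2.840.48018.1.2.2 (Microsoft)
    bytes.fromhex("060a2b06010401823702020a"): "ntlm",     # 1.3.6.1.4.1.311.2.2.10
}

def classify(header_value):
    """Classify one Authorization header value as 'kerberos', 'ntlm' or 'unknown'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"
    if scheme.lower() != "negotiate":
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # malformed base64
        return "unknown"
    if token.startswith(NTLMSSP_SIG):       # NTLM sent bare under Negotiate
        return "ntlm"
    if token[:1] != b"\x60":                # not a GSS-API initial context token
        return "unknown"
    # The first mechanism OID in the token head is the one the client prefers.
    head = token[:64]
    hits = [(head.find(oid), label) for oid, label in MECH_OIDS.items() if oid in head]
    return min(hits)[1] if hits else "unknown"

def tally(header_values):
    """Count classifications over a list of Authorization header values."""
    return Counter(classify(v) for v in header_values)

def _b64(hexstr, pad=0):
    return base64.b64encode(bytes.fromhex(hexstr) + bytes(pad)).decode()

# Constructed samples: token heads only, padded with zero bytes; not real captures.
SPNEGO_KRB = "Negotiate " + _b64(
    "60820500" "06062b0601050502" "a08204f0" "308204ec" "a024" "3022"
    "06092a864882f712010202" "06092a864886f712010202" "060a2b06010401823702020a", 32)
RAW_NTLM = "Negotiate " + _b64("4e544c4d5353500001000000" "078208a2", 16)
SAMPLES = [SPNEGO_KRB, SPNEGO_KRB, RAW_NTLM, "Negotiate !!notbase64"]

if __name__ == "__main__":
    print(dict(tally(SAMPLES)))
```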
-
Re: IE6 Fallback to NTLM
On Mon, Nov 10, 2008 at 4:06 PM, Jobo wrote:
> IE (6) and Kerberos
>
> At some (actually one) locations in our network (which is spread all
> over the Netherlands) we have the problem that IE6 randomly falls back
> to NTLM, while FF keeps on working flawlessly.
>
> Does anybody have a clue what is happening? Tickets are valid and
> available, and when a new instance of IE is opened, everything works OK
> again.
>
> The facts:
> Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5 release 1.4.3)
> Client: IE6 on XP
> Tickets are served by Active Directory.
In the past there have been a few bugs in cache handling on XP:
http://support.microsoft.com/kb/906524
http://support.microsoft.com/kb/885887
Check your kerberos DLLs.
But I haven't seen anyone complain about these sorts of things in a
while so I'm not sure if the bugs described in these KBs are really
relevant anymore.
Note that FF can exhibit different behavior depending on how it's
configured. Note that for some strange reason, FF on Linux actually
requests a service ticket with each HTTP request even though it has a
perfectly good one in the cache. So make sure you're testing FF on
Windows if you want a fair comparison.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
-
Re: IE6 Fallback to NTLM
>>>>> "Jobo" == Jobo writes:
Jobo> IE (6) and Kerberos At some (actually one) locations in our
Jobo> network (which is spread all over the Netherlands) we have the
Jobo> problem that IE6 randomly falls back to NTLM, while FF keeps on
Jobo> working flawlessly.
Jobo> Does anybody have a clue what is happening? Tickets are valid and
Jobo> available, and when a new instance of IE is opened, everything
Jobo> works OK again.
Jobo> The facts: Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5
Jobo> release 1.4.3) Client: IE6 on XP Tickets are served by Active
Jobo> Directory.
Jobo> Thanks in advance, Johan Bosma (j.bosma (at) mindef.nl)
Is the name you're giving the browser for the webserver perhaps a DNS
alias (CNAME RR)? Bizarre and pointless as it is, Microsoft "doesn't like
CNAMEs" (direct quote from a Microsoft engineer), and I've seen it behave
like this.
--
Richard Silverman
res@qoxp.net
-
Re: IE6 Fallback to NTLM
Michael B Allen wrote:
> On Mon, Nov 10, 2008 at 4:06 PM, Jobo wrote:
>> IE (6) and Kerberos
>>
>> At some (actually one) locations in our network (which is spread all
>> over the Netherlands) we have the problem that IE6 randomly falls back
>> to NTLM, while FF keeps on working flawlessly.
>>
>> Does anybody have a clue what is happening? Tickets are valid and
>> available, and when a new instance of IE is opened, everything works OK
>> again.
>>
>> The facts:
>> Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5 release 1.4.3)
>> Client: IE6 on XP
>> Tickets are served by Active Directory.
>
> In the past there have been a few bugs in cache handling on XP:
>
> http://support.microsoft.com/kb/906524
> http://support.microsoft.com/kb/885887
>
> Check your kerberos DLLs.
>
> But I haven't seen anyone complain about these sorts of things in a
> while so I'm not sure if the bugs described in these KBs are really
> relevant anymore.
>
> Note that FF can exhibit different behavior depending on how it's
> configured. Note that for some strange reason, FF on Linux actually
> requests a service ticket with each HTTP request even though it has a
> perfectly good one in the cache. So make sure you're testing FF on
> Windows if you want a fair comparison.
>
> Mike
>
Actually we had these problems, and solved them with the
AllowTgtSessionKey registry setting. FF is also on Windows.
Thanks anyway, I read all the ioplex stuff.
-
Re: IE6 Fallback to NTLM
Richard E. Silverman wrote:
>>>>>> "Jobo" == Jobo writes:
>
> Jobo> IE (6) and Kerberos At some (actually one) locations in our
> Jobo> network (which is spread all over the Netherlands) we have the
> Jobo> problem that IE6 randomly falls back to NTLM, while FF keeps on
> Jobo> working flawlessly.
>
> Jobo> Does anybody have a clue what is happening? Tickets are valid and
> Jobo> available, and when a new instance of IE is opened, everything
> Jobo> works OK again.
>
> Jobo> The facts: Server: SLES 10 + Apache + mod_auth_kerb (Kerberos 5
> Jobo> release 1.4.3) Client: IE6 on XP Tickets are served by Active
> Jobo> Directory.
>
> Jobo> Thanks in advance, Johan Bosma (j.bosma (at) mindef.nl)
>
> Is the name you're giving the browser for the webserver perhaps a DNS
> alias (CNAME RR)? Bizarre and pointless as it is, Microsoft "doesn't like
> CNAMEs" (direct quote from a Microsoft engineer), and I've seen it behave
> like this.
>
Thanks, a CNAME it is!
I'm going to try your solution; it will take a couple of days, but I will be back.