windows browsers send ntlm instead of kerberos tokens - Kerberos


Thread: windows browsers send ntlm instead of kerberos tokens

  1. windows browsers send ntlm instead of kerberos tokens

    Hello,

    I'm experiencing a strange thing again. I have a Windows 2003 server with
    apache2 + mod_spnego + kfw-2.6.5. This is the only box on the domain. When I
    login as a simple user and type klist at the command prompt, I can see that I
    have no TGT. From what I've understood about KRB5, a TGT should have been
    granted at user login, and thus should be visible with klist.

    Accessing the web server using a well configured Internet Explorer or Firefox, I
    can see the browsers are sending NTLM (beginning with NTLMSSP) instead of
    Kerberos tokens, in response to the Negotiate authentication the server is
    asking for.

    With kinit -5, I can get a TGT without a problem, as well as with Leash. But
    launching the browsers again after that, and requesting the web server URL
    again, leads to a failure.

    As I don't want to use NTLM but Kerberos5 and I don't really understand what is
    going on, I'm asking for help here. Isn't my client session configured to
    ask for a TGT at login? Can't it find the KDC? Is it failing because the client
    session is opened on the same box as the KDC?

    Thanks for any help.
    --
    Julien ALLANOS
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
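The symptom in this post is identified by the first bytes of the token the browser sends: a raw NTLM message starts with "NTLMSSP\0", while a Kerberos or SPNEGO token is a DER-framed GSS-API InitialContextToken whose first OID names the mechanism. The following is an added example, not code from this thread, that classifies the value of an Authorization: Negotiate header the way a server-side log check or test harness would. The OID byte strings are the standard GSS-API/SPNEGO identifiers; the sample header values are constructed here, not captured from the poster's systems.

```python
import base64
from typing import Tuple

# DER value bytes (no tag/length) of the well-known mechanism OIDs.
OID_SPNEGO = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a") # 1.3.6.1.4.1.311.2.2.10


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample tokens)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _read_der(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + n], pos + n


def classify_negotiate_token(header_value: str) -> str:
    """Classify an 'Authorization: Negotiate <base64>' header value.

    Returns 'ntlm' (raw NTLMSSP, no GSS framing), 'kerberos' (raw Kerberos
    token), 'spnego-ntlm' (SPNEGO whose first mechType is NTLMSSP),
    'spnego-kerberos' (SPNEGO preferring Kerberos), 'spnego-other' or 'unknown'.
    """
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not b64.strip():
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    if not token or token[0] != 0x60:  # [APPLICATION 0] InitialContextToken
        return "unknown"
    try:
        _, body, _ = _read_der(token, 0)
        tag, mech, after_oid = _read_der(body, 0)
    except (IndexError, ValueError):
        return "unknown"
    if tag != 0x06:
        return "unknown"
    if mech in (OID_KRB5, OID_MS_KRB5):
        return "kerberos"
    if mech != OID_SPNEGO:
        return "unknown"
    # In NegTokenInit the mechTypes list comes first and is ordered by client
    # preference, so the earliest mechanism OID tells us what the client offers.
    inner = body[after_oid:]
    hits = [(inner.find(oid), name) for oid, name in (
        (OID_NTLMSSP, "spnego-ntlm"),
        (OID_KRB5, "spnego-kerberos"),
        (OID_MS_KRB5, "spnego-kerberos"))]
    hits = [h for h in hits if h[0] >= 0]
    return min(hits)[1] if hits else "spnego-other"


def _spnego_init(mech_oids) -> bytes:
    """Minimal SPNEGO NegTokenInit carrying only mechTypes (constructed sample)."""
    mech_list = _der(0x30, b"".join(_der(0x06, o) for o in mech_oids))
    neg_token_init = _der(0xA0, _der(0x30, _der(0xA0, mech_list)))
    return _der(0x60, _der(0x06, OID_SPNEGO) + neg_token_init)


def _hdr(raw: bytes) -> str:
    return "Negotiate " + base64.b64encode(raw).decode("ascii")


# Constructed sample header values, not captured traffic.
SAMPLE_HEADERS = {
    "raw_ntlm_type1": _hdr(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28),
    "spnego_ntlm_first": _hdr(_spnego_init([OID_NTLMSSP, OID_MS_KRB5, OID_KRB5])),
    "spnego_krb_first": _hdr(_spnego_init([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])),
    "raw_krb5": _hdr(_der(0x60, _der(0x06, OID_KRB5) + b"\x01\x00" + b"\x6e\x00")),
    "basic_auth": "Basic dXNlcjpwYXNz",
}


def classify_samples() -> dict:
    """Classify every constructed sample; useful as a quick self-check."""
    return {name: classify_negotiate_token(v) for name, v in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:20s} -> {result}")
```

Run over the Authorization headers a web server logs (or a capture), this separates the two failure modes in the thread: a client that never tried Kerberos at all (raw NTLM or SPNEGO listing NTLMSSP first) from one that offered Kerberos but could not get a ticket.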


  2. Re: windows browsers send ntlm instead of kerberos tokens

    Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
    support. If you want them to have Kerberos credentials, Windows must
    obtain them for you when you login to Windows using an Active Directory
    account.

    Jeffrey Altman


    Julien ALLANOS wrote:
    > Hello,
    >
    > I'm experiencing a strange thing again. I have a Windows 2003 server with
    > apache2 + mod_spnego + kfw-2.6.5. This is the only box on the domain. When I
    > login as a simple user and type klist at the command prompt, I can't see I have
    > no TGT. From what I've understood about KRB5, a TGT should have been granted at
    > user login, and thus should be visible with klist.
    >
    > Accessing the web server using a well configured Internet Explorer or Firefox, I
    > can see the browsers are sending NTLM (beginning with NTLMSSP) instead of
    > Kerberos tokens, in response to the Negotiate authentication the server is
    > asking for.
    >
    > With kinit -5, I can get a TGT without a problem, as well as with Leash. But
    > launching the browsers again after that, and requesting the web server URL
    > again, leads to a failure.
    >
    > As I don't want to use NTLM but Kerberos5 and I don't really understand what is
    > going on, I'm asking for help here. Is my client session isn't configured to
    > ask for a TGT at login? Can't it find the KDC? Is it failing because client
    > session is opened on the same box as the KDC?
    >
    > Thanks for any help.


    --
    -----------------
    This e-mail account is not read on a regular basis.
    Please send private responses to jaltman at mit dot edu

  3. Re: windows browsers send ntlm instead of kerberos tokens

    Quoting Jeffrey Altman :

    > Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
    > support. If you want them to have Kerberos credentials, Windows must
    > obtain them for you when you login to Windows using an Active Directory
    > account.
    >
    > Jeffrey Altman


    OK, but how can I be certain that Windows did really obtain the Kerberos
    credentials at login, that FF or IE might be able to use after?
    --
    Julien ALLANOS


  4. Re: windows browsers send ntlm instead of kerberos tokens

    Julien ALLANOS wrote:

    > Quoting Jeffrey Altman :
    >
    >> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
    >> support. If you want them to have Kerberos credentials, Windows must
    >> obtain them for you when you login to Windows using an Active Directory
    >> account.
    >>
    >> Jeffrey Altman

    >
    >
    > OK, but how can I be certain that Windows did really obtain the Kerberos
    > credentials at login, that FF or IE might be able to use after?


    Since you have MIT KFW installed you can list the contents of the
    MSLSA ccache with

    klist -c MSLSA:

    Otherwise, you can install one of the Microsoft tools such as
    kerbtray.exe that are available from the Microsoft download web site.

    Jeffrey Altman


  5. Re: windows browsers send ntlm instead of kerberos tokens

    Quoting Jeffrey Altman :

    > Julien ALLANOS wrote:
    >
    >> Quoting Jeffrey Altman :
    >>
    >>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
    >>> support. If you want them to have Kerberos credentials, Windows must
    >>> obtain them for you when you login to Windows using an Active Directory
    >>> account.
    >>>
    >>> Jeffrey Altman

    >>
    >>
    >> OK, but how can I be certain that Windows did really obtain the Kerberos
    >> credentials at login, that FF or IE might be able to use after?

    >
    > Since you have MIT KFW installed you can list the contents of the
    > MSLSA ccache with
    >
    > klist -c MSLSA:
    >
    > Otherwise, you can install one of the Microsoft tools such as
    > kerbtray.exe that are available from the Microsoft download web site.
    >


    Thanks.

    Both klist -c MSLSA: and kerbtray tell me that the following tickets are given
    to me at login (verified by purging, logout and login again):

    * krbtgt/MY.DOMAIN.TLD@MY.DOMAIN.TLD
    * ldap/host.my.domain.tld/my.domain.tld@MY.DOMAIN.TLD
    * host/host.my.domain.tld@MY.DOMAIN.TLD

    However, IE or FF are still sending NTLM tickets. Any clue?
    --
    Julien ALLANOS


  6. Re: windows browsers send ntlm instead of kerberos tokens

    Have you created a HTTP/server principal and configured IE with integrated
    windows authentication and FF as follows?

    select URL about:config
    in the filter write nego
    You should see two entries; double-click on them and add the domains for
    which you want to have SPNEGO, e.g. test.com

    I hope these are not too basic questions.

    Regards
    Markus

    "Julien ALLANOS" wrote in message
    news:20050826172317.ta37izpe744kosc8@webmail.aql.fr...
    > Quoting Jeffrey Altman :
    >
    >> Julien ALLANOS wrote:
    >>
    >>> Quoting Jeffrey Altman :
    >>>
    >>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
    >>>> support. If you want them to have Kerberos credentials, Windows must
    >>>> obtain them for you when you login to Windows using an Active Directory
    >>>> account.
    >>>>
    >>>> Jeffrey Altman
    >>>
    >>>
    >>> OK, but how can I be certain that Windows did really obtain the Kerberos
    >>> credentials at login, that FF or IE might be able to use after?

    >>
    >> Since you have MIT KFW installed you can list the contents of the
    >> MSLSA ccache with
    >>
    >> klist -c MSLSA:
    >>
    >> Otherwise, you can install one of the Microsoft tools such as
    >> kerbtray.exe that are available from the Microsoft download web site.
    >>

    >
    > Thanks.
    >
    > Both klist -c MSLSA: and kerbtray tell me that the following tickets are
    > given
    > to me at login (verified by purging, logout and login again):
    >
    > * krbtgt/MY.DOMAIN.TLD@MY.DOMAIN.TLD
    > * ldap/host.my.domain.tld/my.domain.tld@MY.DOMAIN.TLD
    > * host/host.my.domain.tld@MY.DOMAIN.TLD
    >
    > However, IE or FF are still sending NTLM tickets. Any clue?
    > --
    > Julien ALLANOS
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >


  7. Re: windows browsers send ntlm instead of kerberos tokens

    Also can you do a kinit -k -t keytab HTTP/server successfully?

    Markus


    "Julien ALLANOS" wrote in message
    news:20050826172317.ta37izpe744kosc8@webmail.aql.fr...
    > Quoting Jeffrey Altman :
    >
    >> Julien ALLANOS wrote:
    >>
    >>> Quoting Jeffrey Altman :
    >>>
    >>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
    >>>> support. If you want them to have Kerberos credentials, Windows must
    >>>> obtain them for you when you login to Windows using an Active Directory
    >>>> account.
    >>>>
    >>>> Jeffrey Altman
    >>>
    >>>
    >>> OK, but how can I be certain that Windows did really obtain the Kerberos
    >>> credentials at login, that FF or IE might be able to use after?

    >>
    >> Since you have MIT KFW installed you can list the contents of the
    >> MSLSA ccache with
    >>
    >> klist -c MSLSA:
    >>
    >> Otherwise, you can install one of the Microsoft tools such as
    >> kerbtray.exe that are available from the Microsoft download web site.
    >>

    >
    > Thanks.
    >
    > Both klist -c MSLSA: and kerbtray tell me that the following tickets are
    > given
    > to me at login (verified by purging, logout and login again):
    >
    > * krbtgt/MY.DOMAIN.TLD@MY.DOMAIN.TLD
    > * ldap/host.my.domain.tld/my.domain.tld@MY.DOMAIN.TLD
    > * host/host.my.domain.tld@MY.DOMAIN.TLD
    >
    > However, IE or FF are still sending NTLM tickets. Any clue?
    > --
    > Julien ALLANOS
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >


  8. Kerberos support in Firefox/Thunderbird (was Re: windows browsers send ntlm instead of kerberos tokens)

    Jeffrey Altman wrote:
    > Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
    > support.


    Just because this comment reminded me...

    As of this week, Firefox and Thunderbird nightly builds (and the
    eventual 1.5 release) support using either SSPI or KFW, according to the
    value of the hidden preference network.auth.use-sspi

    Thunderbird also now has support for Kerberos authentication with the
    POP3, IMAP and SMTP protocols.

    Cheers,

    Simon.



  9. Re: windows browsers send ntlm instead of kerberos tokens

    Probably silly question ... Have you enabled "windows integrated
    authentication" in IE? Is your http server in the "trusted zone"?

    best regards, vadim tarassov.

    On Fri, 2005-08-26 at 17:23 +0200, Julien ALLANOS wrote:
    > Quoting Jeffrey Altman :
    >
    > > Julien ALLANOS wrote:
    > >
    > >> Quoting Jeffrey Altman :
    > >>
    > >>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
    > >>> support. If you want them to have Kerberos credentials, Windows must
    > >>> obtain them for you when you login to Windows using an Active Directory
    > >>> account.
    > >>>
    > >>> Jeffrey Altman
    > >>
    > >>
    > >> OK, but how can I be certain that Windows did really obtain the Kerberos
    > >> credentials at login, that FF or IE might be able to use after?

    > >
    > > Since you have MIT KFW installed you can list the contents of the
    > > MSLSA ccache with
    > >
    > > klist -c MSLSA:
    > >
    > > Otherwise, you can install one of the Microsoft tools such as
    > > kerbtray.exe that are available from the Microsoft download web site.
    > >

    >
    > Thanks.
    >
    > Both klist -c MSLSA: and kerbtray tell me that the following tickets are given
    > to me at login (verified by purging, logout and login again):
    >
    > * krbtgt/MY.DOMAIN.TLD@MY.DOMAIN.TLD
    > * ldap/host.my.domain.tld/my.domain.tld@MY.DOMAIN.TLD
    > * host/host.my.domain.tld@MY.DOMAIN.TLD
    >
    > However, IE or FF are still sending NTLM tickets. Any clue?

    --
    vadim



  10. Re: windows browsers send ntlm instead of kerberos tokens


    By default, Firefox will only perform GSSAPI (negotiate-auth) authentication
    when the protocol is 'https://'.

    Check the "network.negotiate-auth.delegation-uris" and
    "network.negotiate-auth.trusted-uris" parameters (under "about:config") and
    make sure that you allow "http://" as well as "https://" if you are
    accessing non-SSL protected sites.

    network.negotiate-auth.delegation-uris = "https://,http://"
    network.negotiate-auth.trusted-uris = "https://,http://"

    -Wyllys


    Julien ALLANOS wrote:

    > Quoting Jeffrey Altman :
    >
    >> Julien ALLANOS wrote:
    >>
    >>> Quoting Jeffrey Altman :
    >>>
    >>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
    >>>> support. If you want them to have Kerberos credentials, Windows must
    >>>> obtain them for you when you login to Windows using an Active
    >>>> Directory
    >>>> account.
    >>>>
    >>>> Jeffrey Altman
    >>>
    >>>
    >>>
    >>> OK, but how can I be certain that Windows did really obtain the
    >>> Kerberos
    >>> credentials at login, that FF or IE might be able to use after?

    >>
    >>
    >> Since you have MIT KFW installed you can list the contents of the
    >> MSLSA ccache with
    >>
    >> klist -c MSLSA:
    >>
    >> Otherwise, you can install one of the Microsoft tools such as
    >> kerbtray.exe that are available from the Microsoft download web site.
    >>




  11. Re: windows browsers send ntlm instead of kerberos tokens



    On Monday, August 29, 2005 10:28:35 -0400 Wyllys Ingersoll
    wrote:

    >
    > By default, Firefox will only perform GSSAPI (negotiate-auth)
    > authentication
    > when the protocol is 'https://'.
    >
    > Check the "network.negotiate-auth.delegation-uris" and
    > "network.negotiate-auth.trusted-uris" parameters (under "about:config")
    > and
    > make sure that you allow "http://" as well as "https://" if you are
    > accessing
    > non-SSL protected sites.
    >
    > network.negotiate-auth.delegation-uris = "https://,http://"
    > network.negotiate-auth.trusted-uris = "https://,http://"


    Aaaa! No! Don't do this unless you _absolutely_ need this ability.

    Running HTTP negotiate over a plaintext connection is _not secure_. It
    provides no integrity protection and is subject to a relatively easy
    man-in-the-middle attack.


    If the problem is indeed that the connection is not using SSL, the correct
    solution is to change that service to use SSL.

    If you absolutely must use HTTP negotiate with a service that is not using
    SSL and which you do not control, then turning on negotiate support for
    non-SSL connections may be your only choice.

    -- Jeffrey T. Hutzelman (N3NHS)
    Sr. Research Systems Programmer
    School of Computer Science - Research Computing Facility
    Carnegie Mellon University - Pittsburgh, PA

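Wyllys's setting and Jeff Hutzelman's objection to it can be checked side by side. The following is an added example, not code from this thread or from Firefox, that models how a network.negotiate-auth.trusted-uris value decides whether a URL gets a Negotiate token, and audits a value for entries that permit Negotiate over plaintext HTTP. The matching rule (scheme-only entries such as "https://" match any host on that scheme; other entries match the host or any subdomain of it; scheme-less entries match every scheme) is a simplified model of Firefox's behaviour and is an assumption here; the pref names are the ones named in the thread, the URLs are constructed.

```python
from urllib.parse import urlsplit


def _entry_matches(entry: str, scheme: str, host: str) -> bool:
    """One trusted-uris entry against a (scheme, host) pair. Simplified model,
    assumed here: suffix match on host, scheme-only entries match every host."""
    entry = entry.strip().lower()
    if not entry:
        return False
    if "://" in entry:
        entry_scheme, _, entry_host = entry.partition("://")
        if entry_scheme != scheme:
            return False
    else:
        entry_host = entry  # no scheme given: entry applies to http and https alike
    entry_host = entry_host.split("/", 1)[0]  # ignore any path component
    if not entry_host:
        return True  # e.g. "https://" alone: every host on that scheme
    bare = entry_host.lstrip(".")
    return host == bare or host.endswith("." + bare)


def negotiate_allowed(trusted_uris: str, url: str) -> bool:
    """Would the browser send a Negotiate token to this URL under this pref?"""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return any(_entry_matches(e, scheme, host) for e in trusted_uris.split(","))


def audit_trusted_uris(trusted_uris: str) -> list:
    """Findings for entries that let Negotiate run without TLS protection."""
    findings = []
    for entry in (e.strip().lower() for e in trusted_uris.split(",")):
        if not entry:
            continue
        if entry.startswith("http://"):
            findings.append(f"{entry!r}: Negotiate over plaintext HTTP, no "
                            "integrity protection for the exchange")
        elif "://" not in entry:
            findings.append(f"{entry!r}: scheme-less entry also matches http:// "
                            "URLs; prefix it with https://")
    return findings


# The setting quoted in the thread, beside a tightened one (constructed).
WEAK_PREFS = {
    "network.negotiate-auth.trusted-uris": "https://,http://",
    "network.negotiate-auth.delegation-uris": "https://,http://",
}
HARDENED_PREFS = {
    # Only the sites that actually need SSO, and only over TLS.
    "network.negotiate-auth.trusted-uris": "https://my.domain.tld",
    # delegation-uris forwards the user's TGT to the server; leave empty unless
    # a specific server is trusted to act on the user's behalf.
    "network.negotiate-auth.delegation-uris": "",
}

URL_HTTP = "http://my.domain.tld/"
URL_HTTPS = "https://host.my.domain.tld/"


def compare_configs() -> dict:
    """Summarise what each pref value permits for the two constructed URLs."""
    weak = WEAK_PREFS["network.negotiate-auth.trusted-uris"]
    hard = HARDENED_PREFS["network.negotiate-auth.trusted-uris"]
    return {
        "weak_allows_http": negotiate_allowed(weak, URL_HTTP),
        "hardened_allows_http": negotiate_allowed(hard, URL_HTTP),
        "hardened_allows_https": negotiate_allowed(hard, URL_HTTPS),
        "hardened_allows_other_site": negotiate_allowed(hard, "https://other.tld/"),
        "weak_findings": audit_trusted_uris(weak),
        "hardened_findings": audit_trusted_uris(hard),
    }


if __name__ == "__main__":
    for key, value in compare_configs().items():
        print(f"{key}: {value}")
```

The hardened value keeps the fix for the poster's test (the site is still trusted for SPNEGO) while following Hutzelman's advice: the service is reached over TLS, and no other host on the internet can ask the browser for a token.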


  12. Re: windows browsers send ntlm instead of kerberos tokens

    Jeffrey Hutzelman wrote:

    >>
    >> By default, Firefox will only perform GSSAPI (negotiate-auth)
    >> authentication
    >> when the protocol is 'https://'.
    >>
    >> Check the "network.negotiate-auth.delegation-uris" and
    >> "network.negotiate-auth.trusted-uris" parameters (under "about:config")
    >> and
    >> make sure that you allow "http://" as well as "https://" if you are
    >> accessing
    >> non-SSL protected sites.
    >>
    >> network.negotiate-auth.delegation-uris = "https://,http://"
    >> network.negotiate-auth.trusted-uris = "https://,http://"

    >
    >
    > Aaaa! No! Don't do this unless you _absolutely_ need this ability.
    >
    > Running HTTP negotiate over a plaintext connection is _not secure_.
    > It provides no integrity protection and is subject to a relatively
    > easy man-in-the-middle attack.



    I totally agree with Jeff, that is why SSL is the default setting for
    Firefox. I was just pointing out one possible reason why the test was not
    working for the original poster.

    -Wyllys



  13. Re: windows browsers send ntlm instead of kerberos tokens

    Quoting Markus Moeller :

    > Also can you do a kinit -k -t keytab HTTP/server successfully ?
    >
    > Markus
    >
    >
    > "Julien ALLANOS" wrote in message
    > news:20050826172317.ta37izpe744kosc8@webmail.aql.fr...
    >> Quoting Jeffrey Altman :
    >>
    >>> Julien ALLANOS wrote:
    >>>
    >>>> Quoting Jeffrey Altman :
    >>>>
    >>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
    >>>>> support. If you want them to have Kerberos credentials, Windows must
    >>>>> obtain them for you when you login to Windows using an Active Directory
    >>>>> account.
    >>>>>
    >>>>> Jeffrey Altman
    >>>>
    >>>>
    >>>> OK, but how can I be certain that Windows did really obtain the Kerberos
    >>>> credentials at login, that FF or IE might be able to use after?
    >>>
    >>> Since you have MIT KFW installed you can list the contents of the
    >>> MSLSA ccache with
    >>>
    >>> klist -c MSLSA:
    >>>
    >>> Otherwise, you can install one of the Microsoft tools such as
    >>> kerbtray.exe that are available from the Microsoft download web site.
    >>>

    >>
    >> Thanks.
    >>
    >> Both klist -c MSLSA: and kerbtray tell me that the following tickets are
    >> given
    >> to me at login (verified by purging, logout and login again):
    >>
    >> * krbtgt/MY.DOMAIN.TLD@MY.DOMAIN.TLD
    >> * ldap/host.my.domain.tld/my.domain.tld@MY.DOMAIN.TLD
    >> * host/host.my.domain.tld@MY.DOMAIN.TLD
    >>
    >> However, IE or FF are still sending NTLM tickets. Any clue?


    OK guys, thanks for your answers.

    Yes, my browsers are correctly configured.

    Actually it might be a hostname issue: the domain is my.domain.tld, my
    webserver/AD/KDC is host.my.domain.tld and has a CNAME for my.domain.tld. I
    also want to access the webserver via http://my.domain.tld/. The keytab was
    generated for the HTTP/host.my.domain.tld@MY.DOMAIN.TLD principal, that's why:

    kinit -5 -k -t keytab HTTP/host.my.domain.tld@MY.DOMAIN.TLD

    works, but not:

    kinit -5 -k -t keytab HTTP/my.domain.tld@MY.DOMAIN.TLD

    The strange thing is that I've added another box to the domain, added both
    hostnames to FF's auto nego parameters and tried to access both URLs from this
    new box, but I get the same thing (a NTLM token is sent), and ethereal doesn't
    show any traffic on TCP port 88.

    Any help please?
    --
    Julien ALLANOS


  14. Re: windows browsers send ntlm instead of kerberos tokens

    Quoting Markus :

    > Julien,
    >
    > as far as I am aware you can not use cnames. Normally the
    > client/server uses a call to gss_import_name which canonicalises the
    > hostname from the cname to the A record. If you capture the traffic
    > on port 88 on the client you should see a TGS-REQ for
    > HTTP/host.my.domain.tld although your URL was http://my.domain.tld.
    >
    > Regards
    > Markus
    >


    As I've already said before, I see no traffic between the client and
    the server (port 88). The client immediately sends an NTLM token.

    If I could make Kerberos work, do you think a keytab with
    HTTP/host.my.domain.tld@MY.DOMAIN.TLD would be enough?
    --
    Julien ALLANOS
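Markus's point about CNAME canonicalisation (the client asks for HTTP/host.my.domain.tld even though the URL said my.domain.tld) and Julien's question whether a keytab holding only HTTP/host.my.domain.tld@MY.DOMAIN.TLD is enough can be worked through with a small model. The following is an added example, not code from this thread; the CNAME table, URLs and keytab contents are constructed to mirror the names in the thread. Whether a given client canonicalises the hostname before building the service principal depends on the client library and its configuration, so the example reports the outcome both ways.

```python
from urllib.parse import urlsplit

# Constructed DNS data mirroring the thread: the zone apex is a CNAME to the
# box that runs the web server, AD and KDC.
CNAME_TABLE = {"my.domain.tld": "host.my.domain.tld"}
REALM = "MY.DOMAIN.TLD"


def canonical_host(name: str, cname_table: dict, max_hops: int = 8) -> str:
    """Follow CNAMEs to the A-record name, as gss_import_name-style
    canonicalisation does; refuse runaway chains and loops."""
    host = name.lower().rstrip(".")
    hops = 0
    while host in cname_table:
        hops += 1
        if hops > max_hops:
            raise ValueError(f"CNAME chain too long or looping, starting at {name}")
        host = cname_table[host].lower().rstrip(".")
    return host


def service_principal(url: str, realm: str, cname_table: dict,
                      canonicalize: bool = True) -> str:
    """The HTTP/<host>@REALM name a client will request a ticket for."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        raise ValueError(f"URL has no host: {url!r}")
    if canonicalize:
        host = canonical_host(host, cname_table)
    return f"HTTP/{host}@{realm}"


def keytab_gaps(urls, keytab_principals, realm: str, cname_table: dict,
                canonicalize: bool) -> list:
    """URLs whose expected service principal has no key in the keytab."""
    have = set(keytab_principals)
    return [u for u in urls
            if service_principal(u, realm, cname_table, canonicalize) not in have]


# Constructed inputs: the two URLs the poster wants to use and two keytabs.
URLS = ["http://host.my.domain.tld/", "http://my.domain.tld/"]
KEYTAB_HOST_ONLY = ["HTTP/host.my.domain.tld@MY.DOMAIN.TLD"]
KEYTAB_BOTH = KEYTAB_HOST_ONLY + ["HTTP/my.domain.tld@MY.DOMAIN.TLD"]


def report() -> dict:
    """Which URLs fail for each combination of client behaviour and keytab."""
    return {
        "canonicalising_client,host_only_keytab":
            keytab_gaps(URLS, KEYTAB_HOST_ONLY, REALM, CNAME_TABLE, True),
        "literal_client,host_only_keytab":
            keytab_gaps(URLS, KEYTAB_HOST_ONLY, REALM, CNAME_TABLE, False),
        "literal_client,both_keytab":
            keytab_gaps(URLS, KEYTAB_BOTH, REALM, CNAME_TABLE, False),
    }


if __name__ == "__main__":
    for case, failing in report().items():
        print(f"{case}: {'ok' if not failing else 'fails for ' + ', '.join(failing)}")
```

The result matches Markus's description for a canonicalising client (the host-only keytab covers both URLs), but a client that uses the hostname as typed needs a key for HTTP/my.domain.tld as well. Registering both names on the same account, so that one keytab carries both principals, is the configuration that works regardless of which behaviour the client has; in either case the absence of port 88 traffic that Julien reports means the client never reached this step.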

