Re: Fwd: NTLM vs Kerberos again - Kerberos



Thread: Re: Fwd: NTLM vs Kerberos again

  1. Re: Fwd: NTLM vs Kerberos again

    Although the page below was written for mod_auth_gss_krb5, I believe the
    IE6 settings remain the same.

    - Single Sign-on for your web applications with Apache and Kerberos
    http://www.onlamp.com/pub/a/onlamp/2...os.html?page=1


    Regards,

    Sung.




    Sergey Koulik
    Sent by: kerberos-bounces@mit.edu
    03/11/2005 12:22 PM


    To: kerberos@mit.edu
    cc:
    Subject: Fwd: NTLM vs Kerberos again


    Hi all,

    I am forwarding the message to the kerberos mailing list, because my
    problem is somehow related to Kerberos. I am not sure anyone on the list
    is familiar with the Apache module mod_auth_kerb I am talking about, but I
    hope someone is and could help me.
    My problem is that a Windows client (for example MS IE) chooses to talk
    NTLM when it receives the WWW-Authenticate: Negotiate HTTP header. I know
    that IE could talk Kerberos as well, but for some reason it does not, and
    I don't know how to configure it to talk Kerberos.


    ---------- Forwarded message ----------
    From: Sergey Koulik
    Date: 03.11.2005 14:13
    Subject: NTLM vs Kerberos again
    To: modauthkerb-help@lists.sourceforge.net

    Hi all,

    I have examined the mail archive, but I still don't see a correct solution.
    I want to force my Windows clients to use Kerberos authentication instead
    of NTLM when contacting a web server kerberized with mod_auth_kerb. I use
    an MIT Kerberos KDC located on a Linux machine. My Windows XP machine is
    not connected to any domain.
    Did anyone get it to work?
    Does anyone have step-by-step documentation on how to configure MIT KDC,
    mod_auth_kerb and clients to use Kerberos instead of NTLM?

    --
    Sincerely,
    Sergey Koulik

    --
    Sincerely,
    Sergey Koulik
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos




  2. Re: Fwd: NTLM vs Kerberos again

    Thank you for your reply. But my problem is that I neither use Active
    Directory nor am connected to a Microsoft domain. What I want is to make
    the browser send Kerberos tickets to the MIT KDC and not fall back to NTLM
    authentication.

    --
    Sincerely,
    Sergey Koulik


  3. Re: Fwd: NTLM vs Kerberos again



    Sergey Koulik wrote:

    > Thank you for your reply. But my problem is that I neither use Active
    > Directory nor am connected to a Microsoft domain. What I want is to make
    > the browser send Kerberos tickets to the MIT KDC and not fall back to NTLM
    > authentication.


    Have you run ksetup on the client so Windows knows about Kerberos?

    Do you then login to the workstation using Kerberos?

    The point is IE would only use Kerberos if the user has tickets in its cache.
    You can use the kerbtray and the klist commands to see the tickets.
    ksetup, kerbtray and klist are Microsoft commands in the Resource Kit, I believe.




    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444


  4. Re: Fwd: NTLM vs Kerberos again

    The IE browser can only access the MS Kerberos ticket cache, which can only
    be initialized at the login screen. Microsoft has documented how to support
    a standalone (workgroup) client using a third-party KDC through ksetup, as
    Doug suggested. Furthermore, the web server must be in the "Local intranet"
    zone before IE does Kerberos authentication.

    -peter huang




  5. Re: Fwd: NTLM vs Kerberos again



    peter huang wrote:

    > The IE browser can only access the MS Kerberos ticket cache, which can only
    > be initialized at the login screen. Microsoft has documented how to support
    > a standalone (workgroup) client using a third-party KDC through ksetup, as
    > Doug suggested. Furthermore, the web server must be in the "Local intranet"
    > zone before IE does Kerberos authentication.


    You might also be able to start it from:
    runas /netonly /user:@ "C:\Program Files\Internet Explorer\IEXPLORE.EXE"



    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444
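
The symptom discussed in this thread (a client answering a Negotiate challenge with NTLM rather than a Kerberos ticket) can be confirmed on the server side by looking at the token in the client's Authorization header. The Python below is an added example, not part of the original thread and not code from mod_auth_kerb; the function names and the sample tokens are constructed for illustration.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5 = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (legacy Microsoft OID)
NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
MECHS = {SPNEGO: "SPNEGO", KRB5: "Kerberos", MS_KRB5: "Kerberos", NTLMSSP: "NTLM"}

def _tlv(buf, pos):  # read one DER element; returns (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify_negotiate(header_value):
    """Name the mechanism a client offered in an 'Authorization: Negotiate ...' value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not blob.strip():
        return "not-negotiate"
    try:
        tok = base64.b64decode(blob.strip(), validate=True)
    except ValueError:
        return "invalid"
    if tok.startswith(b"NTLMSSP\x00"):  # bare NTLM message, no GSS-API framing
        return "NTLM"
    try:
        tag, pos, _ = _tlv(tok, 0)  # GSS-API InitialContextToken
        if tag != 0x60:
            return "unknown"
        tag, start, end = _tlv(tok, pos)  # mechanism OID
        mech = MECHS.get(tok[start:end], "unknown") if tag == 0x06 else "unknown"
        if mech != "SPNEGO":
            return mech
        # NegTokenInit: [0] -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF -> first OID
        pos = end
        for expected in (0xA0, 0x30, 0xA0, 0x30, 0x06):
            tag, start, end = _tlv(tok, pos)
            if tag != expected:
                return "unknown"
            pos = start
        return MECHS.get(tok[start:end], "unknown")  # the client's preferred mechanism
    except IndexError:
        return "invalid"

def _der(tag, body):  # short-form DER encoder, enough for the constructed samples
    return bytes([tag, len(body)]) + body

def sample_spnego(*mech_oids):
    """Constructed SPNEGO NegTokenInit carrying only a mechTypes list."""
    mechs = b"".join(_der(0x06, oid) for oid in mech_oids)
    init = _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, mechs))))
    return "Negotiate " + base64.b64encode(_der(0x60, _der(0x06, SPNEGO) + init)).decode()

# Constructed NTLM NEGOTIATE (type 1) message with zeroed flags.
RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(4)).decode()
```

A result of "NTLM" from a client that is expected to hold tickets points back at the checks raised in the thread: the ksetup configuration, a Kerberos logon that fills the ticket cache, and the server being in the Local intranet zone.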

