IE using NTLM instead of Kerberos? - Kerberos


Thread: IE using NTLM instead of Kerberos?

  1. IE using NTLM instead of Kerberos?

    Hello.

    I have installed the Kerberos MIT package and am using mod_auth_kerb to
    authenticate to my apache server via Internet Explorer. The KDC is a
    Windows 2003, which also acts as our Domain Controller in an Active
    Directory network.

    Below is the log snippet I keep getting when I hit the protected web site
    with Internet Explorer on an XP workstation that is authenticated to the
    domain.

    [Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1322): [client
    10.30.200.24] kerb_authenticate_user entered with user (NULL) and
    auth_type Kerberos
    [Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1322): [client
    10.30.200.24] kerb_authenticate_user entered with user (NULL) and
    auth_type Kerberos
    [Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1023): [client
    10.30.200.24] Acquiring creds for HTTP/rt.vitamix.com@VITAMIX.COM
    [Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1152): [client
    10.30.200.24] Verifying client data using KRB5 GSS-API
    [Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1168): [client
    10.30.200.24] Verification returned code 589824
    [Fri Feb 17 17:04:01 2006] [debug] src/mod_auth_kerb.c(1194): [client
    10.30.200.24] Warning: received token seems to be NTLM, which isn't
    supported by the Kerberos module. Check your IE configuration.
    [Fri Feb 17 17:04:01 2006] [error] [client 10.30.200.24]
    gss_accept_sec_context() failed: A token was invalid (Token header is
    malformed or corrupt)

    I have followed these instructions completely:
    http://www.grolmsnet.de/kerbtut/

    The research I have done so far shows that IE will try kerberos first,
    and then fail over to NTLM. So I assume that my kerberos with MIT's
    package is failing for some reason. Does anyone have any idea on what
    may be causing this? The SPN and the keytab file all look fine. I'm
    really stumped. Anyone up for a challenge and want to help me out here?

    Thanks in advance!

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
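    The log above shows mod_auth_kerb rejecting a token because it is NTLM rather than Kerberos. As an added example (not code from the thread or from mod_auth_kerb), the Python below classifies what a browser actually sent in its Authorization header, so the same fallback can be spotted in a proxy or access log before it reaches the module: it distinguishes a raw NTLMSSP message, an SPNEGO wrapper whose preferred mechanism is NTLM (IE's fallback), an SPNEGO wrapper offering Kerberos, and a bare Kerberos token. The mechanism OIDs are the standard ones; the sample headers are constructed.

```python
import base64
# Standard GSS-API mechanism OIDs as DER content bytes (well-known values, not from the thread)
SPNEGO_OID = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")    # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def _tlv(buf, pos=0):  # parse one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate(header_value):
    """Classify an Authorization header: ntlm, spnego-ntlm, spnego-kerberos, kerberos or unknown."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "ntlm" if scheme.lower() == "ntlm" else "unknown"
    try:
        token = base64.b64decode(b64)
        if token.startswith(b"NTLMSSP\x00"):  # raw NTLMSSP under Negotiate: the token mod_auth_kerb rejects
            return "ntlm"
        tag, body, _ = _tlv(token)  # GSS-API InitialContextToken: [APPLICATION 0] { thisMech OID, ... }
        _, mech, pos = _tlv(body)
        if tag != 0x60 or mech not in (SPNEGO_OID, KRB5_OID, MS_KRB5_OID):
            return "unknown"
        if mech != SPNEGO_OID:
            return "kerberos"  # bare Kerberos AP-REQ, no SPNEGO wrapper
        _, fields, _ = _tlv(_tlv(body, pos)[1])  # NegTokenInit ::= [0] SEQUENCE { mechTypes, ... }
        _, mech_list, _ = _tlv(_tlv(fields)[1])  # mechTypes [0] SEQUENCE OF OID
        _, preferred, _ = _tlv(mech_list)        # first OID is the client's preferred mechanism
    except (IndexError, ValueError):  # truncated token or bad base64
        return "unknown"
    return {NTLMSSP_OID: "spnego-ntlm", KRB5_OID: "spnego-kerberos",
            MS_KRB5_OID: "spnego-kerberos"}.get(preferred, "unknown")

def negotiate_header(mechs, mech_token):
    """Build 'Negotiate <base64 SPNEGO NegTokenInit>' offering mechs with mech_token (constructed sample)."""
    der = lambda t, p: bytes([t, len(p)]) + p  # short-form DER, enough for these small samples
    mech_list = der(0x30, b"".join(der(0x06, m) for m in mechs))
    fields = der(0x30, der(0xA0, mech_list) + der(0xA2, der(0x04, mech_token)))
    return "Negotiate " + base64.b64encode(der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, fields))).decode()

NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(27)  # constructed NTLM NEGOTIATE_MESSAGE shape
SAMPLES = {  # constructed: IE's NTLM fallback inside SPNEGO, a raw NTLM message, a Kerberos offer
    "ie_fallback": negotiate_header([NTLMSSP_OID], NTLM_TYPE1),
    "raw_ntlm": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
    "kerberos": negotiate_header([MS_KRB5_OID, KRB5_OID], b"\x60\x10" + bytes(16)),
}
```

    A result of "ntlm" or "spnego-ntlm" for a domain-joined client means Kerberos was never attempted or failed client-side (typically a missing or wrong SPN, a clock skew, or the site not in IE's intranet zone), which is the condition to alert on.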


  2. Re: IE using NTLM instead of Kerberos?

    On Friday 17 February 2006 23:08, Jason Fenner wrote:

    > I have followed these instruction completely:
    > http://www.grolmsnet.de/kerbtut/
    >
    > The research I have done so far shows that IE will try kerberos first,
    > and then fail over to NTLM.


    Please run

    kvno HTTP/rt.vitamix.com

    to see if the Kerberos principal exists.

    The mod_auth_kerb mailinglist is

    modauthkerb-help@lists.sourceforge.net


    Achim

    --
    using mod_auth_kerb and Windows 2000/2003 as KDC:



  3. Re: IE using NTLM instead of Kerberos?

    Ok,

    I ran that command and got the following:
    kvno: No credentials cache found while getting client principal name

    I notice that it says "client principal name", does this mean that I
    also need a key called:
    host/rt.vitamix.com

    Or does "client" just refer to the principal name that I queried?

    What does this message indicate?

    Here is my /etc/krb5.conf file too:

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    clockskew = 300

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = DOMAIN.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false


    [realms]
    VITAMIX.COM = {
    kdc = dc1.domain.com:88
    admin_server = dc1.domain.com

    }

    GOLDENEYE = {
    kdc = dc1.vitamix.com
    admin_server = dc1.domain.com
    default_domain = DOMAIN.COM
    }

    [domain_realm]
    rt.vitamix.com = DOMAIN.COM

    #[kdc]
    # profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
    pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
    }

    [logging]
    FILE=/var/krb5/kdc.log




  4. Re: IE using NTLM instead of Kerberos?

    As an update, I ran:
    kinit HTTP/rt.vitamix.com

    and supplied the requested password. This was successful.
    However, when running:
    kvno HTTP/rt.vitamix.com

    I got:
    HTTP/rt.vitamix.com@VITAMIX.COM: Server not found in Kerberos database
    while getting credentials

    klist had this output:
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: HTTP/rt.vitamix.com@VITAMIX.COM

    Valid starting Expires Service principal
    02/20/06 09:33:59 02/20/06 19:33:59 krbtgt/VITAMIX.COM@VITAMIX.COM
    renew until 02/21/06 09:33:59


    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached



