Windows Clients Won't Do Kerberos - Kerberos



Thread: Windows Clients Won't Do Kerberos

  1. Windows Clients Won't Do Kerberos

    I'm testing a Windows -> Apache Kerberos SSO product (see sig) with a
    customer and it's not working for them. The client is always asking for
    NTLM. It never even tries Kerberos. I know it's not browser settings
    because I wrote a simple wsh script and it too only tries NTLMSSP
    (whereas on my test network it works fine).

    Can anyone think of a reason why XP clients would refuse to try Kerberos
    when accessing services (e.g. HTTP)? I've been through all the usual
    reasons but we just can't get it to work. Is there some kind of mode
    that a Windows domain controller can run in that causes all clients not
    to do Kerberos at all? Can anyone recommend a diagnostic?

    Thanks,
    Mike

    --
    Michael B Allen
    PHP Extension for SSO w/ Windows Group Authorization
    http://www.ioplex.com/
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Windows Clients Won't Do Kerberos

    On Thu, 29 Jun 2006 16:12:22 -0500
    "Christopher D. Clausen" wrote:

    > Michael B Allen wrote:
    > > I'm testing a Windows -> Apache Kerberos SSO product (see sig) with a
    > > customer and it's not working for them. The client is always asking
    > > for NTLM. It never even tries Kerberos. I know it's not browser
    > > settings because I wrote a simple wsh script and it too only tries
    > > NTLMSSP (whereas on my test network it works fine).
    > >
    > > Can anyone think of a reason why XP clients would refuse to try
    > > Kerberos when accessing services (e.g. HTTP)? I've been through all
    > > the usual reasons but we just can't get it to work. Is there some
    > > kind of mode that a Windows domain controller can run in that causes
    > > all clients not to do Kerberos at all? Can anyone recommend a
    > > diagnostic?

    >
    > Are the users logged on to Windows with Domain credentials? Local
    > accounts would not have Kerberos credentials.
    >
    > Is the domain operating at the "Windows 2000" level? NT4 domains do not
    > support Kerberos.
    >
    > Is the website in the "Trusted Sites" zone in Internet Explorer
    > (assuming that you are trying with Internet Explorer.)
    >
    > Find and download klist.exe from Microsoft and use it to look at the
    > SSPI ticket cache. You should see a HTTP/fqdn.domain ticket show up
    > when the site in question is contacted if everything is working as it
    > should.


    Yes. Yes and yup. The customer ran kerbtray and he has tickets for all
    sorts of stuff.

    I don't think it has anything to do with IE because 1) the wsh script
    I provided generates the same error (GSS_S_BAD_MECH because we can't
    accept raw NTLMSSP tokens) and 2) he's never presented with a Network
    Password Dialog.

    I have confirmed with a packet capture that the client never tries
    Kerberos. It just tries raw NTLMSSP. No SPNEGO.

    Finally, the installer on the Linux machine validates the keytab
    credential with krb5_get_init_creds_keytab and then does a DCE/RPC group
    lookup against the DC. It was successful. So the SPN and its credential
    is valid.

    It's like there's some kind of group policy getting in the way or maybe
    the Windows client is failing to get the ticket for some other reason.

    I'm so stumped.

    Mike



  3. Re: Windows Clients Won't Do Kerberos

    Note that you must configure the https url to be a trusted
    host by IE in order for IE to negotiate GSS-Negotiate via the
    HTTP Negotiate option.

    Jeffrey Altman

  4. Re: Windows Clients Won't Do Kerberos

    On Thursday, June 29, 2006 07:12:53 PM -0400 Michael B Allen
    wrote:

    > I have confirmed with a packet capture that the client never tries
    > Kerberos. It just tries raw NTLMSSP. No SPNEGO.
    >
    > Finally, the installer on the Linux machine validates the keytab
    > credential with krb5_get_init_creds_keytab and then does a DCE/RPC group
    > lookup against the DC. It was successful. So the SPN and its credential
    > is valid.


    If it's never even trying negotiate, then one of these must be true:
    (1) It doesn't support it
    (2) It's configured not to use it
    (3) The server doesn't claim to support it
    (4) It can't get a ticket

    Since you have another client which also fails, (1) and (2) seem unlikely.
    And, since you have other tickets, and you've demonstrated that the service
    principal exists, (4) also seems unlikely. So, I'm going to guess that
    your server is broken, and doesn't claim to support that mechanism.

    -- Jeffrey T. Hutzelman (N3NHS)
    Sr. Research Systems Programmer
    School of Computer Science - Research Computing Facility
    Carnegie Mellon University - Pittsburgh, PA



  5. Re: Windows Clients Won't Do Kerberos

    On Thu, 29 Jun 2006 21:04:29 -0400
    Jeffrey Hutzelman wrote:
    > On Thursday, June 29, 2006 07:12:53 PM -0400 Michael B Allen
    > wrote:
    >
    > > I have confirmed with a packet capture that the client never tries
    > > Kerberos. It just tries raw NTLMSSP. No SPNEGO.
    > >
    > > Finally, the installer on the Linux machine validates the keytab
    > > credential with krb5_get_init_creds_keytab and then does a DCE/RPC group
    > > lookup against the DC. It was successful. So the SPN and its credential
    > > is valid.

    >
    > If it's never even trying negotiate, then one of these must be true:
    > (1) It doesn't support it
    > (2) It's configured not to use it
    > (3) The server doesn't claim to support it
    > (4) It can't get a ticket
    >
    > Since you have another client which also fails, (1) and (2) seem unlikely.
    > And, since you have other tickets, and you've demonstrated that the service
    > principal exists, (4) also seems unlikely. So, I'm going to guess that
    > your server is broken, and doesn't claim to support that mechanism.


    But the server isn't even given a chance to present the mechanisms it
    supports. This form of HTTP authentication should look like the following
    (assuming single step Kerberos for now):

    1 C -> S GET /whatever
    2 C <- S 401 Unauthorized
    WWW-Authenticate: Negotiate

    3 C -> S GET /whatever
    Authorization: Negotiate
    4 C <- S 200 Success

    The problem that I'm seeing is that at step 3 IE is submitting a raw
    NTLMSSP token. It's not a SPNEGO token or a raw Kerberos token. So it's
    not even giving the server an opportunity to do Kerberos. Therefore I
    don't see how it could possibly be a problem with the server (3) since
    all the server does up to that point is return
    'WWW-Authenticate: Negotiate'.

    I doubt it's (1). At least I've never heard of XP not supporting HTTP
    authentication. XP Home edition perhaps but he's using XP Professional
    and has tickets for all sorts of stuff.

    It could be (2). But it's not specific to IE because the wsh script
    generates the same error and it just uses the WinHttpRequest interface. So
    it would have to be a machine level or "Global Policy" type of setting.

    It could be (4) if there's something wrong with the account. As per my
    instructions he created a Computer account and ran ktpass to generate
    an "RC4-HMAC-NT" keytab. Maybe he should have used a User account and
    DES? I've tested all of this with my very vanilla W2K3 KDC. Considering
    the keytab credential was used successfully by the installer to query
    an AD group I'm thinking this isn't the problem.

    So if *I* had to guess I would say it's (2). There's some mysterious
    security policy "GPO" or some odd MS thing I don't understand since I
    spend 90% of my time in vi :-<

    Mike

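    As an added illustration of the step-3 check described above (this is not code from the thread or from the ioplex product): a small Python classifier that decodes the token from an `Authorization: Negotiate` header taken from a capture and reports whether the client sent a raw NTLMSSP message, a raw Kerberos token, or a SPNEGO NegTokenInit, and in the SPNEGO case which mechanisms it offered. The sample tokens are constructed here, and the parser assumes the NegTokenInit lists mechTypes as its first field.

```python
import base64
import struct

# Mechanism OIDs seen in HTTP Negotiate tokens (SPNEGO RFC 4178, Kerberos RFC 4121, NTLMSSP).
OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos 5",
        "1.2.840.48018.1.2.2": "MS Kerberos 5", "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def decode_oid(body):
    """Dotted form of DER OID content octets (first two arcs packed, the rest base-128)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def der_read(buf, pos=0):
    """(tag, value, next_pos) for the DER TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate_token(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"kind": "not Negotiate", "mechs": []}
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):      # bare NTLM message, no GSS-API/SPNEGO framing
        return {"kind": "raw NTLMSSP", "mechs": ["NTLMSSP"],
                "message_type": struct.unpack_from("<I", token, 8)[0]}
    if not token or token[0] != 0x60:        # not a GSS-API InitialContextToken
        return {"kind": "unknown", "mechs": []}
    _, inner, _ = der_read(token)
    tag, oid_body, pos = der_read(inner)     # thisMech OID comes first
    mech = decode_oid(oid_body) if tag == 0x06 else ""
    if mech in ("1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2"):
        return {"kind": "raw Kerberos", "mechs": [OIDS[mech]]}
    if mech != "1.3.6.1.5.5.2":
        return {"kind": "unknown", "mechs": [mech] if mech else []}
    # SPNEGO NegTokenInit [0] SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... }; mechTypes assumed first
    _, neg_init, _ = der_read(inner, pos)
    _, mech_seq, _ = der_read(der_read(der_read(neg_init)[1])[1])
    mechs, p = [], 0
    while p < len(mech_seq):
        _, body, p = der_read(mech_seq, p)
        mechs.append(OIDS.get(decode_oid(body), decode_oid(body)))
    return {"kind": "SPNEGO", "mechs": mechs}

# Constructed samples (not captures from the thread): an NTLM Type 1 message (the failing case)
# and a SPNEGO NegTokenInit offering MS Kerberos, Kerberos and NTLMSSP (a healthy client).
NTLM_TYPE1 = b"NTLMSSP\x00" + struct.pack("<II", 1, 0xE2088297) + bytes(16)
SPNEGO_INIT = bytes.fromhex(
    "6032 06062b0601050502 a028 3026 a024 3022"
    "06092a864882f712010202 06092a864886f712010202 060a2b06010401823702020a")
SAMPLES = {"broken": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
           "healthy": "Negotiate " + base64.b64encode(SPNEGO_INIT).decode()}
```

Run against the base64 value copied from step 3 of a capture; a "raw NTLMSSP" result with no SPNEGO framing is exactly the symptom the thread describes.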


  6. Re: Windows Clients Won't Do Kerberos


    >So if *I* had to guess I would say it's (2). There's some mysterious
    >security policy "GPO" or some odd MS thing I don't understand since I
    >spend 90% of my time in vi :-<


    Try cranking up KerbDebugLevel and see if you can find out if the
    Kerberos SSP is being invoked.

    -- Luke



  7. Re: Windows Clients Won't Do Kerberos

    Michael B Allen wrote:

    > It could be (2). But it's not specific to IE because the wsh script
    > generates the same error and it just uses the WinHttpRequest interface. So
    > it would have to be a machine level or "Global Policy" type of setting.
    >
    > It could be (4) if there's something wrong with the account. As per my
    > instructions he created a Computer account and ran ktpass to generate
    > an "RC4-HMAC-NT" keytab. Maybe he should have used a User account and
    > DES? I've tested all of this with my very vanilla W2K3 KDC. Considering
    > the keytab credential was used successfully by the installer to query
    > an AD group I'm thinking this isn't the problem.


    Do you have a network monitor? If so, look for HTTP service ticket
    requests that are being denied. If you don't see them, then you most
    likely have not added the host url to the Trusted Sites list. This
    is required in order for WinHttpRequest or IE to perform Kerberos
    negotiate.

    Jeffrey Altman



  8. Re: Windows Clients Won't Do Kerberos

    Mike,

    We have seen this issue too. A couple of our XP machines don't want to do
    Kerberos via HTTP. If you use SP2 then there are Hotfixes available, but I
    don't recall the Hotfix number right now. Check with Microsoft.

    Regards
    Markus




  9. Re: Windows Clients Won't Do Kerberos

    On Fri, 30 Jun 2006 04:10:35 GMT
    Jeffrey Altman wrote:

    > Michael B Allen wrote:
    >
    > > It could be (2). But it's not specific to IE because the wsh script
    > > generates the same error and it just uses the WinHttpRequest interface. So
    > > it would have to be a machine level or "Global Policy" type of setting.
    > >
    > > It could be (4) if there's something wrong with the account. As per my
    > > instructions he created a Computer account and ran ktpass to generate
    > > an "RC4-HMAC-NT" keytab. Maybe he should have used a User account and
    > > DES? I've tested all of this with my very vanilla W2K3 KDC. Considering
    > > the keytab credential was used successfully by the installer to query
    > > an AD group I'm thinking this isn't the problem.

    >
    > Do you have a network monitor? If so, look for HTTP service ticket
    > requests that are being denied.


    Yeah. I just worked out exactly how to install netcap.exe on XP and
    get a capture. I think it is indeed something wrong with trying to
    acquire the HTTP service ticket. If I disable the Computer account in
    my environment I get exactly the same behavior as the customer. IE gets
    KRB5KDC_ERR_S_UNKNOWN_PRINCIPAL and falls back to NTLM.

    > If you don't see them, then you most
    > likely have not added the host url to the Trusted Sites list. This
    > is required in order for WinHttpRequest or IE to perform Kerberos
    > negotiate.


    Interesting. So that also affects WinHttpRequest. Regardless we've
    been over that twice already. The customer definitely has that
    set. Incidentally I think the proper method is to add the domain to
    the IntrAnet zone like 'http://*.foo.net'. I think the Trusted Sites list
    is more for IntErnet sites like http://download.microsoft.com, etc.

    Mike



  10. Re: Windows Clients Won't Do Kerberos

    On Fri, 30 Jun 2006 12:18:18 +1000
    Luke Howard wrote:

    >
    > >So if *I* had to guess I would say it's (2). There's some mysterious
    > >security policy "GPO" or some odd MS thing I don't understand since I
    > >spend 90% of my time in vi :-<

    >
    > Try cranking up KerbDebugLevel and see if you can find out if the
    > Kerberos SSP is being invoked.


    Unfortunately that only works on Windows 2003 Server and requires a
    reboot. Additionally I just tried this in my environment and it didn't
    log anything terribly interesting (although I only tried the standard
    log level of 0xc0000043).

    Apparently there is a netcap.exe packet capture program shipped on the
    XP CD as part of the Support Tools package [1]. I have tested installing
    and getting a capture and asked the customer to try it.

    Mike

    [1] http://support.microsoft.com/kb/306794/EN-US/



  11. Re: Windows Clients Won't Do Kerberos

    The mentioned hotfix is http://support.microsoft.com/?kbid=906524 and
    will be available in SP3. It updates the Kerberos dll and solved the
    issue for us. Could you let me know if this solved your problem?

    Regards
    Markus






  12. Re: Windows Clients Won't Do Kerberos

    It overwrites the following patch
    http://support.microsoft.com/default...b;en-us;885887 which
    mentions Kerberos auth problems.

    Markus






