RE: Windows Clients Won't Do Kerberos - Kerberos

This is a discussion on RE: Windows Clients Won't Do Kerberos - Kerberos ; Turn off NTLM with Group Policy -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of mba2000@ioplex.com Sent: Thursday, June 29, 2006 1:37 PM To: kerberos@mit.edu Subject: Windows Clients Won't Do Kerberos I'm testing a Windows -> Apache Kerberos SSO product (see ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: RE: Windows Clients Won't Do Kerberos

  1. RE: Windows Clients Won't Do Kerberos

    Turn off NTLM with Group Policy

    -----Original Message-----
    From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf
    Of mba2000@ioplex.com
    Sent: Thursday, June 29, 2006 1:37 PM
    To: kerberos@mit.edu
    Subject: Windows Clients Won't Do Kerberos


    I'm testing a Windows -> Apache Kerberos SSO product (see sig) with a
    customer and it's not working for them. The client is always asking for
    NTLM. It never even tries Kerberos. I know it's not browser settings
    because I wrote a simple wsh script and it too only tries NTLMSSP (whereas
    on my test network it works fine).

    Can anyone think of a reason why XP clients would refuse to try Kerberos
    when accessing services (e.g. HTTP)? I've been through all the usual
    reasons but we just can't get it to work. Is there some kind of mode that
    a Windows domain controller can run in that causes all clients not to do
    Kerberos at all? Can anyone recommend a diagnostic?

    Thanks,
    Mike

    --
    Michael B Allen
    PHP Extension for SSO w/ Windows Group Authorization
    http://www.ioplex.com/ ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Windows Clients Won't Do Kerberos

    That sounds interesting. Note that the customer ran kerbtray and
    it shows he has tickets for stuff like cifs/server@REALM.NET and
    host/whatever@REALM.NET. So it looks like the workstations CAN do
    Kerberos, they just don't want to do it with the HTTP SPN.

    But the group policy thing sounds interesting. I'll check it out.

    Thanks,
    Mike

    On Thu, 29 Jun 2006 14:09:13 -0700
    chris.rowland@areva-td.com wrote:

    > Turn off NTLM with Group Policy
    >
    > -----Original Message-----
    > From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf
    > Of mba2000@ioplex.com
    > Sent: Thursday, June 29, 2006 1:37 PM
    > To: kerberos@mit.edu
    > Subject: Windows Clients Won't Do Kerberos
    >
    >
    > I'm testing a Windows -> Apache Kerberos SSO product (see sig) with a
    > customer and it's not working for them. The client is always asking for
    > NTLM. It never even tries Kerberos. I know it's not browser settings
    > because I wrote a simple wsh script and it too only tries NTLMSSP (whereas
    > on my test network it works fine).
    >
    > Can anyone think of a reason why XP clients would refuse to try Kerberos
    > when accessing services (e.g. HTTP)? I've been through all the usual
    > reasons but we just can't get it to work. Is there some kind of mode that
    > a Windows domain controller can run in that causes all clients not to do
    > Kerberos at all? Can anyone recommend a diagnostic?
    >
    > Thanks,
    > Mike
    >
    > --
    > Michael B Allen
    > PHP Extension for SSO w/ Windows Group Authorization
    > http://www.ioplex.com/ ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >



    --
    Michael B Allen
    PHP Extension for SSO w/ Windows Group Authorization
    http://www.ioplex.com/
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


+ Reply to Thread