Re: Question about freeing memory when using krb5_get_credentials - Kerberos


Thread: Re: Question about freeing memory when using krb5_get_credentials

  1. Re: Question about freeing memory when using krb5_get_credentials

    My capath looks like:


    [capaths]
    SUSE.HOME = {
    XEN.HOME = WINDOWS2003.HOME
    WINDOWS2003.HOME = .
    }
    XEN.HOME = {
    SUSE.HOME = WINDOWS2003.HOME
    }
    WINDOWS2003.HOME = {
    SUSE.HOME = .
    }



    "Tom Yu" wrote in message
    news:ldvlkeql2f5.fsf@cathode-dark-space.mit.edu...
    >>>>>> "Markus" == Markus Moeller writes:

    >
    > Markus> It was release 1.6.1
    >
    > This may actually be a bug in krb5_walk_realm_tree(). What does the
    > [capaths] section of your krb5.conf look like?
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >




    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos

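As an added illustration (not part of the original post), the following parses the [capaths] stanza quoted above and works out which realms' ticket-granting services a client has to contact for a cross-realm request. parse_capaths and realm_path are my own names; the stanza text is copied from the post, and the note about hierarchical fallback follows MIT krb5's documented behaviour.

```python
# Added example: resolve cross-realm hops from a krb5.conf [capaths] stanza.
# CAPATHS_CONF is the stanza from the post; the helper names are my own.
CAPATHS_CONF = """
[capaths]
SUSE.HOME = {
    XEN.HOME = WINDOWS2003.HOME
    WINDOWS2003.HOME = .
}
XEN.HOME = {
    SUSE.HOME = WINDOWS2003.HOME
}
WINDOWS2003.HOME = {
    SUSE.HOME = .
}
"""


def parse_capaths(text):
    """Return {client_realm: {server_realm: [intermediate realms, in order]}}.

    Inside a client block, "SERVER = INTERMEDIATE" names the realm the client
    must hop through; repeating the same SERVER key appends further hops in
    order, and the value "." means the two realms trust each other directly.
    """
    paths = {}
    client = None
    in_capaths = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_capaths = line == "[capaths]"
            client = None
            continue
        if not in_capaths:
            continue
        if line == "}":
            client = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse capaths line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "{":                         # start of a client-realm block
            client = key
            paths.setdefault(client, {})
        elif client is not None:
            hops = paths[client].setdefault(key, [])
            if value != ".":
                hops.append(value)
        else:
            raise ValueError(f"capaths entry outside a realm block: {raw!r}")
    return paths


def realm_path(paths, client_realm, server_realm):
    """Realms whose TGS the client contacts in turn, ending with server_realm.

    Returns [] for a same-realm request and None when [capaths] has no entry
    for the pair; in that case MIT krb5 falls back to the hierarchical walk
    derived from the realm names, which is what krb5_walk_realm_tree() does.
    """
    if client_realm == server_realm:
        return []
    try:
        intermediates = paths[client_realm][server_realm]
    except KeyError:
        return None
    return intermediates + [server_realm]


if __name__ == "__main__":
    table = parse_capaths(CAPATHS_CONF)
    for client, server in [("SUSE.HOME", "XEN.HOME"), ("XEN.HOME", "SUSE.HOME"),
                           ("WINDOWS2003.HOME", "XEN.HOME")]:
        print(f"{client} -> {server}: {realm_path(table, client, server)}")
```

Note that the stanza gives WINDOWS2003.HOME no entry for XEN.HOME, so that direction is left to the hierarchical fallback.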

  2. Some Users get Basic Auth?

    Hi, I have a huge problem.

    Some of our users randomly get the Basic Auth box; some get it ALWAYS.

    I sniffed the HTTP traffic:

    "
    GET /edv HTTP/1.0^M
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/x-shockwave-flash, application/msword,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, */*^M
    Accept-Language: de-ch^M
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)^M
    Host: gandalf^M
    Connection: Keep-Alive^M
    ^M

    HTTP/1.1 401 Authorization Required^M
    Date: Tue, 12 Jun 2007 07:22:07 GMT^M
    Server: Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.8a PHP/4.4.6
    PHP/5.1.1 mod_auth_kerb/5.3^M
    WWW-Authenticate: Negotiate^M
    WWW-Authenticate: Basic realm="^M
    Content-Length: 540^M
    Keep-Alive: timeout=15, max=100^M
    Connection: Keep-Alive^M
    Content-Type: text/html; charset=iso-8859-1^M
    ^M


    401 Authorization Required

    Authorization Required


    This server could not verify that you
    are authorized to access the document
    requested. Either you supplied the wrong
    credentials (e.g., bad password), or your
    browser doesn't understand how to supply
    the credentials required.




    Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.8a PHP/4.4.6
    PHP/5.1.1 mod_auth_kerb/5.3 Server at gandalf Port 80



    GET /edv HTTP/1.0^M
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/x-shockwave-flash, application/msword,
    application/vnd.ms-excel, application/vnd.ms-powerpoint, */*^M
    Accept-Language: de-ch^M
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)^M
    Host: gandalf^M
    Connection: Keep-Alive^M
    Authorization: Negotiate
    TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAA AADw==^M
    ^M

    HTTP/1.1 401 Authorization Required^M
    Date: Tue, 12 Jun 2007 07:22:07 GMT^M
    Server: Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.8a PHP/4.4.6
    PHP/5.1.1 mod_auth_kerb/5.3^M
    WWW-Authenticate: Basic realm="^M
    Content-Length: 540^M
    Keep-Alive: timeout=15, max=99^M
    Connection: Keep-Alive^M
    Content-Type: text/html; charset=iso-8859-1^M

    "

    So the interesting line is "Authorization: Negotiate
    TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAA AADw=="

    That doesn't look like a Kerberos service ticket? Is that NTLM?
    With best regards

    M.Djihangiroff
    persona service Verwaltungs AG & Co. KG
    Freisenbergstraße 31 • 58513 Lüdenscheid
    Tel.: (02351) 950-0 • Fax: (02351) 950-222
    Registered office Lüdenscheid • Registry court Iserlohn, HRA No. 2930

    Personally liable general partner: persona service AG
    Gartenstraße 93 • CH-4002 Basel
    Commercial register Basel, No. CH-270.3.012.836-8
    represented by the board of directors:
    Dipl.-Ing. Werner Müller (President) and Dr. Sebastian Burckhardt
    www.persona.de




  3. Re: Some Users get Basic Auth?

    In article
    ,
    Matthias.Djihangiroff@persona.de ("Djihangiroff, Matthias (KC-DD)")
    wrote:

    > Hi, I have a huge problem.
    >
    > Some of our users randomly get the Basic Auth box; some get it ALWAYS.
    >
    > I sniffed the HTTP traffic:

    ....
    > HTTP/1.1 401 Authorization Required^M
    > Date: Tue, 12 Jun 2007 07:22:07 GMT^M
    > Server: Apache/2.0.55 (Unix) mod_ssl/2.0.55 OpenSSL/0.9.8a PHP/4.4.6
    > PHP/5.1.1 mod_auth_kerb/5.3^M
    > WWW-Authenticate: Negotiate^M
    > WWW-Authenticate: Basic realm="^M
    > Content-Length: 540^M


    Is that exactly how it looks?

    WWW-Authenticate: Basic realm="

    I've seen : Basic realm="KRB5 "

    I was delighted to see the http service specify its native
    realm - if that's what it's doing - because the domain/realm
    mapping alternative doesn't work out very well. More services
    should do this.

    > So the interesting line is "Authorization: Negotiate
    > TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAA AADw=="
    >
    > That doesn't look like a Kerberos service ticket? Is that NTLM?


    Yes, at least that's more or less how NTLM looks to me. You
    could look at the Apache error_log, which I expect would
    confirm this. I really have no idea how to make IE support
    Kerberos authentication, but the instructions I've seen
    mention the term "intranet" as though it really matters, so
    that might be something to look at.

    Donn Cave, donn@u.washington.edu

  4. Re: Some Users get Basic Auth?

    On Tue, 12 Jun 2007 10:10:15 +0200
    "Djihangiroff, Matthias (KC-DD)" wrote:

    > Hi, I have a huge problem.
    >
    > Some of our users randomly get the Basic Auth box; some get it ALWAYS.
    >
    > I sniffed the HTTP traffic:
    >
    > So the interesting line is "Authorization: Negotiate
    > TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAA AADw=="
    >
    > That doesn't look like a Kerberos service ticket? Is that NTLM?


    00000: 4e 54 4c 4d 53 53 50 00 01 00 00 00 07 82 08 a2 |NTLMSSP.........|
    00010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
    00020: 05 01 28 0a 00 00 00 0f |..(..... |

    This is raw NTLMSSP. Check your browser settings.

    Mike

    --
    Michael B Allen
    PHP Active Directory Kerberos SSO
    http://www.ioplex.com/

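To reproduce what Mike's hex dump shows, here is an added example (not code from the thread or from any poster): it base64-decodes the Authorization: Negotiate value from the capture, tells raw NTLMSSP apart from SPNEGO-wrapped Kerberos or NTLM, and parses the NTLM type 1 (NEGOTIATE) message. The token is copied from the post (the space in it is the archive's line wrap); the function names and the flag table are my own, the OIDs and field layout are those of RFC 4178 and MS-NLMP.

```python
import base64
import struct

# Token copied from the "Authorization: Negotiate" header in the capture above.
CAPTURED_TOKEN = "TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAFASgKAA AADw=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER OID contents (without the 06 <len> header) of the mechanisms that can
# sit behind a Negotiate header.
OID_SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("2a864882f712010202")     # 1.2.840.48018.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

# Subset of the MS-NLMP NegotiateFlags bits, enough to explain this token.
NEGOTIATE_FLAGS = {
    0x00000001: "UNICODE", 0x00000002: "OEM", 0x00000004: "REQUEST_TARGET",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x02000000: "VERSION",
    0x20000000: "128", 0x80000000: "56",
}


def decode_token(header_value: str) -> bytes:
    """base64-decode a Negotiate token, tolerating line-wrap whitespace."""
    return base64.b64decode("".join(header_value.split()))


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def build_spnego_init(mech_oids) -> bytes:
    """Build a NegTokenInit carrying only mechTypes, for comparison/testing."""
    mech_list = _der(0x30, b"".join(_der(0x06, oid) for oid in mech_oids))
    neg_token_init = _der(0x30, _der(0xA0, mech_list))
    return _der(0x60, _der(0x06, OID_SPNEGO) + _der(0xA0, neg_token_init))


def classify(raw: bytes) -> str:
    """Say whether a Negotiate token is raw NTLMSSP, raw Kerberos or SPNEGO."""
    if raw.startswith(NTLMSSP_SIGNATURE):
        return "raw NTLMSSP"
    if raw[:1] == b"\x60" and len(raw) > 2:     # GSS-API InitialContextToken
        body = raw[1:]
        skip = 1 if body[0] < 0x80 else 1 + (body[0] & 0x7F)
        body = body[skip:]
        if body.startswith(_der(0x06, OID_SPNEGO)):
            mechs = []                           # substring scan, not a full ASN.1 parse
            if OID_KRB5 in raw or OID_MS_KRB5 in raw:
                mechs.append("Kerberos")
            if OID_NTLMSSP in raw:
                mechs.append("NTLM")
            return "SPNEGO offering " + "/".join(mechs or ["unknown"])
        if body.startswith(_der(0x06, OID_KRB5)):
            return "raw Kerberos"
    return "unrecognised"


def parse_ntlm_negotiate(raw: bytes) -> dict:
    """Parse an MS-NLMP NEGOTIATE_MESSAGE (type 1): flags and client version."""
    if not raw.startswith(NTLMSSP_SIGNATURE) or len(raw) < 32:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError(f"NTLMSSP message type {msg_type}, expected 1")
    info = {"flags": flags,
            "flag_names": [n for bit, n in NEGOTIATE_FLAGS.items() if flags & bit]}
    if flags & 0x02000000 and len(raw) >= 40:   # VERSION field present at offset 32
        major, minor, build, _, _, _, rev = struct.unpack_from("<BBHBBBB", raw, 32)
        info["version"] = (major, minor, build)  # (5, 1, 2600) = Windows XP, as in the UA
        info["ntlm_revision"] = rev
    return info


if __name__ == "__main__":
    token = decode_token(CAPTURED_TOKEN)
    print(classify(token))                  # raw NTLMSSP
    print(parse_ntlm_negotiate(token))      # flags 0xa2088207, version (5, 1, 2600)
```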

  5. AW: Some Users get Basic Auth?

    I've checked the browser settings; Integrated Windows Auth is checked.

    Where can I configure the browser so that it uses only Kerberos?
    I didn't find any option.



    -----Original Message-----
    From: Michael B Allen [mailto:mba2000@ioplex.com]
    Sent: Tuesday, 12 June 2007 19:18
    To: Djihangiroff, Matthias (KC-DD)
    Cc: kerberos@mit.edu
    Subject: Re: Some Users get Basic Auth?



  6. Re: AW: Some Users get Basic Auth?


    On Jun 12, 2007, at 11:04 PM, Djihangiroff, Matthias (KC-DD) wrote:

    > I've checked the browser settings; Integrated Windows Auth is checked.
    >
    > Where can I configure the browser so that it uses only Kerberos?
    > I didn't find any option.


    You can't. A lot of it depends on the URL you present to IE, which
    will in turn dictate what protocol is chosen under SPNEGO.

    When you type "http://someserver", then IE will present the kerberos
    package on the client with the service principal name (SPN) of http/
    someserver. For kerberos to work, you need a service ticket matching
    that SPN. This will only be possible if the web server is properly
    registered with a machine account in your client's domain, or
    potentially another domain in the forest (assuming you're using AD).

    In some cases, IE will do a reverse lookup and expand the someserver
    to http/someserver.domain.com, but the SPN lookup rule still applies.

    If kerberos can't find the SPN (for example if the target server
    isn't registered in a trusted domain, or the client's KDC can't be
    reached over the presently connected network), it will drop back to
    NTLM (wrapped in SPNEGO tokens). There's really no easy way to
    guarantee Kerberos, and, in fact, NTLM is frequently the protocol
    chosen for http auth.

    We tried, in the old days to get rid of NTLM, but that's not possible
    w/o service interruptions unless you can *always* get a service
    ticket to the server.

    Todd


  7. AW: AW: Some Users get Basic Auth?

    Thanks.

    Then I don't know why IE is switching to NTLM.
    It doesn't matter if I type http://someserver or with our domain
    http://someserver.konzern.intern (that's also the registered machine
    account in the domain).
    The auth box pops up every time.

    I think that's some kind of defective Windows profile.
    If I log in with MY Windows account, all is running perfectly. If I log in
    with a user account, they get the auth box. (Both on the same machine,
    the same domain)

    I'm informing our Windows admins and hope they can make a brand new
    Windows account for me for testing purposes in that domain.

    Matthias

    ________________________________

    From: Todd Stecher [mailto:tstecher@qwest.net]
    Sent: Wednesday, 13 June 2007 08:18
    To: Djihangiroff, Matthias (KC-DD)
    Cc: Michael B Allen; kerberos@mit.edu
    Subject: Re: AW: Some Users get Basic Auth?



  8. Re: AW: AW: Some Users get Basic Auth?


    On Jun 12, 2007, at 11:25 PM, Djihangiroff, Matthias ((KC-DD)) wrote:

    > If I log in with MY Windows account, all is running perfectly. If I
    > log in with a user account, they get the auth box. (Both on the same
    > machine, the same domain)
    >


    Which user account? A domain account, right?

    Also note that IE policy will disallow some forms of integrated auth
    to untrusted / internet zones, which can cause it to fall back to
    basic auth. This is a per-user setting, and may have relevance
    here. Also, IE's stoopid - if it sees a . in the URL, it assumes its
    something in the internet zone, and won't allow integrated auth by
    default.

    (I'm getting a bit rusty in this area, so let me know what you find -
    too much time on Mac and FreeBSD lately).

    Todd

  9. Re: AW: AW: Some Users get Basic Auth?

    On Wed, 13 Jun 2007 08:25:51 +0200
    "Djihangiroff, Matthias (KC-DD)" wrote:

    > Thanks.
    >
    > Then I don't know why IE is switching to NTLM.
    > It doesn't matter if I type http://someserver or with our domain
    > http://someserver.konzern.intern (that's also the registered machine
    > account in the domain).
    > The auth box pops up every time.
    >
    > I think that's some kind of defective Windows profile.
    > If I log in with MY Windows account, all is running perfectly. If I log in
    > with a user account, they get the auth box. (Both on the same machine,
    > the same domain)
    >
    > I'm informing our Windows admins and hope they can make a brand new
    > Windows account for me for testing purposes in that domain.


    Matthias,

    On this website:

    http://www.ioplex.com/support.html

    You will find a document called the Plexcel Operator's Manual. The
    document is mostly about our SSO product but of course the protocol
    is the same so the "Possible Issues" section has information about
    troubleshooting this sort of thing. In particular look at Issue 3 and
    Issue 5.

    Mike




    --
    Michael B Allen
    PHP Active Directory Kerberos SSO
    http://www.ioplex.com/


  12. AW: AW: AW: Some Users get Basic Auth?

    Hello,

    We have just created a new domain account and voilà, all is running fine.
    So some kind of setting in the user profile is incorrect, so the auth box popped up.

    Now we have another problem.

    SOME users are getting this basic auth box sometimes. IE is running in NTLM mode.
    If you close IE and open it again with the same URL, all is running fine.

    What the hell is wrong with this IE thing :-(

    -----Original Message-----
    From: Michael B Allen [mailto:mba2000@ioplex.com]
    Sent: Wednesday, 13 June 2007 08:57
    To: Djihangiroff, Matthias (KC-DD)
    Cc: Todd Stecher; kerberos@mit.edu
    Subject: Re: AW: AW: Some Users get Basic Auth?



  13. Re: AW: AW: AW: Some Users get Basic Auth?

    On Thu, 14 Jun 2007 15:19:59 +0200
    "Djihangiroff, Matthias (KC-DD)" wrote:

    > Hello,
    >
    > We have just created a new domain account and voilà, all is running fine.
    > So some kind of setting in the user profile is incorrect, so the auth box popped up.
    >
    > Now we have another problem.
    >
    > SOME users are getting this basic auth box sometimes. IE is running in NTLM mode.
    > If you close IE and open it again with the same URL, all is running fine.
    >
    > What the hell is wrong with this IE thing :-(


    Hi Matthias,

    Honestly the best way to determine what's going on is to get a packet
    capture and do a network analysis. The problem with that is that clients
    cache both positive and negative Kerberos ticket request results, so you
    basically have to reboot the client, start the capture, launch IE, try
    the page and if it fails restart the browser and if it then succeeds
    stop the capture. If it doesn't fail or if it doesn't succeed after
    failing you won't have the two conditions you need to compare and you
    have no choice but to reboot the client and repeat.

    But if you do get a capture like that I'll look at it. Can't guarantee
    I'll find anything but I'm always interested in these sorts of failure
    conditions.

    There is a description of getting a capture with netcap.exe in the appendix
    of that document I pointed you to before.

    Also, you might try to get this patch:

    http://support.microsoft.com/kb/885887

    It does sound remotely like what you're seeing and some people have
    had success with it when experiencing unreliable behavior like you're
    describing.

    Mike

    > -----Ursprüngliche Nachricht-----
    > Von: Michael B Allen [mailto:mba2000@ioplex.com]
    > Gesendet: Mittwoch, 13. Juni 2007 08:57
    > An: Djihangiroff, Matthias (KC-DD)
    > Cc: Todd Stecher; kerberos@mit.edu
    > Betreff: Re: AW: AW: Some Users get Basic Auth?
    >
    > On Wed, 13 Jun 2007 08:25:51 +0200
    > "Djihangiroff, Matthias (KC-DD)" wrote:
    >
    > > Thanks.
    > >
    > > Than i dont know why IE is switching to NTLM.
    > > It doesnt matter if i type http://someserver or with our domain
    > > http://someserver.konzern.intern (thats although the registerd machine
    > > account in the domain).
    > > The auth box pop ups every time.
    > >
    > > I think, thats somekind of defect windows profile.
    > > If i login with MY windows account, all is running perfect. If i login
    > > with a user account, they get the auth box. (Both on the same machine,
    > > the same domain)
    > >
    > > I'm informing our Windows admins and hope, they can make some brand
    > > new windows account for me for testing purposes in that domain.

    >
    > Matthias,
    >
    > On this website:
    >
    > http://www.ioplex.com/support.html
    >
    > You will find a document called the Plexcel Operator's Manual. The document is mostly about our SSO product but of course the protocol is the same so the "Possible Issues" section has information about troubleshooting this sort of thing. In particular look at Issue 3 and Issue 5.
    >
    > Mike
    >
    > > ________________________________
    > >
    > > Von: Todd Stecher [mailto:tstecher@qwest.net]
    > > Gesendet: Mittwoch, 13. Juni 2007 08:18
    > > An: Djihangiroff, Matthias (KC-DD)
    > > Cc: Michael B Allen; kerberos@mit.edu
    > > Betreff: Re: AW: Some Users get Basic Auth?
    > >
    > >
    > >
    > > On Jun 12, 2007, at 11:04 PM, Djihangiroff, Matthias (KC-DD) wrote:
    > >
    > >
    > > I've checked the browser settings; Integrated Windows Auth is
    > > checked.
    > >
    > > Where can I configure the browser so that it uses only Kerberos?
    > >
    > > I didn't find any option.
    > >
    > >
    > > You can't. A lot of it depends on the URL you present to IE, which
    > > will in turn dictate what protocol is chosen under SPNEGO.
    > >
    > > When you type "http://someserver", then IE will present the kerberos
    > > package on the client with the service principal name (SPN) of
    > > http/someserver. For kerberos to work, you need a service ticket
    > > matching that SPN. This will only be possible if the web server is
    > > properly registered with a machine account in your client's domain, or
    > > potentially another domain in the forest (assuming you're using AD).
    > >
    > > In some cases, IE will do a reverse lookup and expand the someserver
    > > to http/someserver.domain.com, but the SPN lookup rule still applies.
    > >
    > > If kerberos can't find the SPN (for example if the target server isn't
    > > registered in a trusted domain, or the client's KDC can't be reached
    > > over the presently connected network), it will drop back to NTLM
    > > (wrapped in SPNEGO tokens). There's really no easy way to guarantee
    > > Kerberos, and, in fact, NTLM is frequently the protocol chosen for
    > > http auth.
    > >
    > > We tried, in the old days, to get rid of NTLM, but that's not possible
    > > w/o service interruptions unless you can *always* get a service ticket
    > > to the server.
    > >
    > > Todd
    > >
    > > persona service Verwaltungs AG & Co. KG, Freisenbergstraße 31 • 58513
    > > Lüdenscheid
    > > Tel.: (02351) 950-0 • Fax: (02351) 950-222; registered office Lüdenscheid •
    > > register court Iserlohn, HRA No. 2930
    > >
    > > Personally liable partner: persona service AG, Gartenstraße
    > > 93 • CH-4002 Basel, Basel commercial register No. CH-270.3.012.836-8,
    > > represented by its board of directors:
    > > Dipl.-Ing. Werner Müller (Chairman) and Dr. Sebastian Burckhardt
    > > www.persona.de

    >
    >
    > --
    > Michael B Allen
    > PHP Active Directory Kerberos SSO
    > http://www.ioplex.com/
    >



    --
    Michael B Allen
    PHP Active Directory Kerberos SSO
    http://www.ioplex.com/
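Todd's explanation above (SPNEGO picks Kerberos when a ticket for the SPN can be had and otherwise falls back to NTLM) and Mike's advice to look at a packet capture come together in one place on the wire: the client's `Authorization: Negotiate` header. The block below is an added example written for this page, not code from the thread, from IE or from the Plexcel product. It decodes the GSS-API initial context token (RFC 2743 section 3.1) and the SPNEGO NegTokenInit inside it (RFC 4178 section 4.2.1) far enough to list the mechanism OIDs the client offered; the first listed mechanism is the one whose token is carried in mechToken, so it is what the client actually tried. The OIDs are the standard ones; the function names are mine, and the three sample headers are constructed by the block itself rather than taken from a real capture.

```python
"""Tell Kerberos from NTLM in an HTTP "Authorization: Negotiate" header.
Added example for this thread (not code from the posts, IE or Plexcel):
decodes the GSS-API initial context token (RFC 2743 3.1) and the SPNEGO
NegTokenInit inside it (RFC 4178 4.2.1) just far enough to list mechTypes."""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
MECH_NAMES = {OID_KRB5: "Kerberos", OID_MS_KRB5: "MS Kerberos", OID_NTLMSSP: "NTLMSSP"}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """DER OID content octets -> dotted notation."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def negotiate_mechs(header_value):
    """Return ("ntlm-raw", []) for a bare NTLMSSP blob, else ("spnego", [oids])."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):  # NTLM sent without any SPNEGO wrapper
        return "ntlm-raw", []
    tag, body, _ = _read_tlv(tok, 0)               # [APPLICATION 0] InitialContextToken
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _read_tlv(body, 0)             # thisMech OID
    if tag != 0x06 or _decode_oid(oid) != OID_SPNEGO:
        raise ValueError("outer mechanism is not SPNEGO")
    _, neg_init, _ = _read_tlv(body, pos)          # [0] NegTokenInit
    _, seq, _ = _read_tlv(neg_init, 0)             # SEQUENCE { [0] mechTypes, ... }
    _, mech_ctx, _ = _read_tlv(seq, 0)             # [0] EXPLICIT tag
    _, mech_seq, _ = _read_tlv(mech_ctx, 0)        # SEQUENCE OF MechType
    oids, pos = [], 0
    while pos < len(mech_seq):
        _, oid, pos = _read_tlv(mech_seq, pos)
        oids.append(_decode_oid(oid))
    return "spnego", oids


def chosen_mechanism(header_value):
    """Name of the mechanism the client actually used on this request: the
    optimistic mechToken belongs to the first mechType (RFC 4178 4.2.1)."""
    kind, oids = negotiate_mechs(header_value)
    if kind == "ntlm-raw":
        return "NTLMSSP"
    return MECH_NAMES.get(oids[0], oids[0]) if oids else "unknown"


# Encoders used only to build the constructed sample headers below.
def _tlv(tag, content):
    """DER-encode tag, length (short or long form) and content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """DER-encode a dotted OID into its content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_negotiate_header(mech_oids, mech_token):
    """SPNEGO NegTokenInit carrying the given mechTypes and an opaque mechToken."""
    mech_types = _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_types) + _tlv(0xA2, _tlv(0x04, mech_token)))
    gss = _tlv(0x60, _tlv(0x06, _encode_oid(OID_SPNEGO)) + _tlv(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(gss).decode("ascii")


# Constructed samples (not from a real capture): a healthy request offering
# Kerberos first, the same client after falling back to NTLM inside SPNEGO,
# and a bare NTLMSSP blob. The mechToken bytes are dummies.
SAMPLE_KERBEROS = build_negotiate_header([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], b"\xaa" * 200)
SAMPLE_NTLM_SPNEGO = build_negotiate_header([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00")
SAMPLE_NTLM_RAW = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)).decode("ascii")
```

Run `chosen_mechanism()` over the `Authorization` header of the request that got the 401 and the one that succeeded after the browser restart; a client that offered `1.3.6.1.4.1.311.2.2.10` first, or sent a bare `NTLMSSP` blob, never had a usable service ticket for the SPN, which is the condition Todd describes, and the capture then needs to show whether the TGS-REQ for `HTTP/someserver` was ever sent and what the KDC answered.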




  15. Re: Question about freeing memory when using krb5_get_credentials

    >>>>> "Markus" == Markus Moeller writes:

    Markus> My capath looks like:
    Markus> [capaths]
    Markus> SUSE.HOME = {
    Markus> XEN.HOME = WINDOWS2003.HOME
    Markus> WINDOWS2003.HOME = .
    Markus> }
    Markus> XEN.HOME = {
    Markus> SUSE.HOME = WINDOWS2003.HOME
    Markus> }
    Markus> WINDOWS2003.HOME = {
    Markus> SUSE.HOME = .
    Markus> }

    I assume that you are attempting to authenticate between two realms
    which are listed in your capaths as directly connected. Please try
    the following patch and let me know if it stops the leak. Basically
    it looks like a pointer is getting overwritten and thereby leaking a
    string allocated by the profile library.

    === src/lib/krb5/krb/walk_rtree.c
    ================================================== ================
    --- src/lib/krb5/krb/walk_rtree.c (revision 20062)
    +++ src/lib/krb5/krb/walk_rtree.c (local)
    @@ -167,6 +167,9 @@
    links++;
    }
    }
    + if (cap_nodes[links] != NULL)
    + krb5_xfree(cap_nodes[links]);
    +
    cap_nodes[links] = cap_server; /* put server on end of list */
    /* this simplifies the code later and make */
    /* cleanup eaiser as well */
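Review bot: the new `if (cap_nodes[links] != NULL)` / `krb5_xfree(cap_nodes[links]);` only prevents the leak if that slot is guaranteed to hold either NULL or an owned pointer when the loop above exits, and nothing in this hunk shows cap_nodes being zero-initialised; please confirm the array is allocated with calloc or cleared before the loop, otherwise the check can pass on an uninitialised value and free a wild pointer. A one-line comment above the new block saying when a stale entry can be present there (the directly-connected realm case described in the reply) would also help, since on its own the free reads like dead code. The reply says the leaked string comes from the profile library; check that it was allocated with the same allocator krb5_xfree releases, or release it through the profile library's own free routine.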




  17. Re: Question about freeing memory when using krb5_get_credentials

    Tom,

    Yes, your fix is solving my issue.

    Thank you
    Markus

    "Tom Yu" wrote in message
    news:ldv1wge2msr.fsf@cathode-dark-space.mit.edu...
    >>>>>> "Markus" == Markus Moeller writes:

    >
    > Markus> My capath looks like:
    > Markus> [capaths]
    > Markus> SUSE.HOME = {
    > Markus> XEN.HOME = WINDOWS2003.HOME
    > Markus> WINDOWS2003.HOME = .
    > Markus> }
    > Markus> XEN.HOME = {
    > Markus> SUSE.HOME = WINDOWS2003.HOME
    > Markus> }
    > Markus> WINDOWS2003.HOME = {
    > Markus> SUSE.HOME = .
    > Markus> }
    >
    > I assume that you are attempting to authenticate between two realms
    > which are listed in your capaths as directly connected. Please try
    > the following patch and let me know if it stops the leak. Basically
    > it looks like a pointer is getting overwritten and thereby leaking a
    > string allocated by the profile library.
    >
    > === src/lib/krb5/krb/walk_rtree.c
    > ================================================== ================
    > --- src/lib/krb5/krb/walk_rtree.c (revision 20062)
    > +++ src/lib/krb5/krb/walk_rtree.c (local)
    > @@ -167,6 +167,9 @@
    > links++;
    > }
    > }
    > + if (cap_nodes[links] != NULL)
    > + krb5_xfree(cap_nodes[links]);
    > +
    > cap_nodes[links] = cap_server; /* put server on end of list */
    > /* this simplifies the code later and make */
    > /* cleanup eaiser as well */
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
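The [capaths] section Markus posted, and Tom's remark about realms that are listed as directly connected, describe the realm walk that krb5_walk_realm_tree() performs before krb5_get_credentials can ask for a cross-realm TGT. The block below is an added example for this page, not MIT krb5 code and not a port of walk_rtree.c: a small Python model of the same rules, which parses the thread's own configuration and returns the chain of realms for a client/server pair. An explicit capaths entry wins, "." means the two realms share a direct cross-realm key, and the hierarchical fallback for pairs with no entry (climb to the common domain suffix, then descend) is my reading of the default rule; the realms ENG.EXAMPLE.COM, SALES.EXAMPLE.COM, LAB.GOV and UNI.EDU used to exercise that fallback are invented.

```python
"""Model of the realm walk that [capaths] configures.
Added example for this thread; it is not MIT krb5's walk_rtree.c, only a
small re-statement of its rules written for this page: an explicit capaths
entry wins, "." means a direct cross-realm key, and without an entry the
path climbs to the realms' common domain suffix and descends again."""

# The [capaths] section posted in the thread, verbatim.
CAPATHS_TEXT = """
[capaths]
SUSE.HOME = {
    XEN.HOME = WINDOWS2003.HOME
    WINDOWS2003.HOME = .
}
XEN.HOME = {
    SUSE.HOME = WINDOWS2003.HOME
}
WINDOWS2003.HOME = {
    SUSE.HOME = .
}
"""


def parse_capaths(text):
    """Parse a [capaths] section into {client: {server: [intermediate realms]}}.
    A "." value records the server with no intermediates (direct path);
    repeated lines for the same server extend the list in order."""
    capaths, client = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        if line.endswith("{"):
            client = line[:-1].rstrip().rstrip("=").strip()
            capaths.setdefault(client, {})
        elif line == "}":
            client = None
        elif "=" in line and client is not None:
            server, hop = (s.strip() for s in line.split("=", 1))
            hops = capaths[client].setdefault(server, [])
            if hop != ".":
                hops.append(hop)
    return capaths


def hierarchical_path(client, server):
    """Default walk with no capaths entry (my model of the rule): climb from the
    client realm to the longest common suffix of the two realm names, then
    descend to the server realm. With no common suffix both top-level realms
    are traversed."""
    c, s = client.split("."), server.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    up = [".".join(c[i:]) for i in range(1, len(c) - common + 1) if c[i:]]
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, 0, -1)]
    path = []
    for realm in [client] + up + down + [server]:
        if not path or path[-1] != realm:  # one realm may be the other's suffix
            path.append(realm)
    return path


def realm_path(capaths, client, server):
    """Ordered list of realms, client first and server last, whose KDCs are
    asked in turn for cross-realm TGTs on the way to the server's realm."""
    if client == server:
        return [client]
    if server in capaths.get(client, {}):
        return [client] + capaths[client][server] + [server]
    return hierarchical_path(client, server)
```

With the thread's configuration, SUSE.HOME to WINDOWS2003.HOME (and the reverse) is a two-entry path, the directly connected case Tom's patch is aimed at, while SUSE.HOME to XEN.HOME goes through WINDOWS2003.HOME. Note that the posted configuration has no WINDOWS2003.HOME to XEN.HOME entry, so that direction would fall back to the hierarchical walk, which for those names is HOME-rooted.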







  19. Re: AW: AW: AW: Some Users get Basic Auth?

    Matthias,

    how long is the user logged in on the machine, and what are the ticket
    lifetime settings in AD? Before you lock and unlock the PC, can you check
    with kerbtray the tickets in the ticket cache? They may be expired, and
    some application (e.g. IE) cannot trigger a ticket renewal, but a lock and
    unlock triggers a ticket renewal.

    Markus

    "Djihangiroff, Matthias (KC-DD)" wrote in message
    news:A4987E8FC1C6CD44805DDE5676EE262E015783DD@w2kmail.konzern.intern...
    Hello,

    I haven't managed to grab a useful packet capture yet.

    But I've noticed something:

    Right after the users get the auth box, they can lock their computer, log in
    again, and the problem is gone?
    They get a new krbtgt ticket, and all is running fine for some time.

    -----Original Message-----
    From: Michael B Allen [mailto:mba2000@ioplex.com]
    Sent: Thursday, 14 June 2007 17:46
    To: Djihangiroff, Matthias (KC-DD)
    Cc: kerberos@mit.edu
    Subject: Re: AW: AW: AW: Some Users get Basic Auth?

    On Thu, 14 Jun 2007 15:19:59 +0200
    "Djihangiroff, Matthias (KC-DD)" wrote:

    > Hello,
    >
    > We have just created a new domain account and voilà, all is running fine.
    > So some kind of setting in the user profile is incorrect, so the auth box
    > popped up.
    >
    > Now we have another problem.
    >
    > SOME users are getting this basic auth box sometimes. IE is running in NTLM
    > mode..
    > If you close IE and open it again with the same URL, all is running
    > fine.
    >
    > What the hell is wrong with this IE thing :-(


    Hi Matthias,

    Honestly the best way to determine what's going on is to get a packet
    capture and do a network analysis. The problem with that is that clients
    cache both positive and negative Kerberos ticket request results so you
    basically have to reboot the client, start the capture, launch IE, try the
    page and if it fails restart the browser and if it then succeeds stop the
    capture. If it doesn't fail or if it doesn't succeed after failing you won't
    have the two conditions you need to compare and you have no choice but to
    reboot the client and repeat.

    But if you do get a capture like that I'll look at it. Can't guarantee I'll
    find anything but I'm always interested in these sorts of failure
    conditions.

    There is a description of getting a capture with netcap.exe in the appendix
    of that document I pointed you to before.

    Also, you might try to get this patch:

    http://support.microsoft.com/kb/885887

    It does sound remotely like what you're seeing and some people have had
    success with it when experiencing unreliable behavior like you're
    describing.

    Mike

    > -----Original Message-----
    > From: Michael B Allen [mailto:mba2000@ioplex.com]
    > Sent: Wednesday, 13 June 2007 08:57
    > To: Djihangiroff, Matthias (KC-DD)
    > Cc: Todd Stecher; kerberos@mit.edu
    > Subject: Re: AW: AW: Some Users get Basic Auth?
    >
    > On Wed, 13 Jun 2007 08:25:51 +0200
    > "Djihangiroff, Matthias (KC-DD)" wrote:
    >
    > > Thanks.
    > >
    > > Then I don't know why IE is switching to NTLM.
    > > It doesn't matter if I type http://someserver or with our domain
    > > http://someserver.konzern.intern (that's also the registered
    > > machine account in the domain).
    > > The auth box pops up every time.
    > >
    > > I think that's some kind of defective Windows profile.
    > > If I log in with MY Windows account, all is running perfectly. If I
    > > log in with a user account, they get the auth box. (Both on the same
    > > machine, the same domain)
    > >
    > > I'm informing our Windows admins and hope they can make some brand
    > > new Windows account for me for testing purposes in that domain.

    >
    > Matthias,
    >
    > On this website:
    >
    > http://www.ioplex.com/support.html
    >
    > You will find a document called the Plexcel Operator's Manual. The
    > document is mostly about our SSO product but of course the protocol is the
    > same so the "Possible Issues" section has information about
    > troubleshooting this sort of thing. In particular look at Issue 3 and
    > Issue 5.
    >
    > Mike
    >
    > > ________________________________
    > >
    > > From: Todd Stecher [mailto:tstecher@qwest.net]
    > > Sent: Wednesday, 13 June 2007 08:18
    > > To: Djihangiroff, Matthias (KC-DD)
    > > Cc: Michael B Allen; kerberos@mit.edu
    > > Subject: Re: AW: Some Users get Basic Auth?
    > >
    > >
    > >
    > > On Jun 12, 2007, at 11:04 PM, Djihangiroff, Matthias (KC-DD) wrote:
    > >
    > >
    > > I've checked the browser settings; Integrated Windows Auth is
    > > checked.
    > >
    > > Where can I configure the browser so that it uses only Kerberos?
    > >
    > > I didn't find any option.
    > >
    > >
    > > You can't. A lot of it depends on the URL you present to IE, which
    > > will in turn dictate what protocol is chosen under SPNEGO.
    > >
    > > When you type "http://someserver", then IE will present the kerberos
    > > package on the client with the service principal name (SPN) of
    > > http/someserver. For kerberos to work, you need a service ticket
    > > matching that SPN. This will only be possible if the web server is
    > > properly registered with a machine account in your client's domain,
    > > or potentially another domain in the forest (assuming you're using AD).
    > >
    > > In some cases, IE will do a reverse lookup and expand the someserver
    > > to http/someserver.domain.com, but the SPN lookup rule still applies.
    > >
    > > If kerberos can't find the SPN (for example if the target server
    > > isn't registered in a trusted domain, or the client's KDC can't be
    > > reached over the presently connected network), it will drop back to
    > > NTLM (wrapped in SPNEGO tokens). There's really no easy way to
    > > guarantee Kerberos, and, in fact, NTLM is frequently the protocol
    > > chosen for http auth.
    > >
    > > We tried, in the old days, to get rid of NTLM, but that's not
    > > possible w/o service interruptions unless you can *always* get a
    > > service ticket to the server.
    > >
    > > Todd
    > >
    > >

    >
    >
    > --
    > Michael B Allen
    > PHP Active Directory Kerberos SSO
    > http://www.ioplex.com/
    >



    --
    Michael B Allen
    PHP Active Directory Kerberos SSO
    http://www.ioplex.com/




