Internet Explorer is using NTLM instead of Kerberos

Internet Explorer is using NTLM instead of Kerberos

eitan-3
Hi,
Not sure if this is the correct place to post this question so I'm
sorry if it's not.

I've created in a test environment the following configuration:
- PC A: Running Windows 2003 as active directory domain controller.
- PC B: Windows XP Pro (that was added to the AD) logged on to the AD.
- PC C: Simply running a sniffer.

Now..
Having read this:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/6291dce1-4ea8-4b4f-a9c1-23926ab6e8dd.mspx

I fixed what was stated in this article (added the AD server to the
correct zone on the XP client, and made sure that the Integrated logon
was checked).
After this setup I was ready to start the browser and post a request
for a simple "Hello world" page on the AD server (and yes, the URL was
constructed with the FQDN of the AD and not its IP).

When the TCP stream was decoded by the sniffer I found that the server
sent a single "Authorization" header to the client stating "Negotiate"
and the client sent NTLM keys (decoded into the "NTLMSSP" string).
No matter what I tried I keep getting those NTLM sessions and no
Kerberos.

Eitan.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Internet Explorer is using NTLM instead of Kerberos

Kent Wu
My experience is that IE has never used Kerberos; it's always been NTLM
even though AD understands both Kerberos and NTLM (through SPNEGO).

Hope this helps.

-Kent

On Thu, 2005-09-15 at 16:49 -0700, Eitan wrote:

> Hi,
> Not sure if this is the correct place to post this question so I'm
> sorry if it's not.
>
> I've created in a test environment the following configuration:
> - PC A: Running Windows 2003 as active directory domain controller.
> - PC B: Windows XP Pro (that was added to the AD) logged on to the AD.
> - PC C: Simply running a sniffer.
>
> Now..
> Having read this:
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/6291dce1-4ea8-4b4f-a9c1-23926ab6e8dd.mspx
>
> I fixed what was stated in this article (added the AD server to the
> correct zone on the XP client, and made sure that the Integrated logon
> was checked).
> After this setup I was ready to start the browser and post a request
> for a simple "Hello world" page on the AD server (and yes, the URL was
> constructed with the FQDN of the AD and not its IP).
>
> When the TCP stream was decoded by the sniffer I found that the server
> sent a single "Authorization" header to the client stating "Negotiate"
> and the client sent NTLM keys (decoded into the "NTLMSSP" string).
> No matter what I tried I keep getting those NTLM sessions and no
> Kerberos.
>
> Eitan.
>
--
Kent Wu <[hidden email]>
XSIGO INC.
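
To check from a capture which mechanism a client actually sent, the base64 token after `Negotiate` can be classified as raw NTLM (it starts with `NTLMSSP`) or as a SPNEGO token listing mechanism OIDs. This is an added example, not part of the original thread; the function names and both sample tokens are constructed for illustration, and the SPNEGO sample carries only the mechTypes list.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2
MECHS = {  # DER-encoded OID contents -> mechanism name
    bytes.fromhex("2a864886f712010202"): "Kerberos",           # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "Kerberos (MS OID)",  # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLM",             # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos):  # one DER element -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def offered_mechs(token):  # mechTypes of a SPNEGO NegTokenInit, in preference order
    tag, body, _ = read_tlv(token, 0)
    oid_tag, oid, pos = read_tlv(body, 0)
    if (tag, oid_tag, oid) != (0x60, 0x06, SPNEGO_OID):
        raise ValueError("not a SPNEGO initial token")
    for expected in (0xA0, 0x30, 0xA0, 0x30):  # [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE
        tag, body, _ = read_tlv(body, pos)
        if tag != expected:
            raise ValueError("unexpected SPNEGO structure")
        pos = 0
    names = []
    while pos < len(body):
        _, oid, pos = read_tlv(body, pos)
        names.append(MECHS.get(oid, "unknown OID " + oid.hex()))
    return names

def classify(header_value):  # value of an HTTP Authorization header
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not a Negotiate token"
    try:
        token = base64.b64decode(b64)
        if token.startswith(NTLMSSP_SIG):
            return "raw NTLM"
        return "SPNEGO offering: " + ", ".join(offered_mechs(token))
    except (ValueError, IndexError):
        return "unrecognized token"

SAMPLE_NTLM = "Negotiate " + base64.b64encode(NTLMSSP_SIG + bytes.fromhex("0100000007820000")).decode()  # constructed
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex(  # constructed, mechTypes only
    "6032 0606 2b0601050502 a028 3026 a024 3022 0609 2a864882f712010202"
    "0609 2a864886f712010202 060a 2b06010401823702020a")).decode()
```

A raw NTLM result means the client skipped SPNEGO altogether; a SPNEGO result shows which mechanisms it offered and in what order.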