windows browsers send ntlm instead of kerberos tokens


windows browsers send ntlm instead of kerberos tokens

Julien ALLANOS
Hello,

I'm experiencing a strange thing again. I have a Windows 2003 server with
apache2 + mod_spnego + kfw-2.6.5. This is the only box on the domain. When I
login as a simple user and type klist at the command prompt, I can see that I have
no TGT. From what I've understood about KRB5, a TGT should have been granted at
user login, and thus should be visible with klist.

Accessing the web server using a well configured Internet Explorer or Firefox, I
can see the browsers are sending NTLM (beginning with NTLMSSP) instead of
Kerberos tokens, in response to the Negotiate authentication the server is
asking for.

With kinit -5, I can get a TGT without a problem, as well as with Leash. But
launching the browsers again after that, and requesting the web server URL
again, leads to a failure.

As I don't want to use NTLM but Kerberos5 and I don't really understand what is
going on, I'm asking for help here. Isn't my client session configured to
ask for a TGT at login? Can't it find the KDC? Is it failing because the client
session is opened on the same box as the KDC?

Thanks for any help.
--
Julien ALLANOS
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
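The observation in the post above, a base64 blob that decodes to bytes beginning with NTLMSSP, is the fastest way to tell whether a "Negotiate" response actually carries Kerberos. The Python below is an added example and is not code from the thread or from mod_spnego; it hand-assembles constructed sample tokens (an NTLM Type 1 message, a SPNEGO NegTokenInit offering only NTLM, and one offering Kerberos first, whose AP-REQ payload is a placeholder rather than a real ticket) and then decodes an Authorization header to report which mechanism the client really sent. All function and constant names are this example's own.

```python
import base64

# Mechanism OIDs as they appear inside GSS-API / SPNEGO tokens.
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = (KRB5_OID, MS_KRB5_OID)

def der_length(n):  # short form below 128, long form otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + der_length(len(payload)) + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, high bit set on every octet but the last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, body)

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf, pos=0):  # (tag, payload, next_pos) of the DER element at buf[pos]
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, payload, pos = read_tlv(buf, pos)
        yield tag, payload

def gss_initial_token(mech_oid, inner):  # RFC 2743 InitialContextToken
    return tlv(0x60, encode_oid(mech_oid) + inner)

def spnego_init(mech_oids, mech_token):  # RFC 4178 NegTokenInit
    mech_types = tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    seq = tlv(0x30, tlv(0xA0, mech_types) + tlv(0xA2, tlv(0x04, mech_token)))
    return gss_initial_token(SPNEGO_OID, tlv(0xA0, seq))

# Constructed samples; nothing here was captured from the setup in the thread.
NTLM_TYPE1 = (b"NTLMSSP\x00" + (1).to_bytes(4, "little")           # signature, type 1 NEGOTIATE
              + (0xE2088297).to_bytes(4, "little") + b"\x00" * 16)  # flags, empty name fields

def negotiate_header(token):
    return "Negotiate " + base64.b64encode(token).decode()

SAMPLE_RAW_NTLM = negotiate_header(NTLM_TYPE1)
SAMPLE_SPNEGO_NTLM = negotiate_header(spnego_init([NTLMSSP_OID], NTLM_TYPE1))
SAMPLE_SPNEGO_KRB = negotiate_header(
    spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"<AP-REQ placeholder>"))  # not a ticket

def classify_negotiate(header_value):
    """Say what an 'Authorization: Negotiate <base64>' header really carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        raise ValueError("not a Negotiate/NTLM Authorization header")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):   # bare NTLM, the case described in the thread
        return {"kind": "ntlm-raw", "mechs": [NTLMSSP_OID], "inner_is_ntlm": True}
    if not raw or raw[0] != 0x60:
        return {"kind": "unknown", "mechs": [], "inner_is_ntlm": False}
    _, body, _ = read_tlv(raw)
    _, oid_body, pos = read_tlv(body)
    mech = decode_oid(oid_body)
    if mech in KERBEROS_MECHS:            # raw Kerberos without a SPNEGO wrapper
        return {"kind": "kerberos", "mechs": [mech], "inner_is_ntlm": False}
    if mech != SPNEGO_OID or body[pos:pos + 1] != b"\xa0":  # only NegTokenInit is decoded
        return {"kind": "unknown", "mechs": [mech], "inner_is_ntlm": False}
    _, seq, _ = read_tlv(read_tlv(body, pos)[1])   # [0] CHOICE -> SEQUENCE
    mechs, inner = [], b""  # RFC 4178: the mechToken belongs to the first listed mechType
    for tag, val in iter_tlvs(seq):
        if tag == 0xA0:                   # mechTypes: SEQUENCE OF OID
            mechs += [decode_oid(v) for _, v in iter_tlvs(read_tlv(val)[1])]
        elif tag == 0xA2:                 # mechToken: OCTET STRING
            inner = read_tlv(val)[1]
    kind = ("spnego-kerberos" if mechs and mechs[0] in KERBEROS_MECHS
            else "spnego-ntlm" if mechs and mechs[0] == NTLMSSP_OID else "spnego-other")
    return {"kind": kind, "mechs": mechs, "inner_is_ntlm": inner.startswith(b"NTLMSSP\x00")}
```

Feed it the Authorization header value as Ethereal shows it in the HTTP dissection (or as logged by a LogFormat that records `%{Authorization}i`, if you choose to log it). A result of "ntlm-raw" or "spnego-ntlm" means the client never had, or never tried to get, a service ticket; "spnego-kerberos" with the server still failing points at the server side (keytab, SPN) instead.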

Re: windows browsers send ntlm instead of kerberos tokens

Jeffrey Altman-3
Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
support.   If you want them to have Kerberos credentials, Windows must
obtain them for you when you login to Windows using an Active Directory
account.

Jeffrey Altman


Julien ALLANOS wrote:

> Hello,
>
> I'm experiencing a strange thing again. I have a Windows 2003 server with
> apache2 + mod_spnego + kfw-2.6.5. This is the only box on the domain. When I
> login as a simple user and type klist at the command prompt, I can't see I have
> no TGT. From what I've understood about KRB5, a TGT should have been granted at
> user login, and thus should be visible with klist.
>
> Accessing the web server using a well configured Internet Explorer or Firefox, I
> can see the browsers are sending NTLM (beginning with NTLMSSP) instead of
> Kerberos tokens, in response to the Negotiate authentication the server is
> asking for.
>
> With kinit -5, I can get a TGT without a problem, as well as with Leash. But
> launching the browsers again after that, and requesting the web server URL
> again, leads to a failure.
>
> As I don't want to use NTLM but Kerberos5 and I don't really understand what is
> going on, I'm asking for help here. Is my client session isn't configured to
> ask for a TGT at login? Can't it find the KDC? Is it failing because client
> session is opened on the same box as the KDC?
>
> Thanks for any help.

--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

Re: windows browsers send ntlm instead of kerberos tokens

Julien ALLANOS
Quoting Jeffrey Altman <[hidden email]>:

> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
> support.   If you want them to have Kerberos credentials, Windows must
> obtain them for you when you login to Windows using an Active Directory
> account.
>
> Jeffrey Altman

OK, but how can I be certain that Windows did really obtain the Kerberos
credentials at login, that FF or IE might be able to use after?
--
Julien ALLANOS

Re: windows browsers send ntlm instead of kerberos tokens

Jeffrey Altman-3
Julien ALLANOS wrote:

> Quoting Jeffrey Altman <[hidden email]>:
>
>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>> support.   If you want them to have Kerberos credentials, Windows must
>> obtain them for you when you login to Windows using an Active Directory
>> account.
>>
>> Jeffrey Altman
>
>
> OK, but how can I be certain that Windows did really obtain the Kerberos
> credentials at login, that FF or IE might be able to use after?

Since you have MIT KFW installed you can list the contents of the
MSLSA ccache with

        klist -c MSLSA:

Otherwise, you can install one of the Microsoft tools such as
kerbtray.exe that are available from the Microsoft download web site.

Jeffrey Altman

--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu

Re: windows browsers send ntlm instead of kerberos tokens

Julien ALLANOS
Quoting Jeffrey Altman <[hidden email]>:

> Julien ALLANOS wrote:
>
>> Quoting Jeffrey Altman <[hidden email]>:
>>
>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>> support.   If you want them to have Kerberos credentials, Windows must
>>> obtain them for you when you login to Windows using an Active Directory
>>> account.
>>>
>>> Jeffrey Altman
>>
>>
>> OK, but how can I be certain that Windows did really obtain the Kerberos
>> credentials at login, that FF or IE might be able to use after?
>
> Since you have MIT KFW installed you can list the contents of the
> MSLSA ccache with
>
> klist -c MSLSA:
>
> Otherwise, you can install one of the Microsoft tools such as
> kerbtray.exe that are available from the Microsoft download web site.
>

Thanks.

Both klist -c MSLSA: and kerbtray tell me that the following tickets are given
to me at login (verified by purging, logout and login again):

* krbtgt/[hidden email]
* ldap/host.my.domain.tld/[hidden email]
* host/[hidden email]

However, IE or FF are still sending NTLM tickets. Any clue?
--
Julien ALLANOS

Re: windows browsers send ntlm instead of kerberos tokens

Markus Moeller
Have you created a HTTP/server principal and configured IE with integrated
windows authentication and FF as follows ?

select URL about:config
in the filter write nego
You should see two entries; double click on them and add the domains for
which you want to use SPNEGO, e.g. test.com

I hope these are not too basic questions.

Regards
Markus

"Julien ALLANOS" <[hidden email]> wrote in message
news:[hidden email]...

> Quoting Jeffrey Altman <[hidden email]>:
>
>> Julien ALLANOS wrote:
>>
>>> Quoting Jeffrey Altman <[hidden email]>:
>>>
>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>> support.   If you want them to have Kerberos credentials, Windows must
>>>> obtain them for you when you login to Windows using an Active Directory
>>>> account.
>>>>
>>>> Jeffrey Altman
>>>
>>>
>>> OK, but how can I be certain that Windows did really obtain the Kerberos
>>> credentials at login, that FF or IE might be able to use after?
>>
>> Since you have MIT KFW installed you can list the contents of the
>> MSLSA ccache with
>>
>> klist -c MSLSA:
>>
>> Otherwise, you can install one of the Microsoft tools such as
>> kerbtray.exe that are available from the Microsoft download web site.
>>
>
> Thanks.
>
> Both klist -c MSLSA: and kerbtray tell me that the following tickets are
> given
> to me at login (verified by purging, logout and login again):
>
> * krbtgt/[hidden email]
> * ldap/host.my.domain.tld/[hidden email]
> * host/[hidden email]
>
> However, IE or FF are still sending NTLM tickets. Any clue?
> --
> Julien ALLANOS
>




Re: windows browsers send ntlm instead of kerberos tokens

Markus Moeller
In reply to this post by Julien ALLANOS
Also can you do a kinit -k -t keytab HTTP/server successfully ?

Markus


"Julien ALLANOS" <[hidden email]> wrote in message
news:[hidden email]...

> Quoting Jeffrey Altman <[hidden email]>:
>
>> Julien ALLANOS wrote:
>>
>>> Quoting Jeffrey Altman <[hidden email]>:
>>>
>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>> support.   If you want them to have Kerberos credentials, Windows must
>>>> obtain them for you when you login to Windows using an Active Directory
>>>> account.
>>>>
>>>> Jeffrey Altman
>>>
>>>
>>> OK, but how can I be certain that Windows did really obtain the Kerberos
>>> credentials at login, that FF or IE might be able to use after?
>>
>> Since you have MIT KFW installed you can list the contents of the
>> MSLSA ccache with
>>
>> klist -c MSLSA:
>>
>> Otherwise, you can install one of the Microsoft tools such as
>> kerbtray.exe that are available from the Microsoft download web site.
>>
>
> Thanks.
>
> Both klist -c MSLSA: and kerbtray tell me that the following tickets are
> given
> to me at login (verified by purging, logout and login again):
>
> * krbtgt/[hidden email]
> * ldap/host.my.domain.tld/[hidden email]
> * host/[hidden email]
>
> However, IE or FF are still sending NTLM tickets. Any clue?
> --
> Julien ALLANOS
>




Kerberos support in Firefox/Thunderbird (was Re: windows browsers send ntlm instead of kerberos tokens)

Simon Wilkinson
In reply to this post by Jeffrey Altman-3
Jeffrey Altman wrote:
> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
> support.

Just because this comment reminded me...

As of this week, Firefox and Thunderbird nightly builds (and the
eventual 1.5 release) support using either SSPI or KFW, according to the
value of the hidden preference network.auth.use-sspi

Thunderbird also now has support for Kerberos authentication with the
POP3, IMAP and SMTP protocols.

Cheers,

Simon.


RE: windows browsers send ntlm instead of kerberos tokens

Jonathan Stephens
In reply to this post by Julien ALLANOS
I can't speak for FireFox, but IE will not use Kerberos for
authentication if the site is in the Internet zone.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/6291dce1-4ea8-4b4f-a9c1-23926ab6e8dd.mspx

The second common cause is that Internet Explorer 6.0 is attempting to
access a site located in the Internet zone. Internet zone sites are
prevented from using Integrated Windows authentication because these
protocols do not typically work through Web proxies, among other
reasons. If a site is located in the Internet zone, Internet Explorer
6.0 does not attempt to use Kerberos authentication, and automatically
tries NTLM. In all versions of Internet Explorer, when accessing a Web
site to which you want to use Kerberos authentication, you must verify
that the Web site appears as being in the local intranet zone. An icon
in the lower right corner of the Internet Explorer window indicates what
zone a Web site is in. It displays "Internet" for the Internet zone and
"Local Intranet" for the intranet zone. If the Web site appears as being
in the Internet zone, you must manually add the site to the local
intranet sites list.


Jonathan Stephens [MS]
--
This posting is provided "AS IS" with no warranties, and confers no
rights.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Markus Moeller
Sent: Friday, August 26, 2005 1:26 PM
To: [hidden email]
Subject: Re: windows browsers send ntlm instead of kerberos tokens

Also can you do a kinit -k -t keytab HTTP/server successfully ?

Markus


"Julien ALLANOS" <[hidden email]> wrote in message
news:[hidden email]...
> Quoting Jeffrey Altman <[hidden email]>:
>
>> Julien ALLANOS wrote:
>>
>>> Quoting Jeffrey Altman <[hidden email]>:
>>>
>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>> support.   If you want them to have Kerberos credentials, Windows must
>>>> obtain them for you when you login to Windows using an Active
>>>> Directory account.
>>>>
>>>> Jeffrey Altman
>>>
>>>
>>> OK, but how can I be certain that Windows did really obtain the
>>> Kerberos credentials at login, that FF or IE might be able to use
>>> after?

>>
>> Since you have MIT KFW installed you can list the contents of the
>> MSLSA ccache with
>>
>> klist -c MSLSA:
>>
>> Otherwise, you can install one of the Microsoft tools such as
>> kerbtray.exe that are available from the Microsoft download web site.
>>
>
> Thanks.
>
> Both klist -c MSLSA: and kerbtray tell me that the following tickets
> are given to me at login (verified by purging, logout and login
> again):
>
> * krbtgt/[hidden email]
> * ldap/host.my.domain.tld/[hidden email]
> * host/[hidden email]
>
> However, IE or FF are still sending NTLM tickets. Any clue?
> --
> Julien ALLANOS
>




Re: windows browsers send ntlm instead of kerberos tokens

Vadim-8
In reply to this post by Julien ALLANOS
Probably silly question ... Have you enabled "windows integrated
authentication" in IE? Is your http server in the "trusted zone"?

best regards, vadim tarassov.

On Fri, 2005-08-26 at 17:23 +0200, Julien ALLANOS wrote:

> Quoting Jeffrey Altman <[hidden email]>:
>
> > Julien ALLANOS wrote:
> >
> >> Quoting Jeffrey Altman <[hidden email]>:
> >>
> >>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
> >>> support.   If you want them to have Kerberos credentials, Windows must
> >>> obtain them for you when you login to Windows using an Active Directory
> >>> account.
> >>>
> >>> Jeffrey Altman
> >>
> >>
> >> OK, but how can I be certain that Windows did really obtain the Kerberos
> >> credentials at login, that FF or IE might be able to use after?
> >
> > Since you have MIT KFW installed you can list the contents of the
> > MSLSA ccache with
> >
> > klist -c MSLSA:
> >
> > Otherwise, you can install one of the Microsoft tools such as
> > kerbtray.exe that are available from the Microsoft download web site.
> >
>
> Thanks.
>
> Both klist -c MSLSA: and kerbtray tell me that the following tickets are given
> to me at login (verified by purging, logout and login again):
>
> * krbtgt/[hidden email]
> * ldap/host.my.domain.tld/[hidden email]
> * host/[hidden email]
>
> However, IE or FF are still sending NTLM tickets. Any clue?
--
vadim <[hidden email]>


Re: windows browsers send ntlm instead of kerberos tokens

Julien ALLANOS
In reply to this post by Markus Moeller
Quoting Markus Moeller <[hidden email]>:

> Also can you do a kinit -k -t keytab HTTP/server successfully ?
>
> Markus
>
>
> "Julien ALLANOS" <[hidden email]> wrote in message
> news:[hidden email]...
>> Quoting Jeffrey Altman <[hidden email]>:
>>
>>> Julien ALLANOS wrote:
>>>
>>>> Quoting Jeffrey Altman <[hidden email]>:
>>>>
>>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>>> support.   If you want them to have Kerberos credentials, Windows must
>>>>> obtain them for you when you login to Windows using an Active Directory
>>>>> account.
>>>>>
>>>>> Jeffrey Altman
>>>>
>>>>
>>>> OK, but how can I be certain that Windows did really obtain the Kerberos
>>>> credentials at login, that FF or IE might be able to use after?
>>>
>>> Since you have MIT KFW installed you can list the contents of the
>>> MSLSA ccache with
>>>
>>> klist -c MSLSA:
>>>
>>> Otherwise, you can install one of the Microsoft tools such as
>>> kerbtray.exe that are available from the Microsoft download web site.
>>>
>>
>> Thanks.
>>
>> Both klist -c MSLSA: and kerbtray tell me that the following tickets are
>> given
>> to me at login (verified by purging, logout and login again):
>>
>> * krbtgt/[hidden email]
>> * ldap/host.my.domain.tld/[hidden email]
>> * host/[hidden email]
>>
>> However, IE or FF are still sending NTLM tickets. Any clue?

OK guys, thanks for your answers.

Yes, my browsers are correctly configured.

Actually it might be a hostname issue: the domain is my.domain.tld, my
webserver/AD/KDC is host.my.domain.tld and has a CNAME for my.domain.tld. I
also want to access the webserver via http://my.domain.tld/. The keytab was
generated for the HTTP/[hidden email] principal, that's why:

  kinit -5 -k -t keytab HTTP/[hidden email]

works, but not:

  kinit -5 -k -t keytab HTTP/[hidden email]

The strange thing is that I've added another box to the domain, added both
hostnames to FF's auto nego parameters and tried to access both URLs from this
new box, but I get the same thing (an NTLM token is sent), and ethereal doesn't
show any traffic on TCP port 88.

Any help please?
--
Julien ALLANOS

Re: windows browsers send ntlm instead of kerberos tokens

Wyllys Ingersoll
In reply to this post by Julien ALLANOS

By default, Firefox will only perform GSSAPI (negotiate-auth) authentication
when the protocol is 'https://'.

Check the "network.negotiate-auth.delegation-uris" and
"network.negotiate-auth.trusted-uris" parameters (under "about:config") and
make sure that you allow "http://" as well as "https://" if you are
accessing
non-SSL protected sites.

network.negotiate-auth.delegation-uris = "https://,http://"
network.negotiate-auth.trusted-uris = "https://,http://"

-Wyllys


Julien ALLANOS wrote:

> Quoting Jeffrey Altman <[hidden email]>:
>
>> Julien ALLANOS wrote:
>>
>>> Quoting Jeffrey Altman <[hidden email]>:
>>>
>>>> Neither Internet Explorer nor FireFox 1.0 use KFW for their Kerberos
>>>> support.   If you want them to have Kerberos credentials, Windows must
>>>> obtain them for you when you login to Windows using an Active
>>>> Directory
>>>> account.
>>>>
>>>> Jeffrey Altman
>>>
>>>
>>>
>>> OK, but how can I be certain that Windows did really obtain the
>>> Kerberos
>>> credentials at login, that FF or IE might be able to use after?
>>
>>
>> Since you have MIT KFW installed you can list the contents of the
>> MSLSA ccache with
>>
>>     klist -c MSLSA:
>>
>> Otherwise, you can install one of the Microsoft tools such as
>> kerbtray.exe that are available from the Microsoft download web site.
>>


Re: windows browsers send ntlm instead of kerberos tokens

Jeffrey Hutzelman


On Monday, August 29, 2005 10:28:35 -0400 Wyllys Ingersoll
<[hidden email]> wrote:

>
> By default, Firefox will only perform GSSAPI (negotiate-auth)
> authentication
> when the protocol is 'https://'.
>
> Check the "network.negotiate-auth.delegation-uris" and
> "network.negotiate-auth.trusted-uris" parameters (under "about:config")
> and
> make sure that you allow "http://" as well as "https://" if you are
> accessing
> non-SSL protected sites.
>
> network.negotiate-auth.delegation-uris = "https://,http://"
> network.negotiate-auth.trusted-uris = "https://,http://"

Aaaa!  No!  Don't do this unless you _absolutely_ need this ability.

Running HTTP negotiate over a plaintext connection is _not secure_.  It
provides no integrity protection and is subject to a relatively easy
man-in-the-middle attack.


If the problem is indeed that the connection is not using SSL, the correct
solution is to change that service to use SSL.

If you absolutely must use HTTP negotiate with a service that is not using
SSL and which you do not control, then turning on negotiate support for
non-SSL connections may be your only choice.

-- Jeffrey T. Hutzelman (N3NHS) <[hidden email]>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA


Re: windows browsers send ntlm instead of kerberos tokens

Wyllys Ingersoll
Jeffrey Hutzelman wrote:

>>
>> By default, Firefox will only perform GSSAPI (negotiate-auth)
>> authentication
>> when the protocol is 'https://'.
>>
>> Check the "network.negotiate-auth.delegation-uris" and
>> "network.negotiate-auth.trusted-uris" parameters (under "about:config")
>> and
>> make sure that you allow "http://" as well as "https://" if you are
>> accessing
>> non-SSL protected sites.
>>
>> network.negotiate-auth.delegation-uris = "https://,http://"
>> network.negotiate-auth.trusted-uris = "https://,http://"
>
>
> Aaaa!  No!  Don't do this unless you _absolutely_ need this ability.
>
> Running HTTP negotiate over a plaintext connection is _not secure_.  
> It provides no integrity protection and is subject to a relatively
> easy man-in-the-middle attack.


I totally agree with Jeff, that is why SSL is the default setting for
Firefox.  I was just pointing
out one possible reason why the test was not working for the original
poster.

-Wyllys


Re: windows browsers send ntlm instead of kerberos tokens

Julien ALLANOS
In reply to this post by Julien ALLANOS
Quoting Markus <[hidden email]>:

> Julien,
>
> as far as I am aware you can not use cnames. Normally the
> client/server uses a call to gss_import_name which canonicalises the
> hostname from the cname to the A record. If you capture the traffic
> on port 88 on the client you should see a TGS-REQ for
> HTTP/host.my.domain.tld although your URL was http://my.domain.tld.
>
> Regards
> Markus
>

As I've already said before, I see no traffic between the client and
the server (port 88). The client immediately sends an NTLM token.

If I could make Kerberos working, do you think a keytab with
HTTP/[hidden email] would be enough?
--
Julien ALLANOS
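Markus's point quoted in the post above is that a canonicalising gss_import_name() turns the URL host into the A-record owner before building the SPN, so a client opening http://my.domain.tld asks the KDC for HTTP/host.my.domain.tld, and the keytab has to hold whatever name the client ends up with. The Python below is an added example, not code from the thread or from any Kerberos library: it models that canonicalisation against a small constructed DNS table using the names from the thread (the realm name MY.DOMAIN.TLD, the 192.0.2.10 address and the keytab contents are assumptions), and reports which SPNs a keytab is missing for a set of URLs, with and without CNAME canonicalisation. Which of the two behaviours a given client shows depends on its version and its krb5 configuration (MIT's dns_canonicalize_hostname, for instance), so check a port 88 capture rather than assume; and when, as in the thread, no TGS-REQ appears at all, the client never got this far and the browser-side settings discussed earlier are the place to look.

```python
from urllib.parse import urlparse

# Constructed DNS data mirroring the names in the thread; the address is a documentation IP.
DNS = {
    "my.domain.tld": ("CNAME", "host.my.domain.tld"),
    "host.my.domain.tld": ("A", "192.0.2.10"),
}
REALM = "MY.DOMAIN.TLD"   # assumed realm name; the thread does not state it


def canonicalize_host(host, dns, max_hops=8):
    """Follow CNAMEs to the A-record owner name, the way a canonicalising
    gss_import_name() does before it builds the service principal name."""
    name = host.lower().rstrip(".")
    seen = set()
    for _ in range(max_hops):
        record = dns.get(name)
        if record is None:
            raise LookupError("no record for " + name)
        rtype, target = record
        if rtype != "CNAME":
            return name
        if name in seen:
            raise LookupError("CNAME loop at " + name)
        seen.add(name)
        name = target.lower().rstrip(".")
    raise LookupError("CNAME chain longer than %d hops" % max_hops)


def http_spn(url, dns, realm, canonicalize=True):
    """SPN the client will request a service ticket for when it opens url."""
    host = urlparse(url).hostname
    if host is None:
        raise ValueError("URL has no host: " + url)
    if canonicalize:
        host = canonicalize_host(host, dns)
    return "HTTP/%s@%s" % (host, realm)


def keytab_gap(urls, keytab_principals, dns, realm, canonicalize=True):
    """SPNs the clients will ask the KDC for that the server's keytab cannot decrypt."""
    needed = {http_spn(u, dns, realm, canonicalize) for u in urls}
    return sorted(needed - set(keytab_principals))


KEYTAB = ["HTTP/host.my.domain.tld@MY.DOMAIN.TLD"]   # assumed: the principal kinit -k succeeds with
URLS = ["http://my.domain.tld/", "http://host.my.domain.tld/"]

if __name__ == "__main__":
    print(keytab_gap(URLS, KEYTAB, DNS, REALM))                      # canonicalising client: nothing missing
    print(keytab_gap(URLS, KEYTAB, DNS, REALM, canonicalize=False))  # literal-host client: needs HTTP/my.domain.tld
```

The safe answer on the server side is to cover both cases: a keytab entry for the canonical name and one for the CNAME, each mapped to the same service account in AD, so the ticket decrypts whichever SPN the client chose.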

Re: windows browsers send ntlm instead of kerberos tokens

Markus Moeller
In reply to this post by Julien ALLANOS
Julien,

I think creating a keytab with HTTP/[hidden email] should be
enough.

Regards
Markus

Julien ALLANOS wrote:

>
> Quoting Markus <[hidden email]>:
>
>> Julien,
>>
>> as far as I am aware you can not use cnames. Normally the
>> client/server uses a call to gss_import_name which canonicalises the
>> hostname from the cname to the A record. If you capture the traffic on
>> port 88 on the client you should see a TGS-REQ for
>> HTTP/host.my.domain.tld although your URL was http://my.domain.tld.
>>
>> Regards
>> Markus
>>
>
> As I've already said before, I see no traffic between the client and the
> server
> (port 88). The client immediately send a NTLM token.
>
> If I could make Kerberos working, do you think a keytab with
> HTTP/[hidden email] would be enough?

