Quantcast
Channel: Internet Explorer Web Development forum
Viewing all articles
Browse latest Browse all 3527

IE sending NTLM token instead of Kerberos

$
0
0
According to Microsoft documentation, if you register service principal name correctly and your machine is logged onto domain, then when using IE (6 or later) with Integrated Windows Authentication box enabled and the site you are visiting already part of intranet zone, with automatically log-on setting selected, the browser should be able to send Kerberos token to the web server. We are using Apache tomcat web server, but when the server requests with WWW-Authenticate header to negotiate, apparently, the browser is always sending NTLM token only (i can see token starts with TlRMTVNT)
When Service principles listed, it looks as below:
C:\Program Files\Apache\bin>setspn.exe -L mydesktop
Registered ServicePrincipalNames for CN=mydesktop,CN=Computers,DC=testdomain,DC=loc:
    http/mydesktop.testdomain.loc
    http/mydesktop
    MSSQLSvc/mydesktop.testdomain.loc:1419
    MSSQLSvc/mydesktop.testdomain.loc:SQLINSTANCE1
    MSSQLSvc/mydesktop.testdomain.loc:1433
    MSSQLSvc/mydesktop.testdomain.loc
    HOST/mydesktop
    HOST/mydesktop.testdomain.loc
My Web Server URL will be like this: http://mydesktop.testdomain.loc/myapplication
My operating system is windows 2003 server and my connectivity to testdomain.loc is perfectly fine. 
I even installed Microsoft resource kit tools and used kerbtray.exe to look at the kerberos tokens. I can see in general there are kerberos tokens, but the browser cannot acquire one and pass it on when requesting the web server though.
If someone can help on this and shed some light on what else we need to take care, it would of great help.
Thank you

Viewing all articles
Browse latest Browse all 3527

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>