Re: AW: AW: Some Users get Basic Auth?
- From: Michael B Allen <mba2000@xxxxxxxxxx>
- Date: Wed, 13 Jun 2007 02:57:20 -0400
On Wed, 13 Jun 2007 08:25:51 +0200
"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff@xxxxxxxxxx> wrote:
Thanks.
Then I don't know why IE is switching to NTLM.
It doesn't matter if I type http://someserver or with our domain
http://someserver.konzern.intern (that's also the registered machine
account in the domain).
The auth box pops up every time.
I think that's some kind of defective Windows profile.
If I log in with MY Windows account, all is running perfectly. If I log in
with a user account, they get the auth box. (Both on the same machine,
the same domain)
I'm informing our Windows admins and hope they can make a brand new
Windows account for me for testing purposes in that domain.
Matthias,
On this website:
http://www.ioplex.com/support.html
You will find a document called the Plexcel Operator's Manual. The
document is mostly about our SSO product but of course the protocol
is the same so the "Possible Issues" section has information about
troubleshooting this sort of thing. In particular look at Issue 3 and
Issue 5.
Mike
________________________________
From: Todd Stecher [mailto:tstecher@xxxxxxxxx]
Sent: Wednesday, 13 June 2007 08:18
To: Djihangiroff, Matthias (KC-DD)
Cc: Michael B Allen; kerberos@xxxxxxx
Subject: Re: AW: Some Users get Basic Auth?
On Jun 12, 2007, at 11:04 PM, Djihangiroff, Matthias (KC-DD) wrote:
I've checked the browser settings, Integrated Windows Auth is
checked.
Where can I configure the browser so that it uses only Kerberos?
I didn't find any option.
You can't. A lot of it depends on the URL you present to IE, which will
in turn dictate what protocol is chosen under SPNEGO.
When you type "http://someserver", then IE will present the Kerberos
package on the client with the service principal name (SPN) of
http/someserver. For Kerberos to work, you need a service ticket
matching that SPN. This will only be possible if the web server is
properly registered with a machine account in your client's domain, or
potentially another domain in the forest (assuming you're using AD).
In some cases, IE will do a reverse lookup and expand the someserver to
http/someserver.domain.com, but the SPN lookup rule still applies.
If Kerberos can't find the SPN (for example if the target server isn't
registered in a trusted domain, or the client's KDC can't be reached
over the presently connected network), it will drop back to NTLM
(wrapped in SPNEGO tokens). There's really no easy way to guarantee
Kerberos, and, in fact, NTLM is frequently the protocol chosen for http
auth.
We tried, in the old days, to get rid of NTLM, but that's not possible
w/o service interruptions unless you can *always* get a service ticket
to the server.
Todd
persona service Verwaltungs AG & Co. KG
Freisenbergstraße 31 · 58513 Lüdenscheid
Tel.: (02351) 950-0 · Fax: (02351) 950-222
Registered office: Lüdenscheid · Register court: Iserlohn, HRA No. 2930
General partner: persona service AG
Gartenstraße 93 · CH-4002 Basel
Commercial register Basel, No. CH-270.3.012.836-8
represented by the board of directors:
Dipl.-Ing. Werner Müller (President) and Dr. Sebastian Burckhardt
www.persona.de
--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
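
Added example, not part of the original thread: a way to see which mechanism the browser actually put in its first `Authorization: Negotiate` header, which is where the Kerberos-to-NTLM fallback described above becomes visible. The function names and the sample headers are constructed for illustration; per RFC 4178 the first entry in the returned list is the mechanism the client's initial token was built for.

```python
import base64

# DER-encoded OID values that can appear in a Negotiate token.
SPNEGO = bytes.fromhex("2b0601050502")            # 1.3.6.1.5.5.2
KRB5 = bytes.fromhex("2a864886f712010202")        # 1.2.840.113554.1.2.2
NTLM = bytes.fromhex("2b06010401823702020a")      # 1.3.6.1.4.1.311.2.2.10
MECHS = {KRB5: "kerberos", NTLM: "ntlm",
         bytes.fromhex("2a864882f712010202"): "kerberos"}  # 1.2.840.48018.1.2.2 (MS variant)

def read_tlv(buf, pos, want):
    """Read one DER element with tag `want`; return (value, next position)."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError("unexpected or missing tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                             # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return buf[pos:pos + length], pos + length

def offered_mechs(header_value):
    """Mechanisms in an initial 'Negotiate <base64>' header value, preferred first."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64)
    if token.startswith(b"NTLMSSP\x00"):          # bare NTLM, no SPNEGO wrapper
        return ["ntlm"]
    gss, _ = read_tlv(token, 0, 0x60)             # GSS-API InitialContextToken
    oid, pos = read_tlv(gss, 0, 0x06)
    if oid != SPNEGO:                             # bare mechanism token, e.g. raw Kerberos
        return [MECHS.get(oid, "unknown")]
    init, _ = read_tlv(gss, pos, 0xA0)            # NegTokenInit
    seq, _ = read_tlv(init, 0, 0x30)
    mech_types, _ = read_tlv(seq, 0, 0xA0)        # [0] mechTypes
    oids, pos = read_tlv(mech_types, 0, 0x30)[0], 0
    mechs = []
    while pos < len(oids):
        oid, pos = read_tlv(oids, pos, 0x06)
        mechs.append(MECHS.get(oid, "unknown"))
    return mechs

def tlv(tag, body):                               # encoder for the constructed samples (short lengths only)
    return bytes([tag, len(body)]) + body

def sample(oids, mech_token):                     # builds a constructed header, not a capture
    mech_list = tlv(0xA0, tlv(0x30, b"".join(tlv(0x06, o) for o in oids)))
    init = tlv(0x30, mech_list + tlv(0xA2, tlv(0x04, mech_token)))
    return "Negotiate " + base64.b64encode(tlv(0x60, tlv(0x06, SPNEGO) + tlv(0xA0, init))).decode()

RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

A result of `["ntlm"]` for the affected user and `["kerberos", "ntlm"]` for a working user on the same machine points at ticket acquisition for that account rather than at the web server.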