RE: AW: AW: AW: Some Users get Basic Auth?



Matthias,
We had this exact same issue. The symptoms you described are exactly like ours.
We applied this patch on top of XP SP2. http://support.microsoft.com/kb/906524/en-us
Now this issue is completely gone.

Thanks
Sriram Gopalan

-----Original Message-----
From: kerberos-bounces@xxxxxxx [mailto:kerberos-bounces@xxxxxxx] On Behalf Of Djihangiroff, Matthias (KC-DD)
Sent: Thursday, July 12, 2007 2:37 AM
To: Markus Moeller; kerberos@xxxxxxx
Subject: AW: AW: AW: AW: Some Users get Basic Auth?

They are logged in between 2 and 6 hours.
I've checked the lifetime with kerbtray, and the ticket expires at night (9pm or 10pm).
Lifetime setting in AD is 10 hours, renew until 7 days in the future.

The only ticket cached was the krbtgt ticket of the domain and the ticket for the machine itself.

-----Original Message-----
From: kerberos-bounces@xxxxxxx [mailto:kerberos-bounces@xxxxxxx] On Behalf Of Markus Moeller
Sent: Thursday, 12 July 2007 11:12
To: kerberos@xxxxxxx
Subject: Re: AW: AW: AW: Some Users get Basic Auth?

Matthias,

How long is the user logged in on the machine, and what are the ticket lifetime settings in AD? Before you lock and unlock the PC, can you check with kerbtray the tickets in the ticket cache? They may be expired and some application (e.g. IE) cannot trigger a ticket renewal, but a lock and unlock triggers a ticket renewal.

Markus

"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff@xxxxxxxxxx> wrote in message news:A4987E8FC1C6CD44805DDE5676EE262E015783DD@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

I haven't managed to grab a useful packet capture yet.

But I've noticed something:

Right after the users get the auth box, they can lock their computer, log in again, and the problem is gone?
They get a new krbtgt ticket, and all is running fine for some time.

-----Original Message-----
From: Michael B Allen [mailto:mba2000@xxxxxxxxxx]
Sent: Thursday, 14 June 2007 17:46
To: Djihangiroff, Matthias (KC-DD)
Cc: kerberos@xxxxxxx
Subject: Re: AW: AW: AW: Some Users get Basic Auth?

On Thu, 14 Jun 2007 15:19:59 +0200
"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff@xxxxxxxxxx> wrote:

Hello,

We have just created a new domain account and voila, all is running fine.
So some kind of setting in the user profile is incorrect, so the auth
box popped up.

Now we have another problem.

SOME users are getting this basic auth box sometimes. IE is running in
NTLM mode..
If you close IE and open it again with the same URL, all is
running fine.

What the hell is wrong with this IE thing :-(

Hi Matthias,

Honestly the best way to determine what's going on is to get a packet capture and do a network analysis. The problem with that is that clients cache both positive and negative Kerberos ticket request results, so you basically have to reboot the client, start the capture, launch IE, try the page and if it fails restart the browser and if it then succeeds stop the capture. If it doesn't fail, or if it doesn't succeed after failing, you won't have the two conditions you need to compare and you have no choice but to reboot the client and repeat.

But if you do get a capture like that I'll look at it. Can't guarantee I'll find anything but I'm always interested in these sorts of failure conditions.

There is a description of getting a capture with netcap.exe in the appendix of that document I pointed you to before.

Also, you might try to get this patch:

http://support.microsoft.com/kb/885887

It does sound remotely like what you're seeing and some people have had success with it when experiencing unreliable behavior like you're describing.

Mike

-----Original Message-----
From: Michael B Allen [mailto:mba2000@xxxxxxxxxx]
Sent: Wednesday, 13 June 2007 08:57
To: Djihangiroff, Matthias (KC-DD)
Cc: Todd Stecher; kerberos@xxxxxxx
Subject: Re: AW: AW: Some Users get Basic Auth?

On Wed, 13 Jun 2007 08:25:51 +0200
"Djihangiroff, Matthias (KC-DD)" <Matthias.Djihangiroff@xxxxxxxxxx> wrote:

Thanks.

Then I don't know why IE is switching to NTLM.
It doesn't matter if I type http://someserver or with our domain
http://someserver.konzern.intern (that's also the registered
machine account in the domain).
The auth box pops up every time.

I think that's some kind of defective Windows profile.
If I log in with MY Windows account, all is running perfectly. If I
log in with a user account, they get the auth box. (Both on the same
machine, the same domain.)

I'm informing our Windows admins and hope they can make some brand
new Windows account for me for testing purposes in that domain.

Matthias,

On this website:

http://www.ioplex.com/support.html

You will find a document called the Plexcel Operator's Manual. The
document is mostly about our SSO product but of course the protocol is
the same so the "Possible Issues" section has information about
troubleshooting this sort of thing. In particular look at Issue 3 and
Issue 5.

Mike

________________________________

From: Todd Stecher [mailto:tstecher@xxxxxxxxx]
Sent: Wednesday, 13 June 2007 08:18
To: Djihangiroff, Matthias (KC-DD)
Cc: Michael B Allen; kerberos@xxxxxxx
Subject: Re: AW: Some Users get Basic Auth?

On Jun 12, 2007, at 11:04 PM, Djihangiroff, Matthias (KC-DD) wrote:

I've checked the browser settings, Integrated Windows Auth is
checked.

Where can I configure the browser so that it uses only Kerberos?

I didn't find any option.


You can't. A lot of it depends on the URL you present to IE, which
will in turn dictate what protocol is chosen under SPNEGO.

When you type "http://someserver", then IE will present the kerberos
package on the client with the service principal name (SPN) of
http/someserver. For kerberos to work, you need a service ticket
matching that SPN. This will only be possible if the web server is
properly registered with a machine account in your client's domain,
or potentially another domain in the forest (assuming you're using AD).

In some cases, IE will do a reverse lookup and expand the someserver
to http/someserver.domain.com, but the SPN lookup rule still applies.

If kerberos can't find the SPN (for example if the target server
isn't registered in a trusted domain, or the client's KDC can't be
reached over the presently connected network), it will drop back to
NTLM (wrapped in SPNEGO tokens). There's really no easy way to
guarantee Kerberos, and, in fact, NTLM is frequently the protocol
chosen for http auth.

We tried, in the old days to get rid of NTLM, but that's not
possible w/o service interruptions unless you can *always* get a
service ticket to the server.

Todd
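The negotiation Todd describes, modelled as an added example that is not part of this thread (constructed data: REGISTERED_SPNS, DNS_SUFFIX and the lock_unlock renewal model are assumptions). Given a URL it derives the HTTP/<host> SPN, checks the ticket cache for a live TGT or service ticket, and falls back to NTLM when the SPN is unregistered, the KDC is unreachable, or the TGT has expired without anything renewing it, which is the lock/unlock observation from earlier in the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed stand-ins (assumptions, not real directory data): the HTTP SPNs
# registered on machine accounts in a trusted domain, and the DNS suffix IE
# appends when it expands a short host name to an FQDN.
REGISTERED_SPNS = {"HTTP/someserver.konzern.intern"}
DNS_SUFFIX = "konzern.intern"
TICKET_LIFETIME = timedelta(hours=10)  # the 10-hour AD lifetime quoted in the thread


@dataclass
class Ticket:
    spn: str            # "krbtgt/REALM" for the TGT, "HTTP/host" for a service ticket
    expires: datetime
    renew_until: datetime


def spn_for_url(url: str) -> str:
    """SPN the client asks for: HTTP/<host>, short names expanded to an FQDN."""
    host = (urlparse(url).hostname or "").lower()
    if "." not in host:
        host = f"{host}.{DNS_SUFFIX}"
    return f"HTTP/{host}"


def choose_mechanism(url, cache, now, kdc_reachable=True):
    """Return (mechanism, reason) for the SPNEGO choice IE would end up with."""
    spn = spn_for_url(url)
    # 1. A still-valid cached service ticket for this SPN means Kerberos, no KDC needed.
    if any(t.spn == spn and t.expires > now for t in cache):
        return "Kerberos", f"cached service ticket for {spn}"
    # 2. Otherwise a TGS-REQ needs a live TGT and a reachable KDC.
    tgt = next((t for t in cache if t.spn.startswith("krbtgt/")), None)
    if tgt is None or tgt.expires <= now:
        return "NTLM", "TGT missing or expired and nothing triggered a renewal"
    if not kdc_reachable:
        return "NTLM", "KDC unreachable on the current network"
    # 3. The KDC can only issue a ticket for an SPN that exists on an account.
    if spn not in REGISTERED_SPNS:
        return "NTLM", f"{spn} is not registered on any machine account"
    return "Kerberos", f"TGS-REQ for {spn} would succeed"


def lock_unlock(cache, now):
    """Model the thread's observation: an interactive unlock renews expired tickets still inside their renew-until window."""
    return [
        Ticket(t.spn, min(now + TICKET_LIFETIME, t.renew_until), t.renew_until)
        if t.expires <= now < t.renew_until else t
        for t in cache
    ]
```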



--
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/




________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos


