"Nikolaos Milas" <nmilas@xxxxxx> wrote in message
news:4E7C2DE5.8000104@xxxxxx...
On 23/9/2011 12:41, Markus Moeller wrote:
A bit. Your Kerberos setup seems not to work as the client tries to use
NTLM instead.
Thanks Markus,
I used Wireshark. I opened IE and requested site www.example.com:
HTTP GET http://www.example.com/ HTTP/1.1
and saw that the browser, after:
HTTP HTTP/1.0 407 Proxy Authentication Required (text/html)
sends a query to the DNS Server:
Standard query SRV _kerberos._tcp.dc._msdcs.EXAMPLE.COM
and the DNS Server replies:
DNS Standard query response, No such name
and then we have three tries with :
NBNS Name query NB EXAMPLE.COM<1c>
and finally it obviously switches to NTLM/Negotiate:
HTTP GET http://www.example.com/ HTTP/1.1 , NTLMSSP_NEGOTIATE
So, the glitch seems to be the DNS query stage. How do we handle this?
This is an incomplete Active Directory setup (or Kerberos if you don't use
AD). If you set up a Windows 2003 or 2008 server as a domain controller it
will ask you if you want to set up DNS too. If you say yes MS will create DNS
entries for Kerberos services automatically. If you don't you have to do it
on your DNS server manually.
You need entries for:
port 88
SRV _kerberos._udp.dc._msdcs.EXAMPLE.COM
SRV _kerberos._tcp.dc._msdcs.EXAMPLE.COM
port 464
SRV _kpasswd._tcp.dc._msdcs.EXAMPLE.COM
SRV _kpasswd._tcp.dc._msdcs.EXAMPLE.COM
and some more. See http://technet.microsoft.com/en-us/library/cc961719.aspx,
http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx,
http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Hostnames-for-KDCs
or http://tools.ietf.org/html/draft-ietf-krb-wg-krb-dns-locate-03
Which points do you miss, so I can update the wiki?
I plan to document my setup, and I will send you details when things
finally work!
Thanks,
Nick
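Added example, not code from the thread: a standard-library-only Python check that sends the same SRV queries the Windows client sent in the Wireshark trace, for the records Markus lists, and reports which ones the resolver answers with NXDOMAIN (the "No such name" reply that pushed the client onto NTLM). It assumes the resolver is reachable at 127.0.0.1 and that the duplicated _kpasswd._tcp line in the list was meant as _kpasswd._udp; the DNS encoder and parser handle any SRV record, not just these four.

```python
import socket
import struct
# Added example, not the thread's code; KDC on 88, kpasswd on 464. Its
# duplicated _kpasswd._tcp line is assumed to have been meant as _udp.
REQUIRED_SRV = ("_kerberos._udp.dc._msdcs.{r}", "_kerberos._tcp.dc._msdcs.{r}",
                "_kpasswd._udp.dc._msdcs.{r}", "_kpasswd._tcp.dc._msdcs.{r}")

def encode_name(name):  # wire format: length-prefixed labels, 0 terminator
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode() for p in parts) + b"\x00"

def build_query(name, txid=0x1234):  # recursive query, QTYPE SRV=33, class IN
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 33, 1)

def read_name(msg, off):  # decode a possibly compressed name -> (name, end)
    labels, end = [], None
    while msg[off]:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: jump, remember our end
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)

def parse_srv_answers(msg):  # -> (rcode, [(priority, weight, port, target)])
    rcode, an = msg[3] & 0xF, struct.unpack(">H", msg[6:8])[0]
    off, out = read_name(msg, 12)[1] + 4, []  # skip the echoed question
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 33:
            prio, weight, port = struct.unpack(">HHH", msg[off + 10:off + 16])
            out.append((prio, weight, port, read_name(msg, off + 16)[0]))
        off += 10 + rdlen
    return rcode, out

def resolve_srv(name, server="127.0.0.1"):  # server: assumed resolver address
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(build_query(name), (server, 53))
        return parse_srv_answers(s.recv(4096))

def check_realm(realm, lookup=resolve_srv):  # [] marks a missing record
    names = [t.format(r=realm) for t in REQUIRED_SRV]
    results = {n: lookup(n) for n in names}  # NXDOMAIN, as in the trace, is rcode 3
    return {n: recs if rcode == 0 else [] for n, (rcode, recs) in results.items()}
```

Run `check_realm("EXAMPLE.COM", lambda n: resolve_srv(n, server="<your DNS server>"))` against the resolver the clients use; every name that maps to an empty list is a record the domain controller still has to publish before the client will pick Kerberos over NTLM.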