My experience is that IE has never used kerberos, it's always been NTLM even though AD understands both Kerberos and NTLM (through SPNEGO).
Hope this helps. -Kent On Thu, 2005-09-15 at 16:49 -0700, Eitan wrote: > Hi, > Not sure if this is the correct place to post this question so I'm > sorry if it's not. > > I've created in a test environment the following configuration: > - PC A: Running Windows 2003 as active directory domain controller. > - PC B: Windows XP Pro (that was added to the AD) logged on to the AD. > - PC C: Simply running a sniffer. > > Now.. > Having read this : > http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/Operations/6291dce1-4ea8-4b4f-a9c1-23926ab6e8dd.mspx > > I fixed what was stated in this article (added the AD server to the > correct zone on the XP client, and made sure that the Integrated logon > was checked) > After this setup I was ready to start the browser and post a request > for a simple "Hello world" page on the AD server (and yes , the URL was > constructed with the FQDN of the Ad and not it's IP) > > When the TCP stream was decoded by the sniffer I found that the server > sent a single "Authorization" header to the client stating "Negotiate" > and the client sent an NTLM keys (decoded into "NTLMSSP" string) > no mater what I tried I keep getting those NTLM sessions and no > Kerberos. > > Eitan. > > ________________________________________________ > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos -- Kent Wu <[EMAIL PROTECTED]> XSIGO INC. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
