On Fri, 30 Jun 2006 04:10:35 GMT Jeffrey Altman <[EMAIL PROTECTED]> wrote:

> Michael B Allen wrote:
> >
> > It could be (2). But it's not specific to IE because the wsh script
> > generates the same error and it just uses the WinHttpRequest interface. So
> > it would have to be a machine level or "Global Policy" type of setting.
> >
> > It could be (4) if there's something wrong with the account. As per my
> > instructions he created a Computer account and ran ktpass to generate
> > an "RC4-HMAC-NT" keytab. Maybe he should have used a User account and
> > DES? I've tested all of this with my very vanilla W2K3 KDC. Considering
> > the keytab credential was used successfully by the installer to query
> > an AD group I'm thinking this isn't the problem.
>
> Do you have a network monitor? If so, look for HTTP service ticket
> requests that are being denied.

Yeah. I just worked out exactly how to install netcap.exe on XP and get a capture. I think it is indeed something wrong with trying to acquire the HTTP service ticket. If I disable the Computer account in my environment I get exactly the same behavior as the customer. IE gets KRB5KDC_ERR_S_UNKNOWN_PRINCIPAL and falls back to NTLM.

> If you don't see them, then you most
> likely have not added the host url to the Trusted Sites list. This
> is required in order for WinHttpRequest or IE to perform Kerberos
> negotiate.

Interesting. So that also affects WinHttpRequest. Regardless we've been over that twice already. The customer definitely has that set. Incidentally I think the proper method is to add the domain to the IntrAnet zone like 'http://*.foo.net'. I think the Trusted Sites list is more for IntErnet sites like http://download.microsoft.com, etc.

Mike

--
Michael B Allen
PHP Extension for SSO w/ Windows Group Authorization
http://www.ioplex.com/

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
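Jeffrey's advice to look for denied HTTP service ticket requests in the capture can be scripted once the KRB-ERROR messages have been pulled out of it. The following is an added example, not code from the thread: a minimal DER walker over the RFC 4120 KRB-ERROR layout that extracts the error code and the requested SPN, and flags error-code 7 (KDC_ERR_S_PRINCIPAL_UNKNOWN, the error the message above calls KRB5KDC_ERR_S_UNKNOWN_PRINCIPAL) for HTTP/ principals. The sample message, the realm FOO.NET and the host www.foo.net are constructed for the example; real input would be the Kerberos payloads carved out of the netcap trace.

```python
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7   # RFC 4120 error-code; IE reports it as KRB5KDC_ERR_S_UNKNOWN_PRINCIPAL

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        yield tag, val

def parse_krb_error(msg):
    """Return (error_code, 'svc/host@REALM') from a DER-encoded KRB-ERROR (RFC 4120 5.9.1)."""
    tag, body, _ = der_tlv(msg)
    if tag != 0x7E:                         # [APPLICATION 30] KRB-ERROR
        raise ValueError("not a KRB-ERROR")
    _, seq, _ = der_tlv(body)               # the SEQUENCE wrapped by the APPLICATION tag
    fields = {t & 0x1F: v for t, v in der_children(seq)}   # context tag number -> inner TLV
    _, code, _ = der_tlv(fields[6])         # error-code [6] Int32
    _, realm, _ = der_tlv(fields[9])        # realm [9] realm of the requested service
    _, sname, _ = der_tlv(fields[10])       # sname [10] PrincipalName
    parts = {t & 0x1F: v for t, v in der_children(sname)}
    _, names, _ = der_tlv(parts[1])         # name-string [1] SEQUENCE OF GeneralString
    spn = "/".join(v.decode() for _, v in der_children(names))
    return int.from_bytes(code, "big", signed=True), spn + "@" + realm.decode()

def is_denied_http_ticket(msg):
    # True when the KDC rejected an HTTP/... service ticket request because the SPN is unknown
    code, spn = parse_krb_error(msg)
    return code == KDC_ERR_S_PRINCIPAL_UNKNOWN and spn.startswith("HTTP/")

# --- constructed sample (not a real capture), built with a short-length-only DER encoder ---
def _der(tag, payload): return bytes([tag, len(payload)]) + payload   # payload < 128 bytes
def _int(i): return _der(0x02, bytes([i]))                            # small non-negative INTEGER
def _gstr(s): return _der(0x1B, s.encode())                           # GeneralString
def _ctx(n, inner): return _der(0xA0 | n, inner)                      # [n] EXPLICIT context tag

SAMPLE_KRB_ERROR = _der(0x7E, _der(0x30,
    _ctx(0, _int(5)) + _ctx(1, _int(30)) +                            # pvno, msg-type
    _ctx(4, _der(0x18, b"20060630041035Z")) + _ctx(5, _int(0)) +      # stime, susec
    _ctx(6, _int(KDC_ERR_S_PRINCIPAL_UNKNOWN)) +
    _ctx(9, _gstr("FOO.NET")) +
    _ctx(10, _der(0x30, _ctx(0, _int(2)) +                            # name-type NT-SRV-INST
        _ctx(1, _der(0x30, _gstr("HTTP") + _gstr("www.foo.net")))))))
```

Running `parse_krb_error(SAMPLE_KRB_ERROR)` yields `(7, 'HTTP/www.foo.net@FOO.NET')`, the signature of the failure described above.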