Hello,

I have the following problem: Our KDC is a Windows 2003 AD Server with address "company.corp", which is also the name of the domain. We have an Apache Webserver running on openSUSE with mod_auth_kerb (5.3). Its name is "department.location.company.corp". It has a valid keytab file (for HTTP/[EMAIL PROTECTED]) with which it can get tickets. The WebServer is accessed via "http://department.location.company.corp:1081/site".

Some hosts can access the WebServer correctly. The other hosts that cannot access the WebServer are Windows XP Pro machines, hooked into the domain with a domain user logged on.

Access is not possible via: IE6, IE7, Mozilla, despite correct configuration (Integrated Windows Authentication is on, correct zone is set...).

Access is possible via the following ways: running the browsers explicitly as the user's domain account; using MIT Kerberos for Windows in combination with Mozilla (switching network.auth.use-sspi to false).

Kerbtray shows a TGT in the MSLSA cache. In case of a failure, the Apache log shows that the client is sending an NTLM token. Network sniffers show that there is no communication between the client and the KDC.

One really funny thing about the whole thing is that the error appears exclusively if the user is in the local Administrators group. (User logs on; it is working; user is granted administrative rights; logs off and on again; it does not work.) Removing the user from the Administrators group again afterwards does not solve the problem.

I guess somehow the Microsoft SSPI is the problem, but I do not know how to fix it. Any ideas or thoughts are appreciated.

Thanks,
Florian

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
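
An added illustration, not part of the original post: a Python check that classifies the token in an `Authorization: Negotiate` header as raw NTLMSSP or as a GSS-API/SPNEGO token, which is the distinction the Apache log in the message points to. The function names, result labels and sample headers are constructed for this example, and the OID scan is a heuristic rather than a full DER parse.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
# DER-encoded mechanism OIDs that can appear in a SPNEGO mechTypes list.
MECH_OIDS = {
    "kerberos": bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
    "ms-kerberos": bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2
    "ntlm": bytes.fromhex("060a2b06010401823702020a"),       # 1.3.6.1.4.1.311.2.2.10
}


def classify_negotiate(header_value):
    """Label the token carried in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:
        return "invalid-base64"
    if token.startswith(NTLM_SIG):
        # Raw NTLMSSP message: a 32-bit little-endian type follows the signature.
        if len(token) < 12:
            return "ntlm-truncated"
        return "ntlm-type%d" % struct.unpack_from("<I", token, 8)[0]
    if token[:1] != b"\x60":  # GSS-API InitialContextToken tag
        return "unknown"
    # Heuristic: the mechanism OID that appears first is either the token's
    # own mechanism or the preferred entry of the SPNEGO mechTypes list.
    found = sorted((token.find(oid), name) for name, oid in MECH_OIDS.items() if oid in token)
    mech = found[0][1] if found else "no-known-mech"
    wrapper = "spnego" if OID_SPNEGO in token[:16] else "gss"
    return "%s:%s" % (wrapper, mech)


def negotiate_header(raw):
    """Build a header value from raw token bytes (helper for the samples)."""
    return "Negotiate " + base64.b64encode(raw).decode()


# Constructed samples, not captured traffic: an NTLM type 1 message and a
# SPNEGO NegTokenInit that lists MS-Kerberos, Kerberos and NTLM in that order.
SAMPLE_NTLM = negotiate_header(NTLM_SIG + struct.pack("<II", 1, 0xA2088207))
SAMPLE_SPNEGO = negotiate_header(b"\x60\x32" + OID_SPNEGO + b"\xa0\x28\x30\x26\xa0\x24\x30\x22"
    + b"".join(MECH_OIDS[m] for m in ("ms-kerberos", "kerberos", "ntlm")))

if __name__ == "__main__":
    for sample in (SAMPLE_NTLM, SAMPLE_SPNEGO):
        print(classify_negotiate(sample))
```

A base64 value beginning with `TlRMTVNTUA` decodes to the NTLMSSP signature, so the failing case described in the message can also be spotted by eye in a header dump.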
