On 6/19/2013 5:44 PM, Booker Bense wrote: > I'm working with mod_auth_kerb and from a linux box, it works fine with > tickets from both of our realms, WIN.SLAC.STANFORD.EDU and SLAC.STANFORD.EDU > . > > Browsers running on windows boxes (IE and Firefox ) fail with this error in > the > apache server logs. > > Warning: received token seems to be NTLM, which isn't supported by the > Kerberos module. Check your IE configuration. > > Some googling suggests that there needs to be some configuration on the AD > side. > > I know little about AD, but that post suggests that the server needs an AD > entry > of some kind to enable the browser to use kerberos credentials. Does anyone > know what the appropriate entry would be for a webserver
For browsers this might help: https://wiki.shibboleth.net/confluence/display/SHIB2/Single+sign-on+Browser+configuration You may have to add both realms and website to the list of trusted sites. (I don't have much experience with cross realm these days.) Also look google for: ie enable windows integrated authentication > > foo.slac.stanford.edu > > being accessed by clients in > > win.slac.stanford.edu > >>From the unix side of things cross-realm appears to be working just fine. I > can easily get service tickets for unix servers using the windows tgt. > > thanks, > > - Booker C. Bense > ________________________________________________ > Kerberos mailing list [email protected] > https://mailman.mit.edu/mailman/listinfo/kerberos > -- Douglas E. Engert <[email protected]> Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
