Ping a Specific Port

Question

Maurice Perry

Asked: 2011-04-15 00:30:02 +0800 CST2011-04-15 00:30:02 +0800 CST 2011-04-15 00:30:02 +0800 CST

NTLM token sent instead of Kerberos ticket

772

I am trying to implement kerberos SSO in our network using spnego on a tomcat server.

We have created an account (TCNKRBGINA) on the domain for the preauthentication, and setspn'ed it to the http server:

Setspn -A HTTPS/testtech.etat-ge.ch TCNKRBGINA
Setspn -A HTTP/testtech.etat-ge.ch TCNKRBGINA

But the client (IE or Firefox) sends an NTLM token instead of a kerberos ticket.

The problem doesn't seem to be on the server side because, when no Authorization header is sent, it correctly returns a 401 status code with a WWW-Authenticate: Negotiate header. The next request sent by the client contains the NTLM token, before the server had a chance to contact the domain controller.

1 Answers

Voted

Maurice Perry · Answer 1 · 2011-04-19T01:04:33+08:00

Best Answer

Maurice Perry

2011-04-19T01:04:33+08:002011-04-19T01:04:33+08:00

Got it, thanks to wireshark. The server name testtech.etat-ge.ch was defined in the DNS as an alias for bleutest.ceti.etat-ge.ch. It seems that the name used by kerberos is obtained by a reverse-lookup.

5

NTLM token sent instead of Kerberos ticket

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?