[squid-users] Re: Re: Re: Problems setting up Kerberos authentication

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Fri, 23 Sep 2011 08:25:46 +0100

>"Nikolaos Milas" <nmilas_at_noa.gr> wrote in message
>news:4E7C2DE5.8000104_at_noa.gr...
>On 23/9/2011 12:41, Markus Moeller wrote:
>
>>
>> A bit. Your Kerberos setup seems not to work as the client tries to use
>> NTLM instead
>>
>
>Thanks Markus,
>
>I used Wireshark. I opened IE and requested site www.example.com:
>
> HTTP GET http://www.example.com/ HTTP/1.1
>
>and saw that the browser, after:
>
> HTTP HTTP/1.0 407 Proxy Authentication Required (text/html)
>
>sends a query to the DNS Server:
>
> Standard query SRV _kerberos._tcp.dc._msdcs.EXAMPLE.COM
>
>and the DNS Server replies:
>
> DNS Standard query response, No such name
>
>and then we have three tries with :
>
> NBNS Name query NB EXAMPLE.COM<1c>
>
>and finally it obviously switches to NTLM/Negotiate:
>
> HTTP GET http://www.example.com/ HTTP/1.1 , NTLMSSP_NEGOTIATE
>
>
>So, the glitch seems to be the DNS query stage. How do we handle this?
>

This is an incomplete Active Directory setup (or Kerberos if you don't use
AD). If you set up a Windows 2003 or 2008 server as a domain controller it
will ask you if you want to set up DNS too. If you say yes MS will create DNS
entries for Kerberos services automatically. If you don't you have to do it
on your DNS server manually.

You need entries for:

port 88

SRV _kerberos._udp.dc._msdcs.EXAMPLE.COM
SRV _kerberos._tcp.dc._msdcs.EXAMPLE.COM

port 464

SRV _kpasswd._tcp.dc._msdcs.EXAMPLE.COM
SRV _kpasswd._tcp.dc._msdcs.EXAMPLE.COM

and some more. See http://technet.microsoft.com/en-us/library/cc961719.aspx,
http://technet.microsoft.com/en-us/library/cc759550(WS.10).aspx or
http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Hostnames-for-KDCs
and http://tools.ietf.org/html/draft-ietf-krb-wg-krb-dns-locate-03
>
>> Which points do you miss, so I can update the wiki ?
>
>I plan to document my setup, and I will send you details, when things
>finally work!
>
>Thanks,
>Nick
>
>
Received on Fri Sep 23 2011 - 07:26:10 MDT
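An added example, not code from this squid-users post or from Squid, that audits the SRV records Markus lists against dig-style answer lines and emits BIND zone-file records for whatever is missing. It assumes the four Windows-style names (`_kerberos` on port 88 and `_kpasswd` on port 464, each for `_udp` and `_tcp` under `dc._msdcs.<realm>`), a constructed answer set for the hypothetical realm `example.com` with KDC `dc1.example.com`, and default TTL/priority/weight values of 600/0/100; none of these values come from the thread. Feeding it the real `dig SRV <name>` output for a realm shows exactly the gap the browser trace above exposes before the client falls back to NTLM.

```python
"""Audit the Kerberos/AD SRV records for a realm and print the zone records
needed to fill any gaps.  Added example for this thread; not Squid code.
Input is dig-style "ANSWER SECTION" text so the script runs offline on a
constructed sample; in practice pass it the output of `dig SRV <name>`.
"""
import re

# SRV names a Windows domain controller publishes for Kerberos:
# port 88 for the KDC, port 464 for kpasswd, over UDP and TCP.
# (Assumed set for this example; realm is appended at run time.)
EXPECTED_SRV = {
    "_kerberos._udp.dc._msdcs": 88,
    "_kerberos._tcp.dc._msdcs": 88,
    "_kpasswd._udp.dc._msdcs": 464,
    "_kpasswd._tcp.dc._msdcs": 464,
}

# Matches one dig answer line, e.g.
# _kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\.\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+"
    r"(?P<port>\d+)\s+(?P<target>\S+)\.$"
)


def parse_srv_answers(text):
    """Return {owner_name_lowercase: (port, target)} for every SRV line."""
    found = {}
    for line in text.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            found[m.group("name").lower()] = (int(m.group("port")),
                                              m.group("target"))
    return found


def audit_realm(realm, dig_output):
    """Compare the answers with EXPECTED_SRV.

    Returns (missing_names, wrong_port) where wrong_port holds tuples of
    (name, port_seen, port_expected) for records that exist but point at
    the wrong port, which clients also treat as a broken KDC location.
    """
    answers = parse_srv_answers(dig_output)
    missing, wrong_port = [], []
    for prefix, port in EXPECTED_SRV.items():
        fqdn = f"{prefix}.{realm}".lower()
        if fqdn not in answers:
            missing.append(fqdn)
        elif answers[fqdn][0] != port:
            wrong_port.append((fqdn, answers[fqdn][0], port))
    return missing, wrong_port


def zone_records(realm, dc_host, missing):
    """BIND zone-file lines for each missing name.

    TTL 600, priority 0 and weight 100 are assumed defaults for the example.
    """
    lines = []
    for fqdn in missing:
        prefix = fqdn[: -len(realm) - 1]          # strip ".<realm>"
        port = EXPECTED_SRV[prefix]
        lines.append(f"{fqdn}. 600 IN SRV 0 100 {port} {dc_host}.")
    return lines


# Constructed sample: a half-finished zone where only the UDP KDC record is
# right and the kpasswd TCP record was published on the KDC port by mistake.
SAMPLE_DIG = """\
;; ANSWER SECTION:
_kerberos._udp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kpasswd._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
"""

if __name__ == "__main__":
    missing, wrong = audit_realm("example.com", SAMPLE_DIG)
    for name in missing:
        print(f"MISSING    {name}")
    for name, seen, want in wrong:
        print(f"WRONG PORT {name}: {seen} (expected {want})")
    print("Zone records to add:")
    for rec in zone_records("example.com", "dc1.example.com", missing):
        print("  " + rec)
```

The owner names are compared case-insensitively because the browser in the trace queried `EXAMPLE.COM` in upper case while zone files are usually written in lower case; DNS treats them the same, and the audit should too.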

This archive was generated by hypermail 2.2.0 : Fri Sep 23 2011 - 12:00:02 MDT