
I'm trying to test a Kerberos-based SSO solution for our Java app. Unfortunately, I don't have a Windows domain at my disposal to do so. I read about the ability to integrate Windows with a standalone, non-Microsoft Kerberos KDC:

http://technet.microsoft.com/en-us/library/bb742433.aspx#EDAA

...so I set up a Kerberos server on Ubuntu and integrated a Windows XP box with it using the ksetup.exe utility. I'm now able to log into the Kerberos realm on these PCs.

However, when I connect to our web app, IE doesn't offer to send a Kerberos ticket to the server...only NTLM.

I've configured the site to be in the Intranet zone and performed the other steps outlined here: http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/sso.html#1101398. I've also set the 'delegate' flag on the realm using ksetup /SetRealmFlags <realm> delegate...I'm not sure if this is relevant, but have seen some indication that it might be.

Is it possible to make IE send Kerberos tickets if it's not part of a Windows domain, but merely part of a Kerberos realm?

Aron
  • It's not clear from your question that the server/app is requesting GSSAPI negotiate auth. Is it? – 84104 Jan 10 '12 at 16:31
  • Yes, the app is requesting 'Negotiate' auth. It turns out I was wrong about Windows 7: it is offering to use Kerberos, but has NTLM as its preferred provider. I believe XP still isn't offering Kerberos. – Aron Jan 10 '12 at 23:15

1 Answer


Does the name that you are connecting to have an A record in DNS? Using a CNAME will not work unless you implement a registry setting on the client, which would not be a viable solution for most.

Greg Askew
  • Hi Greg - I'm setting up a test environment at home with a dinky little home router, so no DNS being used. I'm using IP addresses instead of host names. – Aron Jan 12 '12 at 01:05
  • I'm not saying that will not work, however in my Windows-only experience with Kerberos, IE and Windows services in general are obsessively picky with the name used to connect to. I would at least use a name, and try putting it in the hosts file on the machine where you are running IE. – Greg Askew Jan 12 '12 at 11:22
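Two things in this thread are worth checking mechanically rather than by eye: whether the Authorization header IE sends under the Negotiate scheme actually carries Kerberos or is just NTLM wrapped in SPNEGO (the asker's Windows 7 observation), and whether the URL even gives the client a hostname from which to build the HTTP/<host> service principal name (the answer's point about names versus IP addresses). The script below is an added example, not code from the question, the answer, or any product mentioned; it assumes the app answers with WWW-Authenticate: Negotiate, that the client builds the SPN as HTTP/<hostname as typed>, and it uses a byte-search heuristic over the SPNEGO mechTypes list rather than a full ASN.1 parser. The sample tokens it builds are constructed test data.

```python
import base64
import ipaddress
from urllib.parse import urlsplit

# DER-encoded OBJECT IDENTIFIERs that appear inside SPNEGO (RFC 4178) tokens.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")     # 1.2.840.48018.1.2.2 (Microsoft Kerberos)
KRB5_OID = bytes.fromhex("06092a864886f712010202")        # 1.2.840.113554.1.2.2 (Kerberos V5)
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10 (NTLMSSP)

MECHANISMS = [("kerberos", MS_KRB5_OID), ("kerberos", KRB5_OID), ("ntlm", NTLMSSP_OID)]


def expected_spn(url):
    """Return the HTTP SPN the client will request a ticket for, or None when the URL
    names an IP literal (assumption: no hostname means no SPN, so the client falls back
    to NTLM, which matches the asker's home-router setup with no DNS)."""
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return None
    except ValueError:
        return "HTTP/" + host.lower()


def preferred_mechanism(authorization):
    """Classify an Authorization header value as 'kerberos', 'ntlm' or 'unknown'.

    In a NegTokenInit the mechTypes list precedes the optimistic mechToken, and its
    first entry is the mechanism the client prefers; NTLM there means Negotiate was
    offered but no usable Kerberos ticket was obtained."""
    scheme, _, token = authorization.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "unknown"
    try:
        raw = base64.b64decode(token.strip())
    except ValueError:
        return "unknown"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"            # bare NTLM message sent under the Negotiate scheme
    if raw[:1] != b"\x60":
        return "unknown"         # not a GSS-API InitialContextToken
    # Heuristic: the earliest mechanism OID in the byte stream is the preferred one.
    hits = [(raw.find(oid), name) for name, oid in MECHANISMS if raw.find(oid) >= 0]
    return min(hits)[1] if hits else "unknown"


def _der(tag, content):
    """Minimal DER TLV encoder (lengths up to 65535) for building sample tokens."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def build_negotiate_header(mech_oids, mech_token):
    """Construct a minimal SPNEGO NegTokenInit header value (constructed sample data)."""
    mech_types = _der(0x30, b"".join(mech_oids))                      # SEQUENCE OF OID
    neg_init = _der(0x30, _der(0xA0, mech_types) + _der(0xA2, _der(0x04, mech_token)))
    token = _der(0x60, SPNEGO_OID + _der(0xA0, neg_init))             # InitialContextToken
    return "Negotiate " + base64.b64encode(token).decode("ascii")


def build_ntlm_header(scheme="NTLM"):
    """Construct a header carrying a (truncated, constructed) NTLM Type 1 message."""
    return scheme + " " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode("ascii")


def diagnose(url, authorization):
    """One-line summary relating the URL's SPN situation to what the header shows."""
    spn = expected_spn(url)
    mech = preferred_mechanism(authorization)
    if spn is None:
        return "no SPN can be built for %r (IP literal); NTLM expected, header shows %s" % (url, mech)
    return "client should request a ticket for %s; header shows %s" % (spn, mech)


if __name__ == "__main__":
    krb = build_negotiate_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60\x01\x00")
    ntlm = build_negotiate_header([NTLMSSP_OID, MS_KRB5_OID, KRB5_OID], b"NTLMSSP\x00\x01\x00\x00\x00")
    print(diagnose("http://192.168.1.10/app", ntlm))
    print(diagnose("http://webapp.example.test/app", krb))
```

Run it against the Authorization header captured from a request (for instance from the app's access log or a proxy); the URL check tells you whether the IP-literal address alone explains an NTLM result, and the header check tells you whether Negotiate is carrying Kerberos or only NTLM.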