[jcifs] Kerberos HTTP authentication

Michael B Allen mba2000 at ioplex.com
Tue Oct 3 15:04:03 GMT 2006

On Tue, 3 Oct 2006 13:56:54 +0100
"Mike Streeton" <mike.streeton at ardentia.co.uk> wrote:

> Thanks for this Eric, these are the instructions I have been following.
> The issue seems to be that Authentication.isNtlm(byte[] token) is always
> returning true, indicating that Kerberos authentication is not taking
> place. I have tried setting the "Enable Integrated Windows
> Authentication (requires restart)" on in IE setup and adding the machine
> to the trusted intranet site. So although the user is authenticated it
> does not seem to be using Kerberos.

There are a number of requirements for IE to even try to use Kerberos. Go
to the support page at the site listed in my signature and look at page 14
of the PDF manual listed there. That page lists all of the requirements
necessary to get IE to try to negotiate Kerberos [1]. Note that the
product associated with this manual has absolutely nothing to do with
jcifs but getting IE to do Kerberos is the same regardless of what SSO
solution you're using.


[1] One requirement that was left out of the list should read something
like "The target URL must use the hostname used with the /princ option
to ktpass. The URL must not use an IP address."

Michael B Allen
PHP Active Directory SSO
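
The following is an added example, not part of the original message and not jcifs code: it classifies the token in a captured `Authorization` header as raw NTLM or as a GSS-API/SPNEGO token that offers Kerberos, and checks whether the target URL uses an IP address, the condition named in footnote [1]. The function names, the sample tokens and the OID substring heuristic are assumptions of this example.

```python
import base64, binascii, ipaddress
from urllib.parse import urlsplit

NTLMSSP_SIG = b"NTLMSSP\x00"                           # raw NTLM message signature
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))  # 1.2.840.48018.1.2.2 (MS)
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10
SPNEGO_OID = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2

def classify_authorization(header_value):
    """Classify the token carried in an HTTP Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if token.startswith(NTLMSSP_SIG):
        return "ntlm"                  # browser fell back to raw NTLM
    if token[:1] != b"\x60":           # not a GSS-API InitialContextToken
        return "unknown"
    # Heuristic (assumption): substring search for mechanism OIDs, not a DER parse.
    if any(oid in token for oid in KRB5_OIDS):
        return "kerberos-offered"
    return "ntlm-in-spnego" if NTLM_OID in token else "unknown"

def url_host_is_ip(url):
    """True if the URL host is an IP literal (footnote [1]: must be a hostname)."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False

def _der(tag, body):                   # short-form DER TLV, body < 128 bytes
    return bytes([tag, len(body)]) + body

# Constructed sample inputs (not captured traffic; mechToken omitted).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIG + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
_mechs = _der(0x30, KRB5_OIDS[1] + KRB5_OIDS[0] + NTLM_OID)
SAMPLE_SPNEGO_KRB5 = "Negotiate " + base64.b64encode(
    _der(0x60, SPNEGO_OID + _der(0xa0, _der(0x30, _der(0xa0, _mechs))))).decode()

if __name__ == "__main__":
    for hdr in (SAMPLE_NTLM, SAMPLE_SPNEGO_KRB5):
        print(classify_authorization(hdr))
    print(url_host_is_ip("http://192.0.2.10/app"))
```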
