Setting up Kerberos SSO in Windows 2008 network
Posted by Arturs Licis on Server Fault
Published on 2012-10-18T10:40:43Z
Tags: windows-server-2008-r2 | kerberos
We recently introduced Kerberos (SPNEGO) Single Sign-on in our web portal, and tested it on a Windows network with a Windows 2003 domain controller.
Now, trying to test it on a Windows 2008 R2 controlled network, SSO just doesn't work due to defective tokens. Up to this moment I was pretty sure that there was something wrong with the environment and that those were NTLM tokens. We double-checked IE settings etc., but nothing helped. Then we checked the following settings for both users (the one logged on to a client test machine, and the one used as a Service Principal):
- This account supports Kerberos AES 128 bit encryption.
- This account supports Kerberos AES 256 bit encryption.
... and the error message changed to:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled)
It makes me think that Internet Explorer receives Kerberos tokens at all times, and there's just some configuration missing, or that ktpass.exe was executed incorrectly. Here's how ktpass.exe was invoked:
- C:\>ktpass /out portal1.keytab /mapuser USER /princ HTTP/[email protected] /pass *