views: 545
answers: 3

I have gone through many blogs which are telling that if Kerberos fails then it automatically falls back to NTLM. Is it true?

+1  A: 

Yes it is, if you configured Kerberos through central administration.
In IIS metabase, you should have "Negotiate, NTLM".

Nico
Hi Nico, thank you for the response. I have already written Java code which supports NTLM authentication. But now the customer environment supports only Kerberos. It blocks the concept of falling back to Kerberos. Is it possible to write Java code to support only Kerberos authentication (should not negotiate back to NTLM)? Thanks in advance!!!
Carol
A: 

Actually, this is a pretty big gotcha with Kerberos. Yes, Negotiate will pick between Kerberos and NTLM, but this is a one-time choice. It is not failover authentication. So if the Kerberos authentication fails, the server won't specifically send a new NTLM authentication challenge to the client.

Christopher_G_Lewis
Thank you Chris. I have a SharePoint setup with Kerberos authentication. Now I am trying to implement Java code to authenticate against SharePoint using Kerberos. This is the debug output I get:

Found ticket for [email protected] to go to krbtgt/[email protected] expiring on Fri Oct 16 19:16:18 EDT 2009
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm

I have seen many blog posts with people asking for the same. But I could not find any answer. Any help would be really appreciated.
Carol
A: 

I think the client decides what to send and the server simply accepts or rejects. Meaning, based on what the server is asking for, the client may or may not be able to comply. So if the server says Negotiate, the client can send either an NTLM token or a Kerberos token...?

If you are writing a server that needs to authenticate clients via Kerberos, then you will be able to specify if you want to accept or reject the token, or have the client retry using some other scheme... like Basic (not recommended).

If you are writing a client, simply send whichever token you want (NTLM or Kerberos) and the server will tell you what to do next (if anything; the server may accept).

Take a look at this open source project: http://spnego.sourceforge.net. The project implements a SPNEGO HTTP Servlet Filter as well as a SpnegoHttpURLConnection object.

Pat Gonzalez
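The Kerberos-only client that Carol asks for in her comments, and the "client chooses which token to send" point in Pat's answer, can be shown with the JDK's own GSS-API (org.ietf.jgss). This is an added example, not code from the thread or from the spnego.sourceforge.net project. It relies on two facts about the JDK: NTLM is not a GSS mechanism there at all, and the built-in SPNEGO mechanism (OID 1.3.6.1.5.5.2) only ever offers Kerberos V5 (OID 1.2.840.113554.1.2.2), so a token produced this way can never "fall back" to NTLM, whatever the server's Negotiate challenge allows. The JAAS entry name "SharePointClient", the service principal "HTTP@sharepoint.example.com" and the URL are assumptions for illustration.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * HTTP client that authenticates with a Kerberos-backed SPNEGO token only.
 *
 * Assumed JAAS configuration (passed with -Djava.security.auth.login.config=jaas.conf):
 *
 *   SharePointClient {
 *       com.sun.security.auth.module.Krb5LoginModule required useTicketCache=true;
 *   };
 *
 * Realm and KDC come from krb5.conf (or -Djava.security.krb5.realm / .kdc).
 */
public final class KerberosOnlyHttpClient {

    /** SPNEGO mechanism OID. The JDK's SPNEGO implementation wraps Kerberos V5 only; NTLM is not available to it. */
    private static final String SPNEGO_MECH_OID = "1.3.6.1.5.5.2";

    /**
     * Logs in through JAAS (obtaining the TGT), then performs one Negotiate round-trip against url.
     *
     * @param jaasEntry JAAS login entry name, e.g. "SharePointClient" (assumed name)
     * @param spn       host-based service principal, e.g. "HTTP@sharepoint.example.com" (assumed)
     * @return the HTTP status the server returned after the Kerberos token was presented
     */
    public static int authenticate(String jaasEntry, String spn, URL url) throws Exception {
        LoginContext login = new LoginContext(jaasEntry);
        login.login();
        Subject subject = login.getSubject();
        try {
            // javax.security.auth.useSubjectCredsOnly defaults to true, so the GSS calls
            // must run inside doAs to see the TGT that Krb5LoginModule stored in the Subject.
            return Subject.doAs(subject, (PrivilegedExceptionAction<Integer>) () -> doRequest(spn, url));
        } finally {
            login.logout();
        }
    }

    private static int doRequest(String spn, URL url) throws GSSException, IOException {
        GSSManager manager = GSSManager.getInstance();
        Oid spnego = new Oid(SPNEGO_MECH_OID);
        GSSName service = manager.createName(spn, GSSName.NT_HOSTBASED_SERVICE, spnego);
        // null credential: use the TGT from the JAAS Subject; the mechanism fetches the service ticket itself
        GSSContext ctx = manager.createContext(service, spnego, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // require the server to prove it holds the service key
        ctx.requestCredDeleg(false);   // do not hand SharePoint a forwardable copy of the TGT
        try {
            // First call builds the Kerberos AP-REQ (inside a SPNEGO NegTokenInit) from the service ticket.
            byte[] outToken = ctx.initSecContext(new byte[0], 0, 0);

            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestProperty("Authorization",
                    "Negotiate " + Base64.getEncoder().encodeToString(outToken));
            int status = conn.getResponseCode();

            // On success the server answers with its own token (AP-REP) in WWW-Authenticate: Negotiate <b64>.
            String header = conn.getHeaderField("WWW-Authenticate");
            if (header != null && header.startsWith("Negotiate ") && !ctx.isEstablished()) {
                byte[] inToken = Base64.getDecoder().decode(header.substring("Negotiate ".length()).trim());
                ctx.initSecContext(inToken, 0, inToken.length);   // throws GSSException if the AP-REP is invalid
            }
            if (status / 100 == 2 && !ctx.isEstablished()) {
                // A 2xx without a verifiable AP-REP means mutual authentication never completed; do not trust it.
                throw new SecurityException("server accepted the request without completing mutual authentication");
            }
            return status;
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java KerberosOnlyHttpClient HTTP@sharepoint.example.com https://sharepoint.example.com/
        int status = authenticate("SharePointClient", args[0], new URL(args[1]));
        System.out.println("HTTP status after Kerberos authentication: " + status);
    }
}
```

Because the client never holds an NTLM mechanism, a Kerberos failure surfaces as a GSSException on the first initSecContext (no service ticket could be obtained) or as a 401 from the server, exactly the "one-time choice, not failover" behaviour Chris describes. Running with -Dsun.security.krb5.debug=true prints the same Krb5Context/acquireServiceCreds trace that appears in Carol's comment, which is the place to look when the service ticket request fails.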