Setting up Kerberos SSO in Windows 2008 network

Posted by Arturs Licis on Server Fault
Published on 2012-10-18T10:40:43Z Indexed on 2012/10/18 11:02 UTC

We recently introduced Kerberos (SPNEGO) Single Sign-on in our web-portal, and tested it on a Windows network with a Windows 2003 domain controller.

Now, trying to test it on a Windows 2008 R2 controlled network, SSO just doesn't work due to defective tokens. Up to that moment I was pretty sure that there was something wrong with the environment and that those were NTLM tokens. We double-checked IE settings etc., but nothing helped. Then we checked the following settings for both users (the one logged on to a client test machine, and the one used as a Service Principal):

  • This account supports Kerberos AES 128 bit encryption.
  • This account supports Kerberos AES 256 bit encryption.

... and the error message changed to:

GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256CTS mode with HMAC SHA1-96 is not supported/enabled)

It makes me think that Internet Explorer receives Kerberos tokens at all times, and there's just some configuration missing, or that ktpass.exe was executed incorrectly. Here's how ktpass.exe was invoked:

© Server Fault or respective owner
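
Added example, not part of the original post: one way to settle the NTLM-versus-Kerberos question raised above is to decode the value of the browser's "Authorization: Negotiate" header and list the GSS-API mechanisms it carries. The function names and both sample tokens are constructed for this illustration and are not captured traffic.

```python
import base64

MECHS = {  # well-known GSS-API mechanism OIDs
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
# Constructed samples: a SPNEGO NegTokenInit with mechTypes only, and a bare NTLM header
SPNEGO_SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a0243022" "06092a864882f712010202"
    "06092a864886f712010202" "060a2b06010401823702020a")).decode()
NTLM_SAMPLE = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

def tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def oid(raw):  # DER OID content bytes -> dotted string
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def offered_mechanisms(header_value):
    """List the mechanisms carried in an 'Authorization: Negotiate <b64>' value."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    if token.startswith(b"NTLMSSP\x00"):
        return ["NTLMSSP"]  # raw NTLM message: no Kerberos ticket was sent
    tag, start, _ = tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    _, o_start, pos = tlv(token, start)
    mech = oid(token[o_start:pos])
    if mech != "1.3.6.1.5.5.2":
        return [MECHS.get(mech, mech)]  # mechanism token sent without SPNEGO wrapping
    for _depth in range(4):  # [0] NegTokenInit -> SEQUENCE -> [0] mechTypes -> SEQUENCE OF OID
        _tag, pos, end = tlv(token, pos)
    found = []
    while pos < end:
        _tag, v_start, pos = tlv(token, pos)
        found.append(MECHS.get(oid(token[v_start:pos]), "unknown"))
    return found
```

The first entry returned for a SPNEGO token is the client's preferred mechanism; a result of only "NTLMSSP" means the client never obtained a service ticket for the SPN.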