kerberos TGS for an IP address
Posted: 01-30-2009, 09:19 AM
My tests show the following. I would like to hear a confirmation of this, or an
explanation of what I am doing incorrectly or what to change.
Vista never uses Kerberos for servers (at least HTTP, SMB/CIFS) whose name is
specified as an IP address, is that right?
In other words:
Vista (as opposed to XP) never ASKS for a TGS if the name of the server is
specified as an IP address, is that right?
By using the word ASKS I would like to stress the fact that XP always asks for a
TGS, which may not be available because an appropriate SPN is missing, while
Vista never asks for the TGS even if a correct SPN exists. I checked this using
Wireshark. When using an IP address, there is no TGS request coming from Vista,
while there IS one coming from XP.
I can reproduce the problem with the following steps.
This series of steps works correctly, as expected:
a) have server SRV1.domain.local, IP address 10.10.0.11
b) create DNS A record intranet.domain.local, IP address 10.10.0.11
c) add site "intranet.domain.local" to the Local Intranet sites (IEESC
d) purge the Kerberos ticket cache
e) restart IE
f) try IE to http://intranet.domain.local (exactly this, not using the short
g) only the TGT is received, but both TGT and TGS were requested, as seen in
Wireshark; this is still correct because no SPN has been created yet. So we are
going to create the SPN and enable Kerberos for the alias.
h) create SPN http/intranet.domain.local
i) purge the Kerberos ticket cache
j) restart IE
k) try IE to http://intranet.domain.local (exactly this, not using the short
l) both TGT and TGS were received successfully
The same procedure works the same way for SMB/CIFS access as well (of course,
DisableStrictNameChecking must have been set to 1).
But when I try the same procedure to access http://10.10.0.11 or
\\10.10.0.11 (Local Intranet site address, caches purged, SPN created etc.),
the Vista client does not even ask for a TGT, once again as observed using
Wireshark. The client doesn't try Kerberos at all; it uses NTLM as the first
method without trying Kerberos first.
Many thanks for any hint.
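As an added example, not part of the original post: a PowerShell check of the procedure above that reads the local ticket cache with klist instead of a Wireshark capture, so the hostname case and the IP-address case can be compared on the client. The names SRV1, intranet.domain.local and 10.10.0.11 come from the post; the function name and the use of Invoke-WebRequest in place of IE are assumptions of this example.

```powershell
# Added example (not from the original post). Assumes a domain-joined client
# with PowerShell 3+ and setspn.exe; host SRV1 and alias intranet.domain.local
# as in the post.

function Test-KerberosTicketForUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedSpn   # e.g. HTTP/intranet.domain.local
    )
    # Same as the post's "purge Kerberos ticket cache" step: any ticket seen
    # afterwards was obtained by this request.
    klist purge | Out-Null

    # Integrated Windows authentication (Negotiate), standing in for IE browsing
    # to a site in the Local Intranet zone.
    try {
        Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing | Out-Null
    } catch {
        Write-Warning "Request to $Url failed: $($_.Exception.Message)"
    }

    # klist prints one "Server: <SPN> @ <REALM>" line per cached ticket.
    $cache = klist
    $tgt   = $cache | Where-Object { $_ -match 'Server:\s+krbtgt/' }
    $tgs   = $cache | Where-Object { $_ -match "Server:\s+$([regex]::Escape($ExpectedSpn))\s*@" }

    [pscustomobject]@{
        Url         = $Url
        TgtObtained = [bool]$tgt
        TgsObtained = [bool]$tgs   # False: no service ticket, client fell back to NTLM
    }
}

# One-time setup from the post (run on the DNS server / as a domain admin):
#   Add-DnsServerResourceRecordA -ZoneName domain.local -Name intranet -IPv4Address 10.10.0.11
#   setspn -S HTTP/intranet.domain.local SRV1

# Hostname alias: a TGS for HTTP/intranet.domain.local is expected once the SPN exists.
Test-KerberosTicketForUrl -Url 'http://intranet.domain.local' -ExpectedSpn 'HTTP/intranet.domain.local'

# IP address: the post observes no Kerberos request at all for this form.
Test-KerberosTicketForUrl -Url 'http://10.10.0.11' -ExpectedSpn 'HTTP/10.10.0.11'
```

Compare the two result objects: a TgtObtained of False for the IP-address URL matches the post's observation that the client never touched the KDC for that request.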