Windows – Will IE send a Kerberos ticket if not in a Domain

Tags: internet explorer, kerberos, windows

I'm trying to test a Kerberos-based SSO solution for our Java app. Unfortunately, I don't have a Windows domain at my disposal to do so. I read about the ability to integrate Windows with a standalone, non-Microsoft Kerberos KDC:

http://technet.microsoft.com/en-us/library/bb742433.aspx#EDAA

…so I set up a Kerberos server on Ubuntu and integrated a Windows XP box with it using the ksetup.exe utility. I'm now able to log into the Kerberos realm on these PCs.

However, when I connect to our web app, IE doesn't offer to send a Kerberos ticket to the server…only NTLM.

I've configured the site to be in the Intranet zone and performed the other steps outlined here: http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/sso.html#1101398
I've also set the 'delegate' flag on the realm using ksetup /SetRealmFlags <realm> delegate…I'm not sure if this is relevant, but have seen some indication that it might be.

Is it possible to make IE send Kerberos tickets if it's not part of a Windows domain, but merely part of a Kerberos realm?

Best Answer

Does the name that you are connecting to have an A record in DNS? Using a CNAME will not work unless you implement a registry setting on the client, which would not be a viable solution for most.
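As an added illustration (not from the question or the answer above), here is a small Python model of why a CNAME breaks the ticket request: the client builds the HTTP service principal name (SPN) from the host name it resolves, and if that principal does not exist in the KDC there is no ticket to offer, so the browser falls back to NTLM. The DNS records, the KDC principal list and the `use_cname_for_spn` switch are constructed assumptions for this example, not a description of any specific IE version's behaviour.

```python
# Constructed DNS zone for the example: name -> (record type, target).
# "sso" is reachable only through a CNAME; "portal" has a direct A record.
DNS = {
    "sso.example.test": ("CNAME", "webhost1.example.test"),
    "webhost1.example.test": ("A", "192.0.2.10"),
    "portal.example.test": ("A", "192.0.2.11"),
}

# Constructed set of service principals registered in the KDC. Note that the
# admin registered the friendly names, not the CNAME target "webhost1".
KDC_PRINCIPALS = {
    "HTTP/sso.example.test@EXAMPLE.TEST",
    "HTTP/portal.example.test@EXAMPLE.TEST",
}


def canonical_name(host, dns):
    """Follow CNAME records until an A record (or an unknown name) is reached."""
    seen = set()
    while host in dns and dns[host][0] == "CNAME":
        if host in seen:
            raise ValueError("CNAME loop at %s" % host)
        seen.add(host)
        host = dns[host][1]
    return host


def expected_spn(url_host, realm, dns, use_cname_for_spn=True):
    """Return the SPN the client will request from the KDC.

    use_cname_for_spn=True models a client that canonicalises the URL host
    through DNS before building the SPN (the case the answer warns about);
    False models a client configured to use the host name exactly as typed.
    """
    host = canonical_name(url_host, dns) if use_cname_for_spn else url_host
    return "HTTP/%s@%s" % (host, realm)


def negotiate(url_host, realm, dns, principals, use_cname_for_spn=True):
    """Return ("Kerberos", spn) if the KDC can issue a ticket for the SPN the
    client asks for, otherwise ("NTLM", spn) to model the fallback."""
    spn = expected_spn(url_host, realm, dns, use_cname_for_spn)
    return ("Kerberos" if spn in principals else "NTLM", spn)


if __name__ == "__main__":
    for host in ("sso.example.test", "portal.example.test"):
        print(host, "->", negotiate(host, "EXAMPLE.TEST", DNS, KDC_PRINCIPALS))
```

Running it shows the CNAME host ending up with an SPN for webhost1 that the KDC has never heard of, while the A-record host gets a ticket; the same check can be done by hand by comparing the output of a DNS lookup for the URL host against the principals on the KDC.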