I'm trying to test a Kerberos-based SSO solution for our Java app. Unfortunately, I don't have a Windows domain at my disposal to do so. I read about the ability to integrate Windows with a standalone, non-Microsoft Kerberos KDC:
http://technet.microsoft.com/en-us/library/bb742433.aspx#EDAA
…so I set up a Kerberos server on Ubuntu and integrated a Windows XP box with it using the ksetup.exe utility. I'm now able to log into the Kerberos realm on these PCs.
However, when I connect to our web app, IE doesn't offer to send a Kerberos ticket to the server…only NTLM.
I've configured the site to be in the Intranet zone and performed the other steps outlined here: http://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/sso.html#1101398
I've also set the 'delegate' flag on the realm using ksetup /SetRealmFlags <realm> delegate
…I'm not sure if this is relevant, but have seen some indication that it might be.
Is it possible to make IE send Kerberos tickets if it's not part of a Windows domain, but merely part of a Kerberos realm?
Best Answer
Does the name that you are connecting to have an A record in DNS? Using a CNAME will not work unless you implement a registry setting on the client, which would not be a viable solution for most.
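A diagnostic for the A record versus CNAME point in the answer above, added here as an example and not part of the original question or answer. It assumes the client builds the service principal name from the canonical (A record) name when the URL host is a CNAME; the host names, realm, keytab entries and the `sample_resolver` helper are constructed for illustration.

```python
import socket

# Constructed sample data in the shape socket.gethostbyname_ex returns:
# (canonical name, alias list, address list). "sso" is a CNAME for "app01".
SAMPLE_DNS = {
    "sso.example.test": ("app01.example.test", ["sso.example.test"], ["192.0.2.10"]),
    "app01.example.test": ("app01.example.test", [], ["192.0.2.10"]),
}

def sample_resolver(host):
    """Offline stand-in for socket.gethostbyname_ex (hypothetical helper)."""
    return SAMPLE_DNS[host.lower()]

def _norm(principal):
    """Lower-case only the host part; service name and realm are case-sensitive."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return f"{service}/{host.rstrip('.').lower()}@{realm}"

def check_spn(url_host, realm, keytab_principals, resolver=socket.gethostbyname_ex):
    """Compare the SPN a canonicalizing client would request with the keytab."""
    canonical, _aliases, _addrs = resolver(url_host)
    canonical = canonical.rstrip(".").lower()
    requested = f"HTTP/{canonical}@{realm}"
    return {
        "url_host": url_host,
        "canonical": canonical,
        # True when the typed name is not the canonical one (CNAME, or a
        # short name that was expanded to its FQDN).
        "is_alias": canonical != url_host.rstrip(".").lower(),
        "requested_spn": requested,
        "in_keytab": requested in {_norm(p) for p in keytab_principals},
    }

if __name__ == "__main__":
    # Constructed keytab listing, e.g. as copied from `klist -k` on the server.
    keytab = ["HTTP/sso.example.test@EXAMPLE.TEST"]
    for host in ("sso.example.test", "app01.example.test"):
        r = check_spn(host, "EXAMPLE.TEST", keytab, resolver=sample_resolver)
        state = "ok" if r["in_keytab"] else "no matching key, expect NTLM fallback"
        print(f"{host}: alias={r['is_alias']} spn={r['requested_spn']} -> {state}")
```

Leave out the `resolver` argument to query live DNS from the client machine and pass the principals actually present in the server's keytab.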