This documentation supports the 9.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Browser sending NTLM instead of Kerberos


The following entry in the debug log files indicates that the token received from the client is a Microsoft Windows NT LAN Manager (NTLM) token, not a Kerberos token as required. Verify that the BMC Atrium Single Sign-On server has been set up correctly as a service principal and that the client can successfully request a ticket for the service.

amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main]
Retrieved config params from cache.
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main]
WARNING: Authentication token is NTLM.
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main]
SPNEGO token:
4e 54 4c 4d 53 53 50 00 01 00 00 00 07 82 08 a2
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
05 02 ce 0e 00 00 00 0f


When a browser sends an NTLM token instead of a Kerberos token, the cause could be a problem obtaining a service ticket for the BMC Atrium Single Sign-On server. For example, if the case-sensitive lookup of the principal name fails, the browser sends an NTLM token.

When debugging a client failure, enable Kerberos event logging to identify failures. Be sure to disable Kerberos event logging after you diagnose the failure. For more information about how to enable Kerberos event logging, see http://support.microsoft.com/kb/262177.

The following trace from an exchange between an Internet Explorer browser and the BMC Atrium Single Sign-On server shows a successful negotiation.

GET /atriumsso/UI/Login?gx_charset=UTF-8&realm=BmcRealm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Cookie: s_pers=%20s_lv%3D1270043963949%7C1364651963949%3B%20s_lv_s%3DFirst%2520Visit%7C1270045763949%3B%20s_nr%3D1270043963965%7C1272635963965%3B%20gpv_p8%3Dwebapps.bmc.com%253Aepd%253Afaces%253AproductDownloads.jsp%7C1270045763981%3B; s_vi=[CS]v1|25D9AA60851D2F18-60000104E00EF3FE[CE]; __utma=246752535.599385143.1270043842.1270043842.1270043842.1

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: 0
Cache-Control: private
X-DSAMEVersion: Atrium SSO 7.6.04(2011-June-28 13:47)
AM_CLIENT_TYPE: genericHTML
Set-Cookie: AMAuthCookie=AQIC5wM2LY4SfcwV3%2FNDDybcVGsdeW%2B%2BRnGC93rfcaw%2FEf8%3D%40AAJTSQACMDIAAlNLAAkxOTE4MzI0NTIAAlMxAAIwMQ%3D%3D%23; Domain=.bmc.com; Path=/
Set-Cookie: amlbcookie=01; Domain=.bmc.com; Path=/
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Wed, 29 Jun 2011 00:09:46 GMT

GET /atriumsso/UI/Login?gx_charset=UTF-8&realm=BmcRealm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Authorization: Negotiate YIIE7gYGKwYBBQUCoIIE4jCCBN6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKw
YBBAGCNwICCqKCBLQEggSwYIIErAYJKoZIhvcSAQICAQBuggSbMIIEl6ADAgEFoQMCAQ6iBwMFACAAAACjggO/
YYIDuzCCA7egAwIBBaEQGw5CU01EU0wuQk1DLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG2libWMtamJoYmJrMS5h
ZHByb2QuYm1jLmNvbaOCA2wwggNooAMCARehAwIBA6KCA1oEggNWF2cjeeJwxrbN85nRgZ6kQQ49s7I54ndjXLJD
jdc62pRQqDDYaMn6KUBR5zPfwuvNRlL4e3n0MXtNLbUMgMGWiDBZlLVLRJg6p3tydxJC9eEiWYFu ...
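The difference between the rejected token in the debug log and the accepted token in the trace can be checked on the captured bytes. The following is an added example, not BMC code: it classifies the hex dump from the log above and the first 80 base64 characters of the Authorization header from the trace above. The function names are hypothetical, and a truncated capture must still contain the whole SPNEGO mechTypes list.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
MECHS = {                                              # DER OID contents -> label
    bytes.fromhex("2a864886f712010202"): "KRB5",       # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS-KRB5",    # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",  # 1.3.6.1.4.1.311.2.2.10
}
# Start of the hex dump in the debug log on this page (the rejected token).
LOG_HEX = "4e 54 4c 4d 53 53 50 00 01 00 00 00 07 82 08 a2"
# First 80 base64 characters of the Authorization header in the trace on this page.
TRACE_HEADER = ("Negotiate YIIE7gYGKwYBBQUCoIIE4jCCBN6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKw"
                "YBBAGCNwICCqKC")

def decode_negotiate(header_value):
    """Base64-decode the value of an 'Authorization: Negotiate ...' header."""
    b64 = "".join(header_value.split()[1:])
    return base64.b64decode(b64[: len(b64) - len(b64) % 4])  # tolerate truncation

def _tlv(buf, pos):
    """Return (value_start, value_end) of the DER element at pos, clipped to buf."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, min(pos + length, len(buf))

def classify(token):
    """Return (kind, offered_mechs) for a raw NTLM or SPNEGO NegTokenInit token."""
    if token.startswith(NTLM_SIG):                     # message type: LE uint32 at offset 8
        return f"raw NTLM type {struct.unpack_from('<I', token, 8)[0]}", []
    if token[:1] != b"\x60":                           # not a GSS-API initial token
        return "unknown", []
    start, end = _tlv(token, _tlv(token, 0)[0])        # thisMech OID in [APPLICATION 0]
    if token[start:end] != OID_SPNEGO:
        return "GSS token, not SPNEGO", []
    pos = end
    for _ in range(4):                                 # [0], SEQUENCE, [0], SEQUENCE OF
        pos, end = _tlv(token, pos)
    mechs = []
    while pos < end:                                   # mechTypes, in preference order
        start, pos = _tlv(token, pos)
        mechs.append(MECHS.get(token[start:pos], token[start:pos].hex()))
    return f"SPNEGO, preferred mech {mechs[0] if mechs else 'none'}", mechs

if __name__ == "__main__":
    print(classify(bytes.fromhex(LOG_HEX)), classify(decode_negotiate(TRACE_HEADER)))
```

In base64 form, a raw NTLM token begins with TlRMTVNT, while a SPNEGO token such as the one in the trace begins with YII.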

 
