Tuesday, February 28, 2012

Windows 7 Negotiate/Kerberos

The company I work for had been having trouble getting NTLM authentication to work between a Windows 7 client PC, the domain servers, and our CXF web services. In the end I got it working with HTTP Negotiate authentication plus one registry setting. Below is the paragraph I sent as the explanation:


With Windows 7 and the client's LmCompatibilityLevel changed to 4 (clients use NTLMv2 for authentication and NTLMv2 session security if the server accepts it; domain controllers refuse LM authentication responses but accept NTLM and NTLMv2 -- http://technet.microsoft.com/en-us/library/cc960646.aspx), neither the client nor the server accepted LM authentication any longer. Kerberos is preferred to NTLM, and once LM was disabled the servers answered with HTTP 401 responses indicating that the only acceptable mechanisms were NTLM and Negotiate (NTLM or Kerberos -- http://docs.oracle.com/javase/6/docs/technotes/guides/net/http-auth.html), so it was decided to use Negotiate with Kerberos, which is what the Linux code below was already doing. On Windows this required an extra registry setting, "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\AllowTgtSessionKey", a REG_DWORD set to 1 -- http://support.microsoft.com/kb/837361, in addition to the usual Kerberos configuration files (krb5.conf and login.conf).
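As an added example (not part of the original post), here is a PowerShell check that reads the two registry values the paragraph above relies on and reports whether the client matches the described configuration: LmCompatibilityLevel of 4 under the Lsa key, and AllowTgtSessionKey of 1 under Kerberos\Parameters. The value names are the documented ones; the script assumes it runs in an elevated session on the Windows 7 client and only reads, with the write shown as a commented line.

```powershell
# Added example, not code from the original post.
# Reads the two registry values discussed above and reports whether they
# match the Negotiate/Kerberos setup. Assumes an elevated PowerShell session.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$krbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is absent; Windows then applies its default
    # (for LmCompatibilityLevel on Windows 7 that default is 3, not 4).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-NegotiateKerberosConfig {
    $lm  = Get-RegDword -Path $lsaKey -Name 'LmCompatibilityLevel'
    $tgt = Get-RegDword -Path $krbKey -Name 'AllowTgtSessionKey'

    # Level 4 or higher: client sends NTLMv2 only, LM responses are refused.
    # AllowTgtSessionKey = 1: the TGT session key is released to user-mode
    # callers, which Java's Krb5LoginModule needs to reuse the Windows TGT.
    [pscustomobject]@{
        LmCompatibilityLevel = $lm
        LmLevelOk            = ($null -ne $lm -and $lm -ge 4)
        AllowTgtSessionKey   = $tgt
        TgtSessionKeyOk      = ($tgt -eq 1)
    }
}

$result = Test-NegotiateKerberosConfig
$result | Format-List

if (-not $result.LmLevelOk) {
    Write-Warning "LmCompatibilityLevel is '$($result.LmCompatibilityLevel)'; the post sets it to 4."
}
if (-not $result.TgtSessionKeyOk) {
    Write-Warning "AllowTgtSessionKey is not 1; the Windows TGT cannot be used from Java without it."
    # To apply the setting described in the post (run elevated, then log off and on):
    # New-ItemProperty -Path $krbKey -Name 'AllowTgtSessionKey' -PropertyType DWord -Value 1 -Force
}
```

Run the script before and after the change to confirm both values rather than trusting the registry edit took. The caveat worth knowing: AllowTgtSessionKey=1 hands the TGT session key to any process running in the user's logon session, not just the Java client, so it widens what user-mode code can do with the user's Kerberos credentials; a separate keytab or a dedicated service account is the alternative when that exposure is not acceptable on a given machine.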