Pam, thanks for your reply.
There is nowhere in the Kerberos configuration that I see that indicates SAM-Account-Name. Is there?
2 of 2 people found this helpful
This is your browser trying to do NetBIOS (e.g. NTLM1 or 2) rather than Kerberos.
NetBIOS will use sAMAccountName, which has a 20 char limit; Kerberos, which has a 255 limit, will use a user principal name (UPN), which is a variation of a user account name that looks like an e-mail name, made up of two AD attributes. Look at the flow here:
1. take local timestamp and digest/generate hash
2. salt resulting hash with UPN
* if NetBIOS account name was supplied --> UPN = sAMAccountName + FQDN
* if UPN was supplied --> use it
3. add the UPN (i.e. salt it) to the hash from step #1
4. digest again
5. add to ticket cache and construct AS request
So if you do a Fiddler trace, you *should* see either an NTLM: hash or a SPNEGO hash followed by an NTLM token wrapped in a 401 HTTP status somewhere.
We've found it very difficult to force all browsers to do kerberos all the time. With Firefox being a pain in the ...
So I don't have an answer for you other than speak with your domain admin to try and get NTLM disabled on the network, which will help force the desktop to log in using Kerberos, and therefore the browsers will pick that up.
You can do some experiments on a desktop that doesn't work by opening a command prompt, getting a Kerberos ticket, then starting IE/Chrome from that command line, e.g.
Not the answer you want but at least it may help to understand why
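As an added example, not part of the reply above, here is a small Python script that does two things the reply describes by hand: it classifies the `WWW-Authenticate` / `Authorization` headers you would see in a proxy trace (plain `NTLM`, `Negotiate` carrying a raw NTLMSSP token, or `Negotiate` carrying a SPNEGO token whose preferred mechanism is Kerberos), and it checks whether a UPN's user part could ever match a sAMAccountName given the 20-character limit. The sample headers and tokens are constructed inline (they are not from any real capture), the SPNEGO builder is deliberately abbreviated, and the mechanism check is a byte search for the well-known OIDs rather than a full DER parse.

```python
import base64

# --- constructed sample tokens (not from a real capture) ---------------------
NTLMSSP_MAGIC = b"NTLMSSP\x00"
# Minimal NTLM Type 1 (negotiate) message: magic, message type 1, flags, empty fields.
NTLM_TYPE1 = NTLMSSP_MAGIC + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16

# DER-encoded OIDs as they appear inside a SPNEGO mechTypes list.
OID_SPNEGO = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                       # 1.3.6.1.5.5.2
OID_KRB5 = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"             # 1.2.840.113554.1.2.2
OID_MS_KRB5 = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"          # 1.2.840.48018.1.2.2
OID_NTLMSSP = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"      # 1.3.6.1.4.1.311.2.2.10


def gss_token(mech_oids):
    """Build an abbreviated SPNEGO InitialContextToken whose NegTokenInit lists the given
    mechanisms in preference order (constructed for this example; no mechToken included)."""
    mech_list = b"".join(mech_oids)
    mech_types = b"\x30" + bytes([len(mech_list)]) + mech_list   # SEQUENCE OF OID
    tagged = b"\xa0" + bytes([len(mech_types)]) + mech_types     # [0] mechTypes
    neg_init = b"\x30" + bytes([len(tagged)]) + tagged           # NegTokenInit SEQUENCE
    inner = b"\xa0" + bytes([len(neg_init)]) + neg_init          # [0] negTokenInit CHOICE
    body = OID_SPNEGO + inner
    return b"\x60" + bytes([len(body)]) + body                   # [APPLICATION 0] wrapper


SAMPLE_HEADERS = {
    "server_offers_ntlm": "WWW-Authenticate: NTLM",
    "server_offers_negotiate": "WWW-Authenticate: Negotiate",
    "client_ntlm_in_negotiate": "Authorization: Negotiate "
        + base64.b64encode(NTLM_TYPE1).decode(),
    "client_kerberos": "Authorization: Negotiate "
        + base64.b64encode(gss_token([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP])).decode(),
    "client_spnego_ntlm_only": "Authorization: Negotiate "
        + base64.b64encode(gss_token([OID_NTLMSSP])).decode(),
}


def classify_auth_header(header):
    """Return 'ntlm', 'kerberos', 'negotiate-challenge' or 'other' for one HTTP auth header.

    'ntlm' covers both the bare NTLM scheme and NTLM smuggled inside Negotiate, which is
    the fallback the reply says you will spot in a Fiddler trace."""
    _name, _, value = header.partition(":")
    parts = value.split()
    if not parts:
        return "other"
    scheme = parts[0].lower()
    token = parts[1] if len(parts) > 1 else ""
    if scheme == "ntlm":
        return "ntlm"
    if scheme != "negotiate":
        return "other"
    if not token:
        return "negotiate-challenge"          # server offering Negotiate, no token yet
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return "other"
    if raw.startswith(NTLMSSP_MAGIC):
        return "ntlm"                         # raw NTLMSSP wrapped in Negotiate
    if raw[:1] != b"\x60":
        return "other"                        # not a GSS-API InitialContextToken
    # SPNEGO lists mechanisms in preference order; the earliest OID wins.
    found = {
        "kerberos": min(p for p in (raw.find(OID_KRB5), raw.find(OID_MS_KRB5)) if p >= 0)
        if OID_KRB5 in raw or OID_MS_KRB5 in raw else -1,
        "ntlm": raw.find(OID_NTLMSSP),
    }
    present = {mech: pos for mech, pos in found.items() if pos >= 0}
    if not present:
        return "other"
    return min(present, key=present.get)


def summarize_trace(headers):
    """Count classifications over a list of headers, e.g. every 401/Authorization line in a trace."""
    counts = {}
    for h in headers:
        kind = classify_auth_header(h)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# --- sAMAccountName vs UPN -----------------------------------------------------
SAM_MAX_LEN = 20  # the 20-character sAMAccountName limit the reply mentions


def upn_from_sam(sam, fqdn):
    """UPN built the way the reply describes: sAMAccountName + FQDN."""
    return f"{sam}@{fqdn.lower()}"


def sam_limit_conflict(upn):
    """True when the UPN's user part is longer than a sAMAccountName can be, so the two
    attributes necessarily differ and NTLM and Kerberos identify the account differently."""
    user, _, _ = upn.partition("@")
    return len(user) > SAM_MAX_LEN


if __name__ == "__main__":
    for label, hdr in SAMPLE_HEADERS.items():
        print(f"{label:28s} -> {classify_auth_header(hdr)}")
    print(summarize_trace(SAMPLE_HEADERS.values()))
    print(sam_limit_conflict(upn_from_sam("averyveryverylongusername", "corp.example.com")))
```

Running it over the constructed samples flags the two NTLM shapes as `ntlm`, the SPNEGO token that prefers Kerberos as `kerberos`, and reports whether a long user name can only exist as a UPN, which is the mismatch the question is chasing.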