Thank you for your reply and information.
In my test machines, Windows XP did not use Kerberos when using IP address
to visit websites. The Vista has the same behave with your client, it
didn¡¯t use Kerberos when using IP address.
I have found a similar case about Kerberos not working with IP Address.
Below is summary of their conclusion:
"Indeed, in Win2003/XP/Vista, all systems use KerbIsIpAddress to check if
the target server name is one IP address. If it is, the function will
return true and System will deny to Kerberos in this situation with
The reason that IP address worked in Windows 2003/XP is that the old system
logic doesn¡¯t check this pattern ¡°http/ipaddress¡±. Because the SPN is
like ¡°http/ipaddress¡± in your situation, this implicitly workarounds the
However, in Vista, the KerbIsIpAddress function has been improved and all
ip address used in SPN will be filtered out and denied before Kerberos
Negotiation. As key code logic, KerbIsIpAddress is not avoidable and it is
In fact, for previous system, the description of Kerberos behavior when
Address has been provided as below (although it doesn't mention
322979 Kerberos is not used when you connect to SMB shares by using IP
From the article "Improving Web Proxy Client Authentication Performance on
ISA Server 2006" http://technet.microsoft.com/en-us/l.../bb984870.aspx
We can find:
"Although in the first scenario (see figure 1) we have a Windows Server
2003 Domain and the native support to use Kerberos, NTLM will still be
preferred authentication method for Internet Explorer 6 while browsing the
Internet through a Proxy."
Many application will control also control the authentication method.
There is also Group Policy for Kerberos.
Configure Kerberos policy http://technet.microsoft.com/en-us/l.../cc776647.aspx
Microsoft Online Community Support
This posting is provided "AS IS" with no warranties, and confers no rights.