This is referring to restricting session keys to Kerberos only, correct?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, May 29, 2003 7:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] w2k / nt4 trust -possible fix

Good catch, Stephen.

-rtk

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wilkinson, Stephen (DrKW)
Sent: Thursday, May 29, 2003 11:28 AM
To: '[EMAIL PROTECTED]'

We have fixed this now. We had the policy "Require strong (Windows 2000 or later) session key" set to "enable", which results in the failure to establish a secure channel with NT4 DCs in the trusted\trusting domain.

MSDN explanation of policy is below

************************
Require strong (Windows 2000 or later) session key

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Description

If this policy is enabled, all outgoing secure channel traffic will require a strong (Windows 2000 or later) encryption key. If this policy is disabled, the key strength is negotiated with the DC. This option should only be enabled if all of the DCs in all trusted domains support strong keys. By default, this value is disabled.
****************************

-----Original Message-----
From: Wilkinson, Stephen (DrKW) [mailto:[EMAIL PROTECTED]
Sent: 29 May 2003 14:37
To: '[EMAIL PROTECTED]'

Graham,

You will be pleased to know that we are currently experiencing exactly the same issues and are now stepping through resetting the policies we had applied on the AD DCs to the reverse and stepping through the w2k3 version of the doc you referenced (PSS 325874).

There is a PSS article (295335) referencing this issue and it supposedly is caused by name resolution errors, although our name resolution, both DNS and WINS, seems ok.

Will keep you posted

Stephen Wilkinson
E-Mail: [EMAIL PROTECTED]

-----Original Message-----
From: Graham Turner [mailto:[EMAIL PROTECTED]
Sent: 28 May 2003 18:40
To: [EMAIL PROTECTED]

forgive me for a second post on the same topic but have just gone through a whole load of docs on issues of w2k / nt4 trusts

have referenced Q308195

it would seem that this documents a process that is the reverse of the process by which one would establish trust between two NT4 domains

is this by design or do i read it wrong ??? - why different as surely for a downlevel trust the process should be the same ??

ie on NT4 domains we would add the trusting domain on the trusted domain (permit it to trust the trusting domain) first and then add the trusted domain on the trusting domain

GT

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

----------------------------------------------------------------------
If you have received this e-mail in error or wish to read our e-mail disclaimer statement and monitoring policy, please refer to http://www.drkw.com/disc/email/ or contact the sender.
----------------------------------------------------------------------
