Do you have a disjoint name space or have you really tightened down your
security on those OUs?


   joe
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Sunday, January 11, 2004 9:29 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] computer accounts created without serviceprincipalname

Hi,

We have a w2k sp3 based domain and while troubleshooting an IIS problem we
noticed that the machine that was causing problems was only doing NTLM
authentication while the other servers the IIS server was serving were using
Kerberos authentication. We checked that our policies were being applied
properly - all ok. I talked with our local windows security expert and he
suggested checking for the existence of the serviceprincipalname as if it
wasn't there then the server would have no way of doing Kerberos as it could
not accept tickets. Checked the server's entry in AD and SPN was missing.
After it was put in manually everything started working properly.

I checked one OU and came up with a significant number of machines without the
SPN. Some were upgrades from NT, some were new installs. I've been looking
on Microsoft for an article on what might be wrong and have come up empty.

Any ideas?

        al
-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
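
An added example, not part of the original thread: one way to audit an OU for the condition described above, by parsing an LDIF export of its computer objects (for instance one produced with ldifde) and listing accounts that lack a HOST SPN. The sample data, the function names, and the baseline of HOST/<short name> plus HOST/<dNSHostName> are assumptions made for the illustration.

```python
import base64

# Constructed sample (made-up names): WEB01 has a folded SPN, WEB02 has none.
SAMPLE_LDIF = """\
dn: CN=WEB01,OU=Servers,DC=example,DC=com
sAMAccountName: WEB01$
dNSHostName: web01.example.com
servicePrincipalName: HOST/WEB01
servicePrincipalName: HOST/web01.exam
 ple.com

dn: CN=WEB02,OU=Servers,DC=example,DC=com
sAMAccountName: WEB02$
dNSHostName: web02.example.com

dn: CN=APP03,OU=Servers,DC=example,DC=com
sAMAccountName: APP03$
dNSHostName:: YXBwMDMuZXhhbXBsZS5jb20=
servicePrincipalName: MSSQLSvc/app03.example.com:1433
"""

def parse_ldif(text):
    """Return one {attribute_lowercased: [values]} dict per LDIF record."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    records = []
    for block in unfolded.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, val = line.partition(":")
                if val.startswith(":"):  # "attr:: <base64>" form
                    val = base64.b64decode(val[1:].strip()).decode("utf-8")
                rec.setdefault(attr.lower(), []).append(val.strip())
        if rec:
            records.append(rec)
    return records

def spn_gaps(text):
    """Map each computer account to the baseline HOST SPNs it lacks."""
    gaps = {}
    for rec in parse_ldif(text):
        sam = rec.get("samaccountname", [""])[0]
        if sam.endswith("$"):  # computer account names end in "$"
            have = {s.lower() for s in rec.get("serviceprincipalname", [])}
            want = ["HOST/" + sam[:-1]] + ["HOST/" + h for h in rec.get("dnshostname", [])]
            missing = [s for s in want if s.lower() not in have]
            if missing:
                gaps[sam] = missing
    return gaps

print(spn_gaps(SAMPLE_LDIF))
```

APP03 is reported even though it has an SPN, because a service SPN alone does not give the machine the HOST entries that Kerberos clients request for it.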
