Guy,
If you're using MIT Kerberos on the other end of that trust you probably need to call PSS and ask them for the following hotfix...
http://support.microsoft.com/default.aspx?scid=kb;en-us;825081 WindowsXP-KB825081-x86-ENU.exe
While you have them on the phone, you may as well ask them for the patch that will correct an RDP issue too!
couldn't find the article...but here's the filename... WindowsXP-KB842308-x86-ENU.exe <-XP version, there's also a 2003 version...
respond to let us know if it works....
hth!
-Mark
Guy Teverovsky wrote:
I was too lazy to tell the long story that made me speculate about TGTs, so I'll try to explain the reason for asking:
We have 2 W2K3 forests with Kerberos transitive trust.
Forest corp.com has 3 child domains respectively: emea.company.com, amer.company.com, ap.company.com
Second forest (ad.division.company.com) has no children. We have users migrating from NT domains to one of the corp AD child domains (emea\amer\ap).
After the migration, when users log on to XP computers in the ad.division.company.com domain with EMEA\username cached credentials and then reconnect to the network, sometimes (after they work for a while) they get a popup in the system tray saying something like "XP needs your credentials".
Usually this would be caused by changing the user password from another machine or an account lockout replicated from another DC, but in our case this is the only machine the user logs on to and there are no account lockouts. When the same user logs on with a UPN ([EMAIL PROTECTED]), we have not yet seen this repeat itself. So I was wondering whether UPN logons enable caching of TGTs and whether sAMAccountName logons are different in some way from UPN logons.
Hope I managed to be clear enough ;)
Cheers, Guy
I don't know if the Kerberos ticket is cached or not. (I suspect not.) When a machine reconnects to the network and you attempt to access a network resource, the resource will ask for your ticket. If you don't have one, or if it is out of date, the client will request a new Kerberos ticket and then be authenticated to the resource.
Denny
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
Sent: Friday, August 20, 2004 8:48 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] By design or configurable ?
In my environment, when a W2K3 DC boots with the security log full, replication from that DC stops till the security log is cleared and the box is rebooted. The interesting thing is that after the security log becomes full (while the box is online) replication continues to work till the box is rebooted with a full log.
So the question is whether this can be prevented (we do have a routine which takes care of security log archiving, but it failed on one of the DCs and I would like to prevent replication from breaking again).
And another OT question: When logging on to XP with cached credentials, is the Kerberos ticket cached too? And if yes, what happens when the ticket expires and the box is reconnected to the network: will it seamlessly try to renew the ticket?
Thanks, Guy
-- Smith & Wesson - the original point and click interface
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
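The archiving routine Guy refers to is not shown anywhere in the thread. As an added example (written for this page, not by any of the posters), the PowerShell script below does the job it describes: it reports how full the Security log is on every domain controller, warns when the retention mode is "Retain" (do not overwrite events, the mode in which a full log stops logging), and backs up and clears the log before it reaches capacity. It assumes PowerShell 3 or later with the ActiveDirectory module on the admin workstation, admin rights on the DCs, and that the folder C:\SecLogArchive exists on each DC; the 80% threshold and the path are arbitrary choices, not anything from the thread.

```powershell
# Added example: report Security log fill level on every DC and archive + clear
# before it fills. Assumptions (adjust for your environment):
#   - PowerShell 3+ with the ActiveDirectory module on the admin box
#   - admin rights on the DCs; wevtutil remote access allowed (RPC)
#   - $ArchiveRoot exists on EACH DC (the path is interpreted on the remote machine)
param(
    [int]$ThresholdPercent = 80,                  # archive when at least this full (assumed)
    [string]$ArchiveRoot   = 'C:\SecLogArchive'   # local folder on each DC (assumed)
)

Import-Module ActiveDirectory

function Get-SecurityLogState {
    param([string]$Computer)
    # -ListLog returns size, maximum size and retention mode without reading any events
    $log = Get-WinEvent -ListLog Security -ComputerName $Computer -ErrorAction Stop
    [pscustomobject]@{
        Computer    = $Computer
        LogMode     = $log.LogMode              # Circular / AutoBackup / Retain
        IsLogFull   = $log.IsLogFull
        SizeMB      = [math]::Round($log.FileSize / 1MB, 1)
        MaxMB       = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        PercentFull = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
        Archived    = $null
    }
}

function Backup-SecurityLog {
    param([string]$Computer)
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $ArchiveRoot "$Computer-Security-$stamp.evtx"
    # wevtutil clear-log with /bu writes the backup first and clears only if that succeeds;
    # /r runs the operation against the remote machine.
    & wevtutil.exe cl Security "/bu:$backup" "/r:$Computer"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed on ${Computer} (exit $LASTEXITCODE)" }
    $backup
}

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $state = Get-SecurityLogState -Computer $dc
        if ($state.LogMode -eq 'Retain') {
            # "Retain" = do not overwrite events: once full, no further audits are written
            Write-Warning "${dc}: Security log retention is 'Retain'; consider AutoBackup or Circular"
        }
        if ($state.IsLogFull -or $state.PercentFull -ge $ThresholdPercent) {
            $state.Archived = Backup-SecurityLog -Computer $dc
        }
        $state
    } catch {
        Write-Warning "${dc}: $_"
    }
}

$results | Format-Table Computer, LogMode, PercentFull, SizeMB, MaxMB, Archived -AutoSize
```

Run it from a scheduled task under an account with admin rights on the DCs, and watch the warnings: a DC whose archive step throws is exactly the case Guy describes (the routine failed on one DC), so the failure should page someone rather than be silently swallowed.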
