Do you perhaps have restrictAnonymous enabled? I have first-hand knowledge of someone flipping this switch because they couldn't install 039 yet and they read the tech doc that came with 039 where it says restrictanonymous could be used to remediate the vuln IF 039 can not be installed immediately. On a side note, I think 039 is responsible for my "exceeded 32-bits" issue. Need to find out. Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I Microsoft MVP - Directory Services www.readymaids.com - we know IT www.akomolafe.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon ________________________________ From: [EMAIL PROTECTED] on behalf of Al Lilianstrom Sent: Thu 8/18/2005 8:03 PM To: [email protected] Subject: [ActiveDir] w2k sp4 Kerberos changes? Hi, We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing. The error isn't very helpful either - "Miscellaneous failure (Cannot re solve KDC for requested realm)". All w2k DCs are on line and functional. The trusts to the MIT side are still there. I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change. Any ideas? al -- Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED] List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
