I understand that MS later came out with a clarification of their recommendation of “restrictAnonymous” to mitigate against 039 vuln. I think it is proper that I point this out. In the clarification, they pointed out that doing “restrictAnonymous” may break “something”.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-----Original Message-----

Do you perhaps have restrictAnonymous enabled? I have first-hand knowledge of someone flipping this switch because they couldn't install 039 yet and they read the tech doc that came with 039 where it says restrictanonymous could be used to remediate the vuln IF 039 can not be installed immediately.

On a side note, I think 039 is responsible for my "exceeded 32-bits" issue. Need to find out.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Thu 8/18/2005 8:03 PM
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain.

We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing. The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)". All w2k DCs are on line and functional. The trusts to the MIT side are still there.

I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.

Any ideas?

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
