A network trace from the server getting the error would be helpful. I imagine you are not getting past the MIT KDC who should be passing back a referral to the Windows KDC. With a trace from the client we can see what is being requested and what errors are returned.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, August 19, 2005 10:28 AM
To: [email protected]
Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?

Al Lilianstrom wrote:
> Thanks for all the advice.
>
> Checked our srv records and they returned all the DCs. It was
> resolvable from our MIT/Unix systems.
>
> The strange part is that between 5:30 and 7:15 this morning access
> using MIT credentials started working. I'm searching for a reason as
> to why it happened but no one admits to changing anything.

And strangely enough - 2 hours later they started failing again. This is very weird. The Windows event logs are of no help.

Any other ideas?

al

> Steve Linehan wrote:
>
>> I should clarify that I would not expect the MIT KDCs to be using the
>> SRV records however we have seen problems where load from Windows
>> clients, because we had limited servers actually registering SRV
>> records, could cause anomalies.
>> Thanks,
>>
>> -Steve
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>> Sent: Thursday, August 18, 2005 10:48 PM
>> To: [email protected]
>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>
>> Actually it is possible that you are running into this issue:
>> http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check
>> to make sure that your SRV records are being registered in DNS.
>>
>> Thanks,
>>
>> -Steve
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>> Sent: Thursday, August 18, 2005 10:37 PM
>> To: [email protected]
>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>
>> I am not aware of any changes in SP4 or the security patch that would
>> cause the failure you mention below. It is normally a DNS name
>> resolution issue that causes that error. Can you verify that the
>> Windows KDCs can be resolved from the UNIX boxes? Would it be
>> possible to get a network trace of the failure?
>>
>> Thanks,
>>
>> -Steve
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>> Sent: Thursday, August 18, 2005 10:04 PM
>> To: [email protected]
>> Subject: [ActiveDir] w2k sp4 Kerberos changes?
>>
>> Hi,
>>
>> We applied sp4 to our w2k based AD this morning. It was a tad hurried
>> as one of the ms05-039 based worms showed up inside our border router
>> (laptop from home) so not everything got tested in our test domain.
>> We noticed that Unix based applications that used Kerberos
>> authentication (we have a MIT Kerberos infrastructure for the Unix
>> systems) to read and write to AD started failing.
>>
>> The error isn't very helpful either - "Miscellaneous failure (Cannot
>> resolve KDC for requested realm)". All w2k DCs are on line and functional.
>>
>> The trusts to the MIT side are still there.
>>
>> I've been looking through the sp4 docs and I don't see anything
>> obvious but I may have missed something. We also applied the ms05-042
>> Kerberos spoofing patch but according to the docs it doesn't change
>> functionality without a registry change.
>>
>> Any ideas?
>>
>> al
>

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
