Steve Linehan wrote:
A network trace from the server getting the error would be helpful.  I
imagine you are not getting past the MIT KDC who should be passing back
a referral to the Windows KDC.  With a trace from the client we can see
what is being requested and what errors are returned.

I'm trying to arrange that but the system initiating the query to AD is in a different division and is not always easy to work with. A check of our MIT KDC logs looked ok. We see the initial request to the MIT KDC, another for pre-auth, and then the forwarding to AD.

Is there a way to see something similar to a MIT KDC log in AD? I've looked for a way to see who is getting tickets and when but have never found it.

        al
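
As an added example, not from the thread: a small Python script that parses constructed krb5kdc.log lines (assuming MIT's later log format; realms, principals and addresses are made up) and reports, per client, whether the MIT KDC issued the cross-realm TGT for the Windows realm. If it did, a "Cannot resolve KDC for requested realm" error is raised on the client while locating a KDC for the AD realm (krb5.conf or DNS SRV records), not by the MIT KDC.

```python
import re

# Constructed sample krb5kdc.log lines (assumption: MIT's later log format;
# realms, names and addresses are made up). alice gets an MIT TGT after
# pre-auth and then the cross-realm TGT for the Windows realm; bob's
# cross-realm request fails on the MIT side.
SAMPLE_LOG = """\
Aug 18 21:58:03 kdc1 krb5kdc[2211](info): AS_REQ (3 etypes {16 1 3}) 131.225.1.10: NEEDED_PREAUTH: alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Aug 18 21:58:03 kdc1 krb5kdc[2211](info): AS_REQ (3 etypes {16 1 3}) 131.225.1.10: ISSUE: authtime 1124420283, etypes {rep=16 tkt=16 ses=16}, alice@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Aug 18 21:58:04 kdc1 krb5kdc[2211](info): TGS_REQ (3 etypes {16 1 3}) 131.225.1.10: ISSUE: authtime 1124420283, etypes {rep=16 tkt=23 ses=23}, alice@EXAMPLE.ORG for krbtgt/WIN.EXAMPLE.ORG@EXAMPLE.ORG
Aug 18 21:58:09 kdc1 krb5kdc[2211](info): TGS_REQ (3 etypes {16 1 3}) 131.225.1.11: UNKNOWN_SERVER: authtime 0,  bob@EXAMPLE.ORG for krbtgt/WIN.EXAMPLE.ORG@EXAMPLE.ORG, Server not found in Kerberos database
"""

# request kind, client address, KDC status, client principal, server principal
LINE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(.*?\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r".*?(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)"
)


def parse_kdc_log(text):
    """Return one dict per AS_REQ/TGS_REQ line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def cross_realm_status(events, local_realm, remote_realm):
    """Per client principal, the outcome of its request for the cross-realm
    TGT krbtgt/REMOTE@LOCAL: 'issued', or the KDC's error code.

    'issued' means the MIT KDC did its part; a later 'Cannot resolve KDC for
    requested realm' error is then raised on the client while it tries to
    locate a KDC for REMOTE (krb5.conf [realms] entries or DNS SRV records).
    """
    xrealm = f"krbtgt/{remote_realm}@{local_realm}"
    outcome = {}
    for ev in events:
        if ev["server"] == xrealm:
            outcome[ev["client"]] = "issued" if ev["status"] == "ISSUE" else ev["status"]
    return outcome


if __name__ == "__main__":
    events = parse_kdc_log(SAMPLE_LOG)
    for client, status in cross_realm_status(events, "EXAMPLE.ORG", "WIN.EXAMPLE.ORG").items():
        print(f"{client}: cross-realm TGT {status}")
```

Run it against the real krb5kdc.log with the client's principal to see whether the MIT side actually handed out the cross-realm ticket before the failing request to AD.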


Thanks,

-Steve
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, August 19, 2005 10:28 AM
To: [email protected]
Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?

Al Lilianstrom wrote:

Thanks for all the advice.

Checked our srv records and they returned all the DCs. It was resolvable from our MIT/Unix systems.

The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything.


And strangely enough - 2 hours later they started failing again. This is
very weird. The Windows event logs are of no help.

Any other ideas?

        al


Steve Linehan wrote:


I should clarify that I would not expect the MIT KDCs to be using the SRV records; however, we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.
Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:48 PM
To: [email protected]
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

Actually it is possible that you are running into this issue:
http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: [email protected]
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?

Thanks,

-Steve

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: [email protected]
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home), so not everything got tested in our test domain. We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing.

The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)". All w2k DCs are on line and functional.

The trusts to the MIT side are still there.

I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.

Any ideas?

   al
--

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/