Somewhere on this thread, you indicated that you were watching the packets as you attempted the "net use". If you were watching closely, you will also notice that the transaction does not just include your user credentials, it also includes your machine name. Because that machine name existed in the source, the source DC looks at the machine name and sees that it has an expired password. Expired password = no access. If the machine name does not exist in the source domain, then the source DC will look at this machine as coming from (belonging to) the target domain and will rely on the target DC to verify its legitimacy. You wouldn't have noticed any oddity if the machine account password had not expired on the source. It would have, shall we say, "passed through" unmolested. I have comments around this behavior, but I don't think this is the place for it. Gil has something along this line on his blog, but you will have to read between the lines to comprehend how this applies to machine accounts.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 2/22/2006 11:50 AM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue

BTW, what is actually going on "under the hood" for that machine to cause an issue? If I have 2 forests with a 2-way trust and a machine account exists in both forests in AD but only in the target DNS, when I try to map a drive to that machine using a source user account, why would it fail? Even if the machine's PW has expired in the source, why would a DC check the source machine account and not the target machine account? I know it's convoluted, but I just thought someone on this list would have an explanation.

Thanks again

On 2/22/06, Tom Kern <[EMAIL PROTECTED]> wrote:

I owe you 10 cents :) Thanks a lot!!

On 2/22/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

>>> What if I delete the computer account in the source Forest?

10 cents says there would be no errors then.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 2/22/2006 10:00 AM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue

That doesn't work. Still same error. What if I delete the computer account in the source Forest?

On 2/22/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Quick question: are the source and target accounts' passwords the same in all cases? If so, try setting different passwords and do your tests again.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 2/22/2006 8:49 AM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue

Ok, here's all the info:

If I'm on a target PC trying to access a target server with a target account, all is good.
If I'm on a target PC trying to access a target server with a source account, no go.
If I'm on a target DC trying to access a target server with a target account, all is good.
If I'm on a target DC trying to access a target server with a source account, all is good.
If I'm on a source DC trying to access a target server with a target account, all is good.
If I'm on a source DC trying to access a target server with a source account, no go.

Hope that helps a little.

Thanks

On 2/22/06, Tom Kern <[EMAIL PROTECTED]> wrote:

We migrated inter-forest. We are still coexisting with the source forest. This company still stages and deploys machines and users in the source and then migrates to target. I know this is a really bad practice but I can't talk management out of it. So, in summary, when I'm on a migrated box and I try to net use to a share with a target account, I'm fine. If I try to net use from a migrated box with an account still in the source, I get "Logon Failure: The target account name is incorrect". This always worked until yesterday. DNS is working and it resolves to the correct domain when querying a flat name. In a packet sniffer while net use'ing with a source account I get a bunch of Kerberos errors. If I net use with a target account, I get different Kerberos errors and the auth fails over to NTLM and I get in. The SPNs look fine to me.
If I'm on a migrated box in the target and the source "copy" of that box had its password expire in the source Forest, would that affect me? Then I wouldn't be able to log in at all. If Quest syncs password expiration of machines from source to target, no one would be able to log on to any domain. Are there any issues with leaving a copy of source objects and syncing changes from source to target?

Thanks

On 2/22/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Let me see if I understand this: you've migrated the users and computers from source to target. Now you are trying to log into source from an already migrated computer. Right? Could your problem be because the computer's password has expired on the source domain? I'm assuming that you did an inter-forest migration which left the computer account in the source after the migration. BTW, what are you still synching with the Quest tool if you've already migrated everyone?

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Wed 2/22/2006 6:23 AM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue

Nope. I checked DNS with a fine-tooth comb and I can't find any issues there.

On 2/22/06, Peter Johnson <[EMAIL PROTECTED]> wrote:

Check for duplicate FQDNs in DNS pointing to the same IP address. I've had this one bite me in the ass before.
________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: 22 February 2006 02:05
To: [email protected]
Subject: Re: [ActiveDir] SPN issue

Yeah, but what and why? That's the question. Here's more of the story as I'm learning: I only get these errors when auth'ing with an account in the source forest. Using an account in the target forest seems to work ok. Most of the servers are in the target forest now. The workstations are spread over both. I verified the trust and it's up and working. We have been in this state for 4 months with no issues until today and there have been no migrations in about a month of any sort. The only thing running is the Quest sync agent which syncs source to target (no deletions).

Thanks again

On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Something is dorked over there. I know you said nothing has changed. It appears to me that netdom is your next option. If "netdom reset" does not work (after a reboot) or "netdom verify" keels over, then I'm afraid you are looking at a painful "netdom join" exercise.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 2/21/2006 1:45 PM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue

Yeah, I'm an idiot. Sorry. That worked.
I still have the same issue though: Kerberos errors and the "Logon Failure: The target account name is incorrect."

Thanks

On 2/21/06, Free, Bob <[EMAIL PROTECTED]> wrote:

Your syntax looks backward... you have the hostname in front of the SPN.

-A = add arbitrary SPN
Usage: setspn -A SPN computername
setspn -A http/daserver daserver1
It will register SPN "http/daserver" for computer "daserver1"

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tom Kern
Sent: Tuesday, February 21, 2006 1:26 PM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue

Thank you for the advice. I will in the future. This is the output from setspn /A:

C:\Program Files\Resource Kit>setspn -A OP5080570765 host/OP5080570765
Unable to locate account host/OP5080570765

C:\Program Files\Resource Kit>setspn -A OP5080570765 host/OP5080570765.corp.oproot.opco.com
Unable to locate account host/OP5080570765.corp.oproot.opco.com

The weird thing is, these accounts were migrated months ago and had no issue till today. There was no change made to AD by hand or by app.

Thanks

On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Try the /A option. BTW, try munging your resource/domain names when you post to a forum such as this.
Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 2/21/2006 1:01 PM
To: [email protected]
Subject: Re: [ActiveDir] SPN issue

I get this when I use the NetBIOS name:

C:\Program Files\Resource Kit>setspn -R OP5080570765
Failed to crack name CORP\OP5080570765 into the FQDN, (0) 1 0x2

I get this when I use the FQDN:

C:\Program Files\Resource Kit>setspn -R OP5080570765.corp.oproot.opco.com
Could not find account OP5080570765.corp.oproot.opco.com

The name is in DNS and AD. As I said, DNS is functioning properly.

Thanks

On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Try manually resetting or adding the SPN for one of the computers and see if that takes care of your problem.
If it does, then I'd do the same for the rest or just disjoin and rejoin them to the domain if there are not too many of them. You can use setspn to do this. Like so:

setspn /R the_computer_NetBIOS_Name
OR
setspn /A host/NetBIOS_Name the_computer_NetBIOS_Name
setspn /A host/FQDN_Name the_computer_FQDN

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

________________________________
From: [EMAIL PROTECTED] on behalf of Tom Kern
Sent: Tue 2/21/2006 11:52 AM
To: activedirectory
Subject: Re: [ActiveDir] SPN issue

Ok, I came up with some more stuff: if I use the FQDN, I can map a drive without the login error. I ran Ethereal while mapping a drive both ways, with the flat name and the FQDN. When mapping with the flat name, I see a "KRB5KDC_ERR_PREAUTH_FAILED(24)". Then later, I see "KRB5KRB_AP_ERR_MODIFIED, Error: STATUS_MORE_PROCESSING_REQUIRED(0x0000016)". When I use the FQDN, I see "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN(7)" and then it defaults to NTLM and lets me in. With a flat name, it never gets to NTLM.
I've checked the "Troubleshooting Kerberos Errors" MS whitepaper but I can't find anything to help me there. The SPN in AD of my box and the server I'm connecting to seems fine. Both client and server are in the same domain. DNS is functioning. Time is in sync. Anyplace else I should be looking?

Thanks a lot.

On 2/21/06, Tom Kern <[EMAIL PROTECTED]> wrote:

I'm at the end of a Win2k native to Win2k3 (Win2k3 FFL/DFL) migration using Quest Migration Manager. I've noticed we've had many login issues where users can map drives via IP but not hostname (DNS is working and you can ping by name). Also, when connecting via a drive mapping, the error received is "Login failure: The target name is incorrect". Now I know when mapping via IP, you are using NTLM as opposed to Kerberos when you use a hostname. So I thought it was a duplicate SPN issue due to the migration. When I fire up LDP.exe and search for SPN, I see the PC in question has an SPN of the value "host\pc.Old.Domain.Name". There is no SPN for the PC to reflect the new Forest it has been migrated to. This is sporadic and doesn't affect all migrated PCs. Another symptom is users not getting their home drive mappings (via ADUC). The homedir server logs this error in the Security log:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 2/21/2006
Time: 11:16:05 AM
User: NT AUTHORITY\SYSTEM
Computer: OPNJR01
Description:
Logon Failure:
Reason: An unexpected error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -

I have two questions:
1. Could the issues I'm having be a symptom of this SPN "problem"?
2. Has anyone faced a similar issue when migrating either via Quest or ADMT, etc.?

Thanks a lot.
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
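The thread above pins the symptoms on two things: computer objects whose SPNs still carry the pre-migration DNS suffix (the "host/pc.Old.Domain.Name" value seen in LDP), and a leftover copy of the machine account in the source forest whose password has gone stale. What follows is an added audit script, not code from the thread or from any of the posters, that checks a target domain for those conditions with the RSAT ActiveDirectory module: SPNs whose host part does not match the owning object's Name or dNSHostName, SPNs registered on more than one object, machine passwords older than the change window, and (optionally) a same-named account still present in the source forest. The parameters $SourceForestDc, $SearchBase and $MaxPasswordAgeDays are assumed inputs (30 days is the default machine password change interval); Get-ADComputer, its -Server/-Filter/-Properties/-SearchBase parameters and the PasswordLastSet and DNSHostName properties are standard cmdlet features. The cross-forest lookup assumes the trust lets the running user read computer objects in the source forest.

```powershell
# Added example (not from the thread): audit computer objects for the SPN and
# stale-machine-password conditions discussed in the ActiveDir thread.
# Assumed parameters: $SourceForestDc, $SearchBase, $MaxPasswordAgeDays.
param(
    [string]$SourceForestDc = '',        # placeholder, e.g. 'dc01.source.example'
    [string]$SearchBase     = '',        # optional OU to scope the audit
    [int]$MaxPasswordAgeDays = 30        # default machine password change interval
)

Import-Module ActiveDirectory

function Get-SpnHostPart {
    # 'host/pc.corp.example:1234/instance' -> 'pc.corp.example'
    param([Parameter(Mandatory)][string]$Spn)
    $parts = $Spn -split '/'
    if ($parts.Count -lt 2) { return $null }
    return ($parts[1] -replace ':\d+$', '')
}

function Test-SpnBelongsTo {
    # A NetBIOS-style host must equal the object's Name; a dotted host must
    # equal its dNSHostName. Anything else points at another name or suffix,
    # which is exactly the leftover host/pc.Old.Domain.Name case.
    param($Computer, [string]$Spn)
    $h = Get-SpnHostPart -Spn $Spn
    if (-not $h) { return $false }
    if ($h -notmatch '\.') { return ($h -ieq $Computer.Name) }
    return ($h -ieq $Computer.DNSHostName)
}

function Invoke-SpnAudit {
    param($Computers, [int]$MaxAgeDays, [string]$SourceDc)
    $findings  = New-Object System.Collections.Generic.List[object]
    $spnOwners = @{}                       # spn -> list of owning computer names
    $cutoff    = (Get-Date).AddDays(-$MaxAgeDays)

    foreach ($c in $Computers) {
        foreach ($spn in @($c.servicePrincipalName)) {
            if (-not $spnOwners.ContainsKey($spn)) {
                $spnOwners[$spn] = New-Object System.Collections.Generic.List[string]
            }
            $spnOwners[$spn].Add($c.Name)
            if (-not (Test-SpnBelongsTo -Computer $c -Spn $spn)) {
                $findings.Add([pscustomobject]@{
                    Computer = $c.Name; Issue = 'SPN host does not match object'; Detail = $spn })
            }
        }
        # Machine password not rotated inside the expected window.
        if ($c.PasswordLastSet -and $c.PasswordLastSet -lt $cutoff) {
            $findings.Add([pscustomobject]@{
                Computer = $c.Name; Issue = 'Machine password older than window'
                Detail = $c.PasswordLastSet.ToString('u') })
        }
        # Same-named account still present in the source forest: the thread's
        # failure mode once that copy's password has gone stale.
        if ($SourceDc) {
            $src = Get-ADComputer -Server $SourceDc -Filter "Name -eq '$($c.Name)'" `
                       -Properties PasswordLastSet -ErrorAction SilentlyContinue
            if ($src) {
                $findings.Add([pscustomobject]@{
                    Computer = $c.Name; Issue = 'Leftover account in source forest'
                    Detail = "source PasswordLastSet=$($src.PasswordLastSet)" })
            }
        }
    }
    # The same SPN on two objects makes the KDC's choice of key unpredictable.
    foreach ($entry in $spnOwners.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            $findings.Add([pscustomobject]@{
                Computer = ($entry.Value -join ','); Issue = 'Duplicate SPN'; Detail = $entry.Key })
        }
    }
    return $findings
}

$getParams = @{ Filter = '*'; Properties = 'servicePrincipalName', 'PasswordLastSet', 'DNSHostName' }
if ($SearchBase) { $getParams['SearchBase'] = $SearchBase }
$computers = Get-ADComputer @getParams

Invoke-SpnAudit -Computers $computers -MaxAgeDays $MaxPasswordAgeDays -SourceDc $SourceForestDc |
    Sort-Object Issue, Computer | Format-Table -AutoSize
```

Run it from a machine with RSAT against the target domain, for example `.\Audit-Spns.ps1 -SourceForestDc dc01.source.example -SearchBase "OU=Migrated,DC=corp,DC=example"` (both values are placeholders). A row tagged "SPN host does not match object" is a candidate for the setspn -R / setspn -A fix discussed in the thread; a "Leftover account in source forest" row with an old PasswordLastSet is the case where, as explained at the top of the thread, the source DC rejects the machine before the user credential is ever evaluated.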
