I seem to recall seeing something like this in the newsgroups previously. Once, I seem to recall that the problem was related to the keytab not being generated properly. The other time was an issue with the encryption type. The machine required encryption that is OFF by default in Windows Server 2003 because it is insecure, I want to say DES-CBC-CRC maybe, because the machine couldn't support DES-CBC-MD5. There was a hotfix out there, which I think is wrapped into SP1 now, that allows you to re-enable that encryption. It was always available under W2K from what I understand.

The kerb questions tend to not get tackled big time in this list, probably because most people are using Windows and Microsoft just made it so it simply works. The times you hear about it are with interaction with Unix/Linux/BSD and some pain point.

Something you may consider doing is looking at a product that makes Kerberos integration with Windows far easier; this would be from either Centrify or Vintela.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of T C
Sent: Monday, April 03, 2006 5:19 PM
To: Active Directory Discussions
Subject: [ActiveDir] Creating a service instance account in AD
I am working on bringing a Unix service under AD. To do this I need to map a service principal name (SPN) to an AD account. The MS document specifies using a user account for this, and I have tested with this and it works. However, I am also trying to use a computer account for this. Everything seems to work except the ticket cannot be decrypted. So I am curious if computer accounts can be used for this purpose. It seems quite straightforward, but it just didn't work.
Thanks,
Terry
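Both the symptom Terry reports (the service ticket cannot be decrypted) and the two causes the reply recalls (a keytab that was not generated properly, or a key enctype such as single-DES that the KDC no longer issues) can be checked by reading the keytab itself. The script below is an added example, not code from either poster: it parses an MIT-format (version 0x0502) keytab, lists each entry's principal, kvno and enctype, and flags keys whose enctype is not in the set the KDC has enabled. The keytab bytes, the principal host/unixbox@EXAMPLE.COM and the KDC enctype sets are constructed for the example.

```python
import struct

# Constructed 0x0502 keytab (not data from the thread): two keys for host/unixbox@EXAMPLE.COM,
# both kvno 2; entry 1 is des-cbc-md5 (enctype 3), entry 2 is rc4-hmac (enctype 23).
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + b"\x00\x00\x00\x37\x00\x02\x00\x0bEXAMPLE.COM\x00\x04host\x00\x07unixbox"
    + b"\x00\x00\x00\x01\x44\x31\x8f\x40\x02\x00\x03\x00\x08" + b"\x11" * 8 + b"\x00\x00\x00\x02"
    + b"\x00\x00\x00\x3f\x00\x02\x00\x0bEXAMPLE.COM\x00\x04host\x00\x07unixbox"
    + b"\x00\x00\x00\x01\x44\x31\x8f\x40\x02\x00\x17\x00\x10" + b"\x22" * 16 + b"\x00\x00\x00\x02"
)
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}
SINGLE_DES = {1, 3}  # off by default on Windows Server 2003, as the reply notes

def _counted(buf, off):  # counted_octet_string: uint16 length, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(buf):
    """Return [(principal, kvno, enctype)] for every live entry of a big-endian 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot: skip its bytes
            off -= size
            continue
        end, p = off + size, off
        (ncomp,) = struct.unpack_from(">H", buf, p)
        realm, p = _counted(buf, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(buf, p)
            comps.append(c.decode())
        p += 4                  # name_type, present only in version 0x0502
        _ts, vno8, enctype = struct.unpack_from(">IBH", buf, p)   # timestamp, 8-bit vno, enctype
        _key, p = _counted(buf, p + 7)
        kvno = struct.unpack_from(">I", buf, p)[0] if end - p >= 4 else vno8  # 32-bit vno if present
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def check_keytab(buf, kdc_enctypes):
    """Keys the KDC cannot issue tickets for: a ticket under any other enctype will not decrypt."""
    out = []
    for princ, kvno, etype in parse_keytab(buf):
        if etype not in kdc_enctypes:
            name = ENCTYPES.get(etype, f"enctype {etype}")
            out.append(f"{princ} kvno {kvno}: {name}" + (" (single-DES, off by default)" if etype in SINGLE_DES else ""))
    return out
```

Run `check_keytab(SAMPLE_KEYTAB, {17, 18, 23})` against a KDC that offers only AES and RC4 and the DES entry is reported; a keytab whose only key is DES would then explain the undecryptable ticket, and a keytab whose kvno does not match the account's current key version points at the keytab-generation problem instead.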
