Ok I narrowed the problem.
It seems that whenever the user has more than 20 groups, SSO on XP2
won't work. Below 20 groups it works OK. In XP1 there is no problem on
the amount of group memberships. I assume that the Cross Realm Object
needs the NO_AUTH_REQUIRED field set in userAccountControl. However
the DNS admin reports that he gets "Access Denied" when trying to edit
that field of the Cross Realm object...

On 31 jul, 23:24, "Markus Moeller" <[EMAIL PROTECTED]> wrote:
> Can you add the SPN with REALM into the SPN field under ssh->GSSAPI e.g.
>
> host/[EMAIL PROTECTED]
>
> I think Vintella is adding the default domain otherwise. Not sure if that is
> a bug or if I missed a configuration setting.
>
> Markus
>
> "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message
>
> news:[EMAIL PROTECTED]
>
>
>
> > I see that I receive the cross realm ticket.
> > However I don't receive any service ticket!
>
> > On 30 jul, 21:53, "Markus Moeller" <[EMAIL PROTECTED]> wrote:
> >> Can you use kerbtray to see if you get the service principal ?
>
> >> Markus
>
> >> "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message
>
> >>news:[EMAIL PROTECTED]
>
> >> > Markus, I already tried editing that setting but no luck either...
> >> > Every time I think I am done with this setup, there is a new issue...
> >> > However, the SSO from the Linux clients to the UNIX KDCs worked
> >> > instantly!
>
> >> > On 30 jul, 20:52, "Markus Moeller" <[EMAIL PROTECTED]> wrote:
> >> >> You might need this:
>
> >> >> "This new feature has been seen in Windows 2003 Server, Windows 2000
> >> >> Server SP4, and Windows XP SP2.  We assume that it will be implemented
> >> >> in all future Microsoft operating systems supporting the Kerberos SSPI.
> >> >> Microsoft does work closely with MIT and has provided a registry key to
> >> >> disable this new feature.
>
> >> >>   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
> >> >>   AllowTGTSessionKey = 0x01 (DWORD)
>
> >> >> On Windows XP SP2 the key is specified as
>
> >> >>   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
> >> >>   AllowTGTSessionKey = 0x01 (DWORD)"
>
> >> >> as described here
> >> >> http://web.mit.edu/kerberos/kfw-2.6/kfw-2.6.5/relnotes.html#mslsa
>
> >> >> Regards
> >> >> Markus
>
> >> >> "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message
>
> >> >>news:[EMAIL PROTECTED]
>
> >> >> > Dear all
>
> >> >> > I don't know whether or not I should post this here or in
> >> >> > microsoft.xp.client but I will do both.
> >> >> > After successfully implementing a cross realm trust between AD and a
> >> >> > UNIX realm, it seems that the clients that use SP1 can successfully
> >> >> > have SSO to the UNIX machine whereas the SP2 people can't. Can
> >> >> > anyone
> >> >> > help me out, since I am not a Windows expert :-)
> >> >> > The tool I use for SSO on the Windows clients is Vintella Putty 0.60
> >> >> > q1.129.
>
> >> >> > Kind regards
>
> >> >> > Miguel
>
> >> >> > ________________________________________________
> >> >> > Kerberos mailing list           [EMAIL PROTECTED]
> >> >> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
>


________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
