Strict Name Checking is for reflection attacks - you need to disable it when a server connects to itself using something other than its own name.
I'm pretty sure it's not necessary when an external party/machine connects using a CNAME or some other alias Cheers Ken -----Original Message----- From: Steve Kradel [mailto:[email protected]] Sent: Friday, 30 September 2011 12:48 PM To: NT System Admin Issues Subject: Re: fake-out NetBIOS Are y'all positive that disabling strict name checking is necessary in conjunction with a CNAME? Most apps will get the canonical name (de-alias) when looking for SPNs, etc. --Steve On Thu, Sep 29, 2011 at 2:44 PM, Sean Martin <[email protected]> wrote: > We disable it on all of our SQL servers so our DBAs can leverage DNS > aliases for DBs. Makes it easy to move DBs between SQL servers. > > - Sean > > On Thu, Sep 29, 2011 at 5:15 AM, David Lum <[email protected]> wrote: >> >> That's perfect, thanks! I have never run into this before nor even >> heard of "disable strict name checking", so this is good new stuff. >> >> >> >> Reason number 703,510 to love this list. >> >> >> >> How did you know about that anyhow? >> >> >> >> Dave >> >> >> >> From: Glen Johnson [mailto:[email protected]] >> Sent: Thursday, September 29, 2011 6:12 AM >> >> To: NT System Admin Issues >> Subject: RE: fake-out NetBIOS >> >> >> >> Google disable strict name checking and you will find what you seek. >> >> >> >> From: David Lum [mailto:[email protected]] >> >> Sent: Thursday, September 29, 2011 9:09 AM >> To: NT System Admin Issues >> Subject: fake-out NetBIOS >> >> >> >> How do I go about having a Windows client (XP, or 7) connect to a UNC >> that's different from the actual hostname w/out using a FQDN? I have >> a server named BOB but I want users to be able to attach using \\FRED. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
