Re: [ActiveDir] Kerberos Question
It could also mean you have a problem with the tool, right? Are you seeing some other symptoms that caused you to look at this tool? Time? you can check that pretty easily by checking the time on your machine and comparing to a DC in your environment. What do you see in your system event log? On 1/25/07, Mike Hogenauer [EMAIL PROTECTED] wrote: Just curious – I have the resource kit tool *Kerbtray *running on my taskbar – When I double click it; it list my tickets, etc… Twice during the day yesterday it turned red and said there was no tickets available. It's already done this once today – When it was showing information it had a ticket renewal until time up to 8 days and a start and end time offset of 10 minutes Does this mean my ticket is getting renewed or that I could have a time problem, connecting to the PDC emulator problem, etc. Thanks in advance for any insight on this. Mike
RE: [ActiveDir] Kerberos Question
The Time is the same on the PDC emulator as my PC – no event logs I could find – I guess it might be a problem with the tool – I don’t have any firewalls between my PC and the DC. The loss of the ticket information is what raised the flag for me. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Thursday, January 25, 2007 11:24 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Kerberos Question It could also mean you have a problem with the tool, right? Are you seeing some other symptoms that caused you to look at this tool? Time? you can check that pretty easily by checking the time on your machine and comparing to a DC in your environment. What do you see in your system event log? On 1/25/07, Mike Hogenauer [EMAIL PROTECTED] wrote: Just curious – I have the resource kit tool Kerbtray running on my taskbar – When I double click it; it list my tickets, etc… Twice during the day yesterday it turned red and said there was no tickets available. It's already done this once today – When it was showing information it had a ticket renewal until time up to 8 days and a start and end time offset of 10 minutes Does this mean my ticket is getting renewed or that I could have a time problem, connecting to the PDC emulator problem, etc. Thanks in advance for any insight on this. Mike
RE: [ActiveDir] Kerberos Question
I think you are seeing your Kerberos tickets start to reach their expiration time. The kerbtray icon will go from green to red. I think the last 5 or 15 minutes the default configuration will also issue an audible (and very distinctive) sound. The tickets will renew automatically (and the icon will go from red back to green). This will happen until you reach the default renew tickets until... date. At that time you will need to manually renew your ticket unless you do something like logoff and then logon to automatically get new tickets. Hth, Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Thursday, January 25, 2007 1:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Kerberos Question Just curious - I have the resource kit tool Kerbtray running on my taskbar - When I double click it; it list my tickets, etc... Twice during the day yesterday it turned red and said there was no tickets available. It's already done this once today - When it was showing information it had a ticket renewal until time up to 8 days and a start and end time offset of 10 minutes Does this mean my ticket is getting renewed or that I could have a time problem, connecting to the PDC emulator problem, etc. Thanks in advance for any insight on this. Mike
RE: [ActiveDir] Kerberos Question
Cool - sounds good to me! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M. Sent: Thursday, January 25, 2007 11:39 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Question I think you are seeing your Kerberos tickets start to reach their expiration time. The kerbtray icon will go from green to red. I think the last 5 or 15 minutes the default configuration will also issue an audible (and very distinctive) sound. The tickets will renew automatically (and the icon will go from red back to green). This will happen until you reach the default renew tickets until... date. At that time you will need to manually renew your ticket unless you do something like logoff and then logon to automatically get new tickets. Hth, Mike Thommes From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Thursday, January 25, 2007 1:03 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Kerberos Question Just curious - I have the resource kit tool Kerbtray running on my taskbar - When I double click it; it list my tickets, etc... Twice during the day yesterday it turned red and said there was no tickets available. It's already done this once today - When it was showing information it had a ticket renewal until time up to 8 days and a start and end time offset of 10 minutes Does this mean my ticket is getting renewed or that I could have a time problem, connecting to the PDC emulator problem, etc. Thanks in advance for any insight on this. Mike
RE: [ActiveDir] Kerberos Question
If you suspect it's the KerbTray tool, you may wish to use KList (part of the Reskit) to verify that both are showing the same output. Ryan From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer Sent: Thursday, January 25, 2007 1:34 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Kerberos Question The Time is the same on the PDC emulator as my PC - no event logs I could find - I guess it might be a problem with the tool - I don't have any firewalls between my PC and the DC. The loss of the ticket information is what raised the flag for me. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Thursday, January 25, 2007 11:24 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Kerberos Question It could also mean you have a problem with the tool, right? Are you seeing some other symptoms that caused you to look at this tool? Time? you can check that pretty easily by checking the time on your machine and comparing to a DC in your environment. What do you see in your system event log? On 1/25/07, Mike Hogenauer [EMAIL PROTECTED]mailto:[EMAIL PROTECTED] wrote: Just curious - I have the resource kit tool Kerbtray running on my taskbar - When I double click it; it list my tickets, etc... Twice during the day yesterday it turned red and said there was no tickets available. It's already done this once today - When it was showing information it had a ticket renewal until time up to 8 days and a start and end time offset of 10 minutes Does this mean my ticket is getting renewed or that I could have a time problem, connecting to the PDC emulator problem, etc. Thanks in advance for any insight on this. Mike
RE: [ActiveDir] Kerberos question
Title: Kerberos question I think we have a miscom here: I have no 5.5 server-- I assume that you mean exchange 5.5 (we are all ex2k3). More details: I have an app that runs on a win2k3 that uses either LDAP or Kerberos to authenticate its users against our 2003 active directory. The app server is part of our domain but the app that runs on it is a third party app that says it can authenticate using Kerberos or LDAP. My question is: Do I need to do anything to our Domain controller to allow the app to talk to the domain controller? Thanks, Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 9:53 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question Before going any further, how about trying to get the information from a 5.5 server locally using the admin utility? The goal of looking there is to isolate whether the problem is on the 5.5 side or if the problem is elsewhere; just need to rule out there's a problem with the 5.5 admin :) Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 9:49 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question It is also windows 2003, but the software is a web app (webct). I am confused as the whether the OS it doing the authentication or the app is. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 9:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question What OS is the remote system and how is it connected? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 9:04 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Kerberos question Quick question: I have a remote system that needs to authenticate to our 2003 dcs, I have the choices of Kerberos and ldap. I would perfer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have place they could point me to? I have the Kerberos trouble shooting guide and am working through this. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED]
RE: [ActiveDir] Kerberos question
Title: Kerberos question I would contact the vendor. They should know. There should be nothing extra you have to do to support kerberos on your dc as the support is already there, that is the primary authentication mechanism now. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 9:49 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question It is also windows 2003, but the software is a web app (webct). I am confused as the whether the OS it doing the authentication or the app is. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 9:08 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question What OS is the remote system and how is it connected? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 9:04 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Kerberos question Quick question: I have a remote system that needs to authenticate to our 2003 dcs, I have the choices of Kerberos and ldap. I would perfer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have place they could point me to? I have the Kerberos trouble shooting guide and am working through this. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED]
RE: [ActiveDir] Kerberos question
Title: Kerberos question The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is some what lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out a AD problem. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 10:44 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question Sorry Rick. Thread overlap. :) Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do?Which application is it out of curiosity? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 10:29 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question I think we have a miscom here: I have no 5.5 server-- I assume that you mean exchange 5.5 (we are all ex2k3). More details: I have an app that runs on a win2k3 that uses either LDAP or Kerberos to authenticate its users against our 2003 active directory. The app server is part of our domain but the app that runs on it is a third party app that says it can authenticate using Kerberos or LDAP. My question is: Do I need to do anything to our Domain controller to allow the app to talk to the domain controller? Thanks, Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 9:53 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question Before going any further, how about trying to get the information from a 5.5 server locally using the admin utility? The goal of looking there is to isolate whether the problem is on the 5.5 side or if the problem is elsewhere; just need to rule out there's a problem with the 5.5 admin :) Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 9:49 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question It is also windows 2003, but the software is a web app (webct). I am confused as the whether the OS it doing the authentication or the app is. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 9:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question What OS is the remote system and how is it connected? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 9:04 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Kerberos question Quick question: I have a remote system that needs to authenticate to our 2003 dcs, I have the choices of Kerberos and ldap. I would perfer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have place they could point me to? I have the Kerberos trouble shooting guide and am working through this. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED]
RE: [ActiveDir] Kerberos question
Title: Kerberos question Joe, I was pretty sure that was the case, but I wanted to make sure. Thanks, Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Thursday, August 05, 2004 11:15 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question I would contact the vendor. They should know. There should be nothing extra you have to do to support kerberos on your dc as the support is already there, that is the primary authentication mechanism now. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 9:49 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question It is also windows 2003, but the software is a web app (webct). I am confused as the whether the OS it doing the authentication or the app is. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 9:08 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question What OS is the remote system and how is it connected? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 9:04 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Kerberos question Quick question: I have a remote system that needs to authenticate to our 2003 dcs, I have the choices of Kerberos and ldap. I would perfer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have place they could point me to? I have the Kerberos trouble shooting guide and am working through this. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED]
RE: [ActiveDir] Kerberos question
Title: Message Your local liquor store is a good place to start, followed by the drug store for a few gallons of Maalox. Kerberos interoperability is a pain. It is possible, but you will have to do LOTS of research. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 8:04 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Kerberos question Quick question: I have a remote system that needs to authenticate to our 2003 dcs, I have the choices of Kerberos and ldap. I would perfer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have place they could point me to? I have the Kerberos trouble shooting guide and am working through this. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED]
RE: [ActiveDir] Kerberos question
Title: Kerberos question So that leads to the next question then: do you have a problem going on? If so, can you give some details? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 11:26 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is some what lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out a AD problem. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 10:44 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question Sorry Rick. Thread overlap. :) Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do?Which application is it out of curiosity? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 10:29 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question I think we have a miscom here: I have no 5.5 server-- I assume that you mean exchange 5.5 (we are all ex2k3). More details: I have an app that runs on a win2k3 that uses either LDAP or Kerberos to authenticate its users against our 2003 active directory. The app server is part of our domain but the app that runs on it is a third party app that says it can authenticate using Kerberos or LDAP. My question is: Do I need to do anything to our Domain controller to allow the app to talk to the domain controller? Thanks, Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 9:53 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question Before going any further, how about trying to get the information from a 5.5 server locally using the admin utility? The goal of looking there is to isolate whether the problem is on the 5.5 side or if the problem is elsewhere; just need to rule out there's a problem with the 5.5 admin :) Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 9:49 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question It is also windows 2003, but the software is a web app (webct). I am confused as the whether the OS it doing the authentication or the app is. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 9:08 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question What OS is the remote system and how is it connected? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 9:04 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Kerberos question Quick question: I have a remote system that needs to authenticate to our 2003 dcs, I have the choices of Kerberos and ldap. I would perfer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work. Does anyone have place they could point me to? I have the Kerberos trouble shooting guide and am working through this. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED]
RE: [ActiveDir] Kerberos question
Title: Kerberos question There are tools to monitor kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and whereauthentication isfailing. I think the following is most likely to be helpful http://support.microsoft.com/default.aspx?kbid=326985 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 2:41 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question Question,: is there a utility that would use Kerberos to login (Kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned).. This is the first non windows application we are deploying that uses Kerberos (outside of windows). IT does recognize a bad password as a bad password, but throws an error with the correct password is given: ERROR(1006)An error occurred in WebCT authorization. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 2:00 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question So that leads to the next question then: do you have a problem going on? If so, can you give some details? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 11:26 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is some what lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out a AD problem. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 10:44 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question Sorry Rick. Thread overlap. :) Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do?Which application is it out of curiosity? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 10:29 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question I think we have a miscom here: I have no 5.5 server-- I assume that you mean exchange 5.5 (we are all ex2k3). More details: I have an app that runs on a win2k3 that uses either LDAP or Kerberos to authenticate its users against our 2003 active directory. The app server is part of our domain but the app that runs on it is a third party app that says it can authenticate using Kerberos or LDAP. My question is: Do I need to do anything to our Domain controller to allow the app to talk to the domain controller? Thanks, Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 9:53 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question Before going any further, how about trying to get the information from a 5.5 server locally using the admin utility? The goal of looking there is to isolate whether the problem is on the 5.5 side or if the problem is elsewhere; just need to rule out there's a problem with the 5.5 admin :) Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 9:49 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question It is also windows 2003, but the software is a web app (webct). I am confused as the whether the OS it doing the authentication or the app is. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 9:08 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question What OS is the remote system and how is it connected
RE: [ActiveDir] Kerberos question
Title: Kerberos question The program uses apache, I am still working with the vendor on this. This is the error from the DC: Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 675 Date: 8/5/2004 Time: 3:15:59 PM User: NT AUTHORITY\SYSTEM Computer: KINGS-DC01 Description: Pre-authentication failed: User Name: ricktest User ID: KINGS\ricktest Service Name: krbtgt/KINGS.EDU Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.1.18.48 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 2:54 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question There are tools to monitor kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and whereauthentication isfailing. I think the following is most likely to be helpful http://support.microsoft.com/default.aspx?kbid=326985 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 2:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question Question,: is there a utility that would use Kerberos to login (Kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned).. This is the first non windows application we are deploying that uses Kerberos (outside of windows). IT does recognize a bad password as a bad password, but throws an error with the correct password is given: ERROR(1006) An error occurred in WebCT authorization. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 2:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question So that leads to the next question then: do you have a problem going on? If so, can you give some details? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 11:26 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is some what lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out a AD problem. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 10:44 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question Sorry Rick. Thread overlap. :) Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do?Which application is it out of curiosity? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 10:29 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question I think we have a miscom here: I have no 5.5 server-- I assume that you mean exchange 5.5 (we are all ex2k3). More details: I have an app that runs on a win2k3 that uses either LDAP or Kerberos to authenticate its users against our 2003 active directory. The app server is part of our domain but the app that runs on it is a third party app that says it can authenticate using Kerberos or LDAP. My question is: Do I need to do anything to our Domain controller to allow the app to talk to the domain controller? Thanks, Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 9:53 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question Before going any further, how about trying to get the information from a 5.5
RE: [ActiveDir] Kerberos question
Title: Kerberos question This stands out Pre-authentication failed: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 3:24 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question The program uses apache, I am still working with the vendor on this. This is the error from the DC: Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 675 Date: 8/5/2004 Time: 3:15:59 PM User: NT AUTHORITY\SYSTEM Computer: KINGS-DC01 Description: Pre-authentication failed: User Name: ricktest User ID: KINGS\ricktest Service Name: krbtgt/KINGS.EDU Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.1.18.48 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 2:54 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question There are tools to monitor kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and whereauthentication isfailing. I think the following is most likely to be helpful http://support.microsoft.com/default.aspx?kbid=326985 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 2:41 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question Question,: is there a utility that would use Kerberos to login (Kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned).. This is the first non windows application we are deploying that uses Kerberos (outside of windows). IT does recognize a bad password as a bad password, but throws an error with the correct password is given: ERROR(1006)An error occurred in WebCT authorization. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 2:00 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question So that leads to the next question then: do you have a problem going on? If so, can you give some details? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 11:26 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is some what lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out a AD problem. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 10:44 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question Sorry Rick. Thread overlap. :) Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do?Which application is it out of curiosity? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 10:29 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question I think we have a miscom here: I have no 5.5 server-- I assume that you mean exchange 5.5 (we are all ex2k3). More details: I have an app that runs on a win2k3 that uses either LDAP or Kerberos to authenticate its users against our 2003 active directory. The app server is part of our domain but the app that runs on it is a third party app that says it can authenticate using Kerberos or LDAP. My question is: Do I need to do anything to our Domain controller to allow the app to talk to the domain controller? Thanks, Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED
RE: [ActiveDir] Kerberos question
Title: Kerberos question I am looking that up now Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 3:45 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question This stands out Pre-authentication failed: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 3:24 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question The program uses apache, I am still working with the vendor on this. This is the error from the DC: Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 675 Date: 8/5/2004 Time: 3:15:59 PM User: NT AUTHORITY\SYSTEM Computer: KINGS-DC01 Description: Pre-authentication failed: User Name: ricktest User ID: KINGS\ricktest Service Name: krbtgt/KINGS.EDU Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.1.18.48 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 2:54 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question There are tools to monitor kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and whereauthentication isfailing. I think the following is most likely to be helpful http://support.microsoft.com/default.aspx?kbid=326985 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 2:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question Question,: is there a utility that would use Kerberos to login (Kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned).. This is the first non windows application we are deploying that uses Kerberos (outside of windows). IT does recognize a bad password as a bad password, but throws an error with the correct password is given: ERROR(1006) An error occurred in WebCT authorization. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 2:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question So that leads to the next question then: do you have a problem going on? If so, can you give some details? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 11:26 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is some what lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out a AD problem. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 10:44 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question Sorry Rick. Thread overlap. :) Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do?Which application is it out of curiosity? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 10:29 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question I think we have a miscom here: I have no 5.5 server-- I assume that you mean exchange 5.5 (we are all ex2k3). More details: I have an app that runs on a win2k3 that uses either LDAP or Kerberos to authenticate its users against our 2003 active directory. The app server is part of our domain but the app that runs on it is a third party app
RE: [ActiveDir] Kerberos question
Title: Kerberos question Pre-Authentication is a security measure to prevent a client from calling to the KDC and getting a response back that it can work on cracking to break the encryption. The client has to prove who it is before it gets anything useful basically... You can disable pre-auth for an account through the ADUC GUI by looking at the Account Tab and looking specifically at account options then Do not Require Kerberos preauthentication... It is a bit in userAccountControl, specifically 0x40. I would say disable it to test to see if it then works, but I wouldn't leave it configured that way. It is just a method to make sure everything else is ok. Pre-Auth is not the default for any of the kerberos implementations EXCEPT for the MS implementation from what I recall. joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 3:24 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question The program uses apache, I am still working with the vendor on this. This is the error from the DC: Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 675 Date: 8/5/2004 Time: 3:15:59 PM User: NT AUTHORITY\SYSTEM Computer: KINGS-DC01 Description: Pre-authentication failed: User Name: ricktest User ID: KINGS\ricktest Service Name: krbtgt/KINGS.EDU Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.1.18.48 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 2:54 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question There are tools to monitor kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and whereauthentication isfailing. I think the following is most likely to be helpful http://support.microsoft.com/default.aspx?kbid=326985 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 2:41 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question Question,: is there a utility that would use Kerberos to login (Kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned).. This is the first non windows application we are deploying that uses Kerberos (outside of windows). IT does recognize a bad password as a bad password, but throws an error with the correct password is given: ERROR(1006)An error occurred in WebCT authorization. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 2:00 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question So that leads to the next question then: do you have a problem going on? If so, can you give some details? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 11:26 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is some what lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out a AD problem. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, AlSent: Thursday, August 05, 2004 10:44 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question Sorry Rick. Thread overlap. :) Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do?Which application is it out of curiosity? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, RickSent: Thursday, August 05, 2004 10:29 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Kerberos question I think we have a miscom
RE: [ActiveDir] Kerberos question
Title: Kerberos question I got it, there is a shared secret ticket key that was set wrong. (bad documentation). Thanks for everyones help From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 4:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question I am looking that up now Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 3:45 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question This stands out Pre-authentication failed: From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 3:24 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question The program uses apache, I am still working with the vendor on this. This is the error from the DC: Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 675 Date: 8/5/2004 Time: 3:15:59 PM User: NT AUTHORITY\SYSTEM Computer: KINGS-DC01 Description: Pre-authentication failed: User Name: ricktest User ID: KINGS\ricktest Service Name: krbtgt/KINGS.EDU Pre-Authentication Type: 0x0 Failure Code: 0x19 Client Address: 10.1.18.48 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 2:54 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question There are tools to monitor kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and whereauthentication isfailing. I think the following is most likely to be helpful http://support.microsoft.com/default.aspx?kbid=326985 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 2:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question Question,: is there a utility that would use Kerberos to login (Kind of like a test login utility)? We are not experiencing any problem with logins anywhere (except as mentioned).. This is the first non windows application we are deploying that uses Kerberos (outside of windows). IT does recognize a bad password as a bad password, but throws an error with the correct password is given: ERROR(1006) An error occurred in WebCT authorization. Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 2:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question So that leads to the next question then: do you have a problem going on? If so, can you give some details? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 11:26 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is some what lacking, and their support is not really that good. I do have everything set up as they request, so I was thinking that my problem is on my end. I do have a support call scheduled with them later today. I wanted to try to rule out a AD problem. Thanks Rick Gasper Manager, Network Services King's College 133 N. River St Wilkes-Barre PA 18711 PH: 570-208-5845 Fax: 570-208-6072 Cell: 570-760-0335 [EMAIL PROTECTED] From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Thursday, August 05, 2004 10:44 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question Sorry Rick. Thread overlap. :) Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do?Which application is it out of curiosity? Al From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick Sent: Thursday, August 05, 2004 10:29 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Kerberos question I think we have a miscom here: I