Re: Extra Round trip while using SSPI Api.
- From: "Richard Ward" <richardw@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 16 Mar 2006 23:12:11 -0800
Sorry, I fat-fingered that. microsoft.public.platformsdk.security is the group.
In general, you should not be passing an SPN of the form "domain\hostname" to
InitializeSecurityContext. You should be passing the form "servicename/hostname"
in, e.g. host/computer or better yet, host/computer.dns.domain. More on SPNs at
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/how_a_service_composes_its_spns.asp
That said, your setspn output implies that there is no SPN associated with your
server. Is that the case?
"henin" <henin@xxxxxxxxxxxxxxxx> wrote in message news:441A35DA.7070200@xxxxxxxxxxxxxxxxxxx
Hi,
I did not find a security sub-group under the "comp.os.ms-windows.programmer"
group, can you please let me know where I have to post such queries.
I have verified that the targetname that is being passed to
InitializeSecurityContext() is domain\hostname. One more point here is
that the hostname is not an FQDN.
Ping hostname and later ping -a ipaddress
gives me the fqdn of the machine on which both the client/server
are running.
Running "Setspn -l (hostname)" gives the following output:
C:\Program Files\Resource Kit>Setspn.exe -l COMPUTERNAME
Registered ServicePrincipalNames for CN=COMPUTERNAME,CN=Computers,DC=DOMAIN-NAME,DC=us,DC=ORG-NAME,DC=com:
Any hints here would be highly appreciated.
Regards,
Henin.
Richard Ward wrote:
comp.os.ms-windows.programmer.security is a better forum for these
sorts of questions, but there are a number of cases that can cause this.
A common problem is when the machine account exists in two domains,
and the client selects the wrong domain. This is especially likely when you
are using short names (e.g. host/machine) instead of FQDNs.
"henin" <henin@xxxxxxxxxxxxxxxx> wrote in message
Hello All,
We are facing very strange issues on some of our installations.
The setup consists of a client and a server; the server is running as a
service (LocalSystem).
Both client and server are running on the same machine.
The setup is as below
1) Platform: Windows 2000 with SP4.
2) Server is running as a service with log-on user as LocalSystem.
3) Kerberos is used for authenticating the client with the server.
In the non-working case, on both sides (client and server) we are getting
SEC_I_CONTINUE_NEEDED during the 3rd leg phase of authentication,
and later on the client side (InitializeSecurityContext()) we get
the SEC_E_WRONG_PRINCIPAL error.
I have verified that the targetname that is being passed to
InitializeSecurityContext() is fine.
The same installation on a different machine (say m/c B) works fine.
We get SEC_E_OK on the first call to AcceptSecurityContext().
Both these machines are in the same domain.
Any pointers here.
Regards,
Henin.
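
As an added example (not code from this thread or from Microsoft), a pre-flight check a client could run on the target name before handing it to InitializeSecurityContext, separating the "domain\hostname" form from the "servicename/hostname" forms discussed above. The function and enum names are hypothetical, the sample names are constructed, and the host part is assumed to end at an optional ":port" or "/servicename" suffix.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper; these names are not part of SSPI. */
typedef enum {
    TN_SPN_FQDN,        /* service/host.dns.domain: preferred form */
    TN_SPN_SHORT_HOST,  /* service/host: valid, but ambiguous across domains */
    TN_DOWNLEVEL_NAME,  /* domain\hostname: an account name, not an SPN */
    TN_MALFORMED        /* no '/' separator, or empty service/host part */
} target_name_kind;

target_name_kind classify_target_name(const char *name)
{
    if (name == NULL || *name == '\0')
        return TN_MALFORMED;
    if (strchr(name, '\\') != NULL)          /* DOMAIN\host form */
        return TN_DOWNLEVEL_NAME;

    const char *slash = strchr(name, '/');
    if (slash == NULL || slash == name)      /* missing service class */
        return TN_MALFORMED;

    const char *host = slash + 1;
    size_t host_len = strcspn(host, "/:");   /* stop at port or service name */
    if (host_len == 0)
        return TN_MALFORMED;

    const char *dot = memchr(host, '.', host_len);
    if (dot == host)                         /* host starts with '.' */
        return TN_MALFORMED;
    if (dot == NULL || dot + 1 == host + host_len)
        return TN_SPN_SHORT_HOST;            /* no DNS suffix after the host */
    return TN_SPN_FQDN;
}

int main(void)
{
    /* Constructed sample target names. */
    const char *samples[] = { "DOMAIN\\COMPUTERNAME", "host/computer",
                              "host/computer.dns.domain", "computer" };
    static const char *labels[] = { "SPN with FQDN", "SPN with short host",
                                    "domain\\hostname, not an SPN", "malformed" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s %s\n", samples[i], labels[classify_target_name(samples[i])]);
    return 0;
}
```

A client can log or reject anything other than TN_SPN_FQDN before starting the handshake, so a badly formed target name is caught before any security context is built.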