Re: Kerberos interoperablity with import NT4 users and WRQ Reflections

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Jason (jason.yarberry_at_atlantisplastics.com)
Date: 03/12/04 

Date: Fri, 12 Mar 2004 13:33:55 -0500

Alex,
The WRQ Reflections program has a problem with the Kerberos authentication
when you use it to access a Unix host. I will have to get the exact error
message for you.

We are using Windows 2000 (SP2,SP3) Pro as the client. We found the DNS
request failed the authentication, unless you add an entry into the host
file on the computer. I am to ping/resolve the name easily before modifing
the host file with no problems. Strange.

We did notice that any users that were import from the old NT4 domain do not
have the DES item enbled. Any new users do. Is this a know issue?

Is there any know issues with the Windows 2000 Kerberos version that
conflict with the MIT version of Kerberos?

Thanks
"Alex Zhang(MSFT)" <v-qiz@online.microsoft.com> wrote in message
news:v0tF$wCCEHA.564@cpmsftngxa06.phx.gbl...
> Hello Jason,
>
> Thank you for posting here.
>
> To understand the issue better, I'd like to confirm the following
> information with you:
> 1. How do you find that clients have not the ability to work the kerberos
> authentication? Is there any error related error message or events?
> 2. Which kind of clients do not have the ability? Do you refer to
computers
> or users for ¡°clients¡±?
>
> The "Use DES encryption types for this account" and the "Don't require
> Kerberos Preauthentication" check boxes are controlled by bits that are
set
> in the userAccountControl field of the Active Directory.
>
> You could try to open the ¡°Active Directory Users and Computers¡± and set
> the userAccountControl value to be ¡®66048¡¯. For more information about
> how to modify the values of userAccountControl you may browse the
following
> website:
>
> How to Use the UserAccountControl Flags to Manipulate User Account
> Properties
> http://support.microsoft.com/default.aspx?scid=KB;EN-US;305144
>
> I hope the information proves helpful!
> If you have any questions please do not hesitate to let me know. I am
glad
> to be of assistance.
> Thanks and regards,
> Alex Zhang
> Microsoft Partner Online Support
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> --------------------
> | Reply-To: "Jason" <jason.yarberry@atlantisplastics.com>
> | From: "Jason" <jason.yarberry@atlantisplastics.com>
> | Subject: Kerberos interoperablity with import NT4 users and WRQ
> Reflections
> | Date: Thu, 11 Mar 2004 16:18:36 -0500
> | Lines: 15
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
> | Message-ID: <#6Wvr56BEHA.580@TK2MSFTNGP11.phx.gbl>
> | Newsgroups: microsoft.public.win2000.active_directory
> | NNTP-Posting-Host: port29.atlantisplastics.com 65.83.39.93
> | Path:
>
cpmsftngxa06.phx.gbl!cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08
> phx.gbl!TK2MSFTNGP11.phx.gbl
> | Xref: cpmsftngxa06.phx.gbl
microsoft.public.win2000.active_directory:69628
> | X-Tomcat-NG: microsoft.public.win2000.active_directory
> |
> | Has any encountered a problem with getting Windows 2000 kerberos running
> | with the WRQ client connections?
> |
> | We have a problem with any clients that were imported over from the NT 4
> | domain not having the ability to work the kerberos authentication. We
were
> | able to create new users that did not have the problem.
> |
> | I found the NT4 imported users do not have the option "Use DES
encryption
> | types for this account" selected, while as the newly created users do.
> |
> | Is this a know issue?
> |
> | Suggestions?
> |
> |
> |
>

Relevant Pages

  • Re: kerberos 5.0 and apache 1.3.34
    ... My kerberos authentication i think is working now ... i say 'i think' because when i check my http header response this is ... I have apache 1.3.34 running on a ubuntu linux box. ...
    (comp.protocols.kerberos)
  • Re: Kerberos and Group membership
    ... Has anyone used Kerberos in Windows 2000\2003 server environment? ... "Active Directory" is basically a KDC and an LDAP server. ... doing Kerberos authentication to W2K or Windows 2003? ...
    (comp.protocols.kerberos)
  • Re: Windows authentication query
    ... trusts) cannot be authenticated by Kerberos due to the absence of a common ... > Kerberos Authentication works find with FQDN. ... a client on the internet would not be able to connect ... >: over an intranet). ...
    (microsoft.public.inetserver.iis.security)
  • RE: Activesync HTTP_500
    ... One of the main causes of the HTTP_500 error is if Kerberos authentication ... From a command prompt on the Exchange 2000 computer, ... WSS but its best not to have WSS installed on an Exchange Server. ...
    (microsoft.public.exchange.clients)
  • Re: How to set up Kerberos authentication? (some code :)
    ... The Web server must be a member of a Windows 2000 or Windows Server 2003 ... requirements on the Web server to integrated, you will get your Kerberos ... Does Kerberos authentication only work when you ...
    (microsoft.public.windows.server.security)