Re: Kerberos interoperablity with import NT4 users and WRQ Reflections


From: Alex Zhang (v-qiz_at_online.microsoft.com)
Date: 03/15/04


Date: Mon, 15 Mar 2004 11:36:53 GMT

Hello Jason,

Thank you for your reply.

For your question: that conflict between Windows 2000 Kerberos version and
the MIT version of Kerberos, I am glad to provide some related information
to you:
http://www.blackhat.com/presentations/bh-europe-00/Rooster_Glaser/RoosterJDGlaser.ppt

Windows 2000 Kerberos Interoperability
http://web.mit.edu/pismere/MSR-Summer-2000/DAY1_Finished/KerberosWorkshop_Interoperability/default.htm

Kerberos Security
http://www.mcmcse.com/win2k/guides/kerberos.shtml

Windows 2000 added some new user attributes such as "Use DES encryption
types for this account" for users. Therefore, the option is not available
for users that migrated from NT domain.

To understand the issue better, I'd like to confirm the following
information with you:
1. If you enable the DES option selected as I suggested, does the WRQ
Reflections program work?
2. What's the error message?
3. After you add an entry into the host file, does the WRQ program work?
4. You could rejoin your windows 2000 client to domain. Remove the client
from the domain and then rejoin to domain.

This response contains a reference to a third-party World Wide Web site.
Microsoft is providing this information as a convenience to you. Microsoft
does not control these sites and has not tested any software or information
found on these sites; therefore, Microsoft cannot make any representations
regarding the quality, safety, or suitability of any software or
information found there. There are inherent dangers in the use of any
software found on the Internet, and Microsoft cautions you to make sure
that you completely understand the risk before retrieving any software from
the Internet.

I hope the information proves helpful!
If you have any questions please do not hesitate to let me know. I am glad
to be of assistance.
Have a nice day!
Thanks and regards,
Alex Zhang
Microsoft Partner Online Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Reply-To: "Jason" <jason.yarberry@atlantisplastics.com>
| From: "Jason" <jason.yarberry@atlantisplastics.com>
| References: <#6Wvr56BEHA.580@TK2MSFTNGP11.phx.gbl> <v0tF$wCCEHA.564@cpmsftngxa06.phx.gbl>
| Subject: Re: Kerberos interoperablity with import NT4 users and WRQ Reflections
| Date: Fri, 12 Mar 2004 13:33:55 -0500
| Lines: 103
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| Message-ID: <O1HZWCGCEHA.2164@TK2MSFTNGP10.phx.gbl>
| Newsgroups: microsoft.public.win2000.active_directory
| NNTP-Posting-Host: port29.atlantisplastics.com 65.83.39.93
| Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP10.phx.gbl
| Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.active_directory:69727
| X-Tomcat-NG: microsoft.public.win2000.active_directory
|
| Alex,
| The WRQ Reflections program has a problem with the Kerberos authentication
| when you use it to access a Unix host. I will have to get the exact error
| message for you.
|
| We are using Windows 2000 (SP2,SP3) Pro as the client. We found the DNS
| request failed the authentication, unless you add an entry into the host
| file on the computer. I am able to ping/resolve the name easily before
| modifying the host file with no problems. Strange.
|
| We did notice that any users that were imported from the old NT4 domain do
| not have the DES item enabled. Any new users do. Is this a known issue?
|
| Are there any known issues with the Windows 2000 Kerberos version that
| conflict with the MIT version of Kerberos?
|
| Thanks
| "Alex Zhang(MSFT)" <v-qiz@online.microsoft.com> wrote in message
| news:v0tF$wCCEHA.564@cpmsftngxa06.phx.gbl...
| > Hello Jason,
| >
| > Thank you for posting here.
| >
| > To understand the issue better, I'd like to confirm the following
| > information with you:
| > 1. How do you find that clients have not the ability to work the kerberos
| > authentication? Is there any error related error message or events?
| > 2. Which kind of clients do not have the ability? Do you refer to computers
| > or users for "clients"?
| >
| > The "Use DES encryption types for this account" and the "Don't require
| > Kerberos Preauthentication" check boxes are controlled by bits that are set
| > in the userAccountControl field of the Active Directory.
| >
| > You could try to open the "Active Directory Users and Computers" and set
| > the userAccountControl value to be '66048'. For more information about
| > how to modify the values of userAccountControl you may browse the following
| > website:
| >
| > How to Use the UserAccountControl Flags to Manipulate User Account
| > Properties
| > http://support.microsoft.com/default.aspx?scid=KB;EN-US;305144
| >
| > I hope the information proves helpful!
| > If you have any questions please do not hesitate to let me know. I am glad
| > to be of assistance.
| > Thanks and regards,
| > Alex Zhang
| > Microsoft Partner Online Support
| > Get Secure! - www.microsoft.com/security
| > =====================================================
| > When responding to posts, please "Reply to Group" via your newsreader so
| > that others may learn and benefit from your issue.
| > =====================================================
| > This posting is provided "AS IS" with no warranties, and confers no rights.
| > --------------------
| > | Reply-To: "Jason" <jason.yarberry@atlantisplastics.com>
| > | From: "Jason" <jason.yarberry@atlantisplastics.com>
| > | Subject: Kerberos interoperablity with import NT4 users and WRQ Reflections
| > | Date: Thu, 11 Mar 2004 16:18:36 -0500
| > | Lines: 15
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1158
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
| > | Message-ID: <#6Wvr56BEHA.580@TK2MSFTNGP11.phx.gbl>
| > | Newsgroups: microsoft.public.win2000.active_directory
| > | NNTP-Posting-Host: port29.atlantisplastics.com 65.83.39.93
| > | Path: cpmsftngxa06.phx.gbl!cpmsftngxa10.phx.gbl!TK2MSFTNGXA05.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
| > | Xref: cpmsftngxa06.phx.gbl microsoft.public.win2000.active_directory:69628
| > | X-Tomcat-NG: microsoft.public.win2000.active_directory
| > |
| > | Has anyone encountered a problem with getting Windows 2000 kerberos running
| > | with the WRQ client connections?
| > |
| > | We have a problem with any clients that were imported over from the NT 4
| > | domain not having the ability to work the kerberos authentication. We were
| > | able to create new users that did not have the problem.
| > |
| > | I found the NT4 imported users do not have the option "Use DES encryption
| > | types for this account" selected, whereas the newly created users do.
| > |
| > | Is this a known issue?
| > |
| > | Suggestions?
| > |
| > |
| > |
| >
|
|
|
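
The userAccountControl bit field discussed in this thread, as an added example that is not part of the original posts: a Python sketch that decodes a value into flag names from KB 305144, sets one bit without disturbing the others, and lists accounts carrying the two Kerberos-related bits. The account names and their values are constructed; 66048 is the value quoted in the thread.

```python
from enum import IntFlag


class UAC(IntFlag):
    """Subset of the userAccountControl bits documented in KB 305144."""
    ACCOUNTDISABLE = 0x0002
    PASSWD_NOTREQD = 0x0020
    NORMAL_ACCOUNT = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    NOT_DELEGATED = 0x100000
    USE_DES_KEY_ONLY = 0x200000    # "Use DES encryption types for this account"
    DONT_REQ_PREAUTH = 0x400000    # "Don't require Kerberos Preauthentication"
    PASSWORD_EXPIRED = 0x800000


# The two check boxes the thread is about.
KERBEROS_BITS = int(UAC.USE_DES_KEY_ONLY | UAC.DONT_REQ_PREAUTH)


def decode(value):
    """Return the names of the known flags set in value, lowest bit first."""
    return [flag.name for flag in UAC if value & flag]


def set_flags(value, flags):
    """OR flags into value so every bit that was already set is preserved."""
    return value | int(flags)


def audit(accounts):
    """Map account name -> Kerberos-related flags, for accounts that have any."""
    return {name: decode(uac & KERBEROS_BITS)
            for name, uac in accounts.items() if uac & KERBEROS_BITS}


# Constructed sample data: sAMAccountName -> userAccountControl
SAMPLE_ACCOUNTS = {
    "migrated_nt4_user": 66048,    # value quoted in the thread
    "new_user": 2163200,           # 66048 with USE_DES_KEY_ONLY added
    "svc_legacy": 4194816,         # NORMAL_ACCOUNT + DONT_REQ_PREAUTH
}

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name}: {uac} (0x{uac:X}) -> {decode(uac)}")
    print("Kerberos-related bits set:", audit(SAMPLE_ACCOUNTS))
```

Writing a whole number into userAccountControl replaces every bit at once, so read the current value and OR in the single flag you need, as `set_flags` does.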


