Re: Kerberos is not working when "selective authentication" on the forest trust is enabled




Have you enabled Kerberos Logging?
http://support.microsoft.com/kb/262177

It would also be good to see the previous packet from the client to the
server. The whole conversation would be ideal, but I can understand not
posting that info on the net...

If you're stuck beyond what can be done on the newsgroups (I'm pretty
experienced in troubleshooting Kerb issues, but not an expert), I've got a
consultant on my team who is a Kerberos expert and could probably get it
resolved pretty quickly.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

**********************************************************
"This posting is provided "AS IS" with no warranties, and confers no
rights."
**********************************************************
"Roger" <roger.zuercher@xxxxxxxx> wrote in message
news:1162290109.548554.34260@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello

When we use "selective authentication" on the one-way forest trust,
Kerberos is not working, only NTLM. When we deselect "selective
authentication" on the forest trust, Kerberos works fine to access
resources in the resource domain.

For security reasons we need "selective authentication" on the trust
and we want Kerberos as the authentication protocol.

(The domains are in W2K3 mode, service principal names for the accounts
are created)


With "selective authentication" enabled we receive the following error
from a DC in the resource domain:

No.  Time      Source        Destination     Protocol  Info
53   3.896470  159.29.17.56  159.29.193.212  KRB5      KRB Error: KRB5KDC_ERR_POLICY


Frame 53 (196 bytes on wire, 196 bytes captured)
Ethernet II, Src: Cisco_f2:6c:f0 (00:d0:bc:f2:6c:f0), Dst: CompaqCo_dc:b2:4b (00:08:02:dc:b2:4b)
Internet Protocol, Src: XXX.29.17.56 (159.29.17.56), Dst: XXX.29.193.212 (XXX.29.193.212)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 1853 (1853), Seq: 1, Ack: 1740, Len: 142
Kerberos KRB-ERROR
Record Mark: 138 bytes
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2006-10-27 09:54:51 (Z)
susec: 940079
error_code: KRB5KDC_ERR_POLICY (12)
Realm: SERVICES.XXX.YY
Server Name (Service and Instance): HTTP/personal.services.XXX.YY
Name-type: Service and Instance (2)
Name: HTTP
Name: personal.services.XXX.YY
e-data PA-PW-SALT
Type: PA-PW-SALT (3)
Value: 130400C00000000003000000
NT Status: Unknown (0xc0000413)
Unknown: 0x00000000
Unknown: 0x00000003


Does anyone have an idea?


Greetings Roger
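Added example, not part of the thread or of any Microsoft tooling: a small Python decoder for the e-data value quoted in Roger's capture. It splits the 12-byte blob into three little-endian DWORDs and names the first one as an NTSTATUS (the capture itself labels it "NT Status"); the names given to the other two fields and the reading of 0xC0000413 as the selective-authentication "Allowed to Authenticate" check are this example's assumptions, not something the thread confirms.

```python
import struct

# Constructed from the capture quoted above: the PA-DATA value the
# resource-domain KDC attached to its KRB5KDC_ERR_POLICY reply.
EDATA_HEX = "130400C00000000003000000"

# Only the status seen in the capture is mapped here.
NTSTATUS_NAMES = {
    0xC0000413: "STATUS_AUTHENTICATION_FIREWALL_FAILED",
}


def parse_kerb_ext_error(hex_value: str) -> dict:
    """Decode the e-data blob as three little-endian 32-bit fields.

    Field names are an assumption: the capture calls the first DWORD an
    NT status and leaves the other two unlabelled; they are reported here
    as (status, reserved, flags).
    """
    raw = bytes.fromhex(hex_value)
    if len(raw) != 12:
        raise ValueError(f"expected 12 bytes of e-data, got {len(raw)}")
    status, reserved, flags = struct.unpack("<III", raw)
    return {
        "status": status,
        "status_name": NTSTATUS_NAMES.get(status, "UNKNOWN"),
        "reserved": reserved,
        "flags": flags,
    }


def diagnose(parsed: dict) -> str:
    """Turn the decoded status into a defender-facing hint (assumed mapping)."""
    if parsed["status"] == 0xC0000413:
        return ("authentication firewall: with selective authentication the "
                "account is checked for 'Allowed to Authenticate' on the "
                "object that holds the requested SPN; verify that right")
    return f"unrecognised NT status 0x{parsed['status']:08X}"


if __name__ == "__main__":
    p = parse_kerb_ext_error(EDATA_HEX)
    print(f"NT status 0x{p['status']:08X} ({p['status_name']}), "
          f"reserved={p['reserved']}, flags={p['flags']}")
    print("hint:", diagnose(p))
```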
