Re: KRB Error



I'm heading out the door for the day, but there is something tickling the back of my brain about differences with Authenticated Users from Windows 2000 to 2003. I'm guessing that there is just something in the permissions that needs to be changed but I don't have a clear picture of what it is yet...

I'll try to do some digging tonight if nobody else has identified the issue by then...

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]


"danbos" <danbos@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:671A3283-7EE7-4DAC-A4F2-2BFEA7679990@xxxxxxxxxxxxxxxx
The server on Domain A is a member of Domain A. User is from domain B. I
discovered something very interesting. I am logged on to the server (member
server of Domain A) as a Domain Administrator. If I attempt to access any
resources on Domain B I am successful so long as it isn't a resource on a
Domain Controller in Domain B. If I attempt to access a resource on a
domain controller I am prompted with a username and Password. If I enter
proper credentials of a user on Domain B I receive a login unsuccessful;
however, going to the event log on Domain B I see a successful login
followed by a successful user logoff. Another Twist, if I log onto Domain A
and try to access resources on Domain B I am successful. It appears that
Member servers on Domain A cannot access resources on Domain B.

I do not have this problem with the opposite direction; I can access
resources from a Member server on Domain B to a member server or DC on Domain
A.


Furthermore, when I attempt to add users (Domain A users) on a share on a
Domain Controller in Domain B I do not have the option to access users from
Domain A from the list (I am unable to switch to Domain A users as when I
attempt to choose the location for Domain A it does not appear); however, on
any member of Domain B, I do get the location of Domain A and I am able to
set security settings for any member of Domain A on the member resource.

"Mike Shepperd" wrote:

If this domain was not upgraded from NT4, can you provide more detail about
the testing you've done?

Call them:
Domain A = Windows 2000
Domain B = Windows 2003

Test server is a member of Domain ?
User is from Domain ?

Do all users in Domain ? have the same login problem when logging into a
server in Domain ?
What is the error presented when trying to login?

What about when you reverse the scenario. User from Domain B logging into
server in Domain A?

Do you see any KRB errors (within ethereal) when those users login to
machines on their own domain?

The more you can do to pin down under exactly what circumstances the problem
occurs will help identify the cause.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

[This posting is provided AS-IS, with no warranties and confers no rights]


"Danny Sanders" <DSanders@xxxxxxxxxxxxxxx> wrote in message
news:%23ozRVUoDHHA.3520@xxxxxxxxxxxxxxxxxxxxxxx
> See if this link helps:
> http://support.microsoft.com/kb/328570/en-us
>
>
> hth
> DDS
> "danbos" <danbos@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:958B7BB8-8C19-4148-943E-82CCC199A6C6@xxxxxxxxxxxxxxxx
>> I am getting a Kerberos error when attempting to authenticate a user from
>> a Windows 2000 domain to a Windows 2003 Domain that has a two way trust
>> (separate forests). I am able, from the DC's, to select users from the
>> other domain and add them to shared objects; however, when attempting to
>> authenticate from a server connected to the Win2K domain to the AD of the
>> Windows 2003 Domain it is failing the KRB authentication. Using Ethereal,
>> I see that the AS-Request is sent; however, the Windows 2003 Server is
>> sending back a KRB error (KRB5KDC_ERR_PREAUTH_FAILED) MESSAGE. I am certain
>> that the credentials of the user are correct. The event log has event ID
>> 675 with the following information
>> Pre-Authentication Type: 0x2
>> Failure Code: 0x18
>>
>> I am stumped and any information to point me to a solution would be much
>> appreciated.
>
>


