Re: KRB Error
- From: "Mike Shepperd" <newsgroups a t sunfiresolutions d o t com>
- Date: Tue, 28 Nov 2006 13:07:21 -0800
My listed e-mail is valid if you format it correctly.
--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA
[This posting is provided AS-IS, with no warranties and confers no rights]
"danbos" <danbos@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:8D765031-528E-4630-A9FC-4D387EA5785D@xxxxxxxxxxxxxxxx
I found some documentation regarding the tightening down. There are
approximately 4 pages of GP settings that include settings in User rights
Assignment, Security Options, and Services. Too many to post to this site.
If there is a way that I can send it to you offline that would be great.
"Mike Shepperd" wrote:
I don't suppose you've got more information about the 3rd party lockdown
tool...
There is so much that can be done with a security template that wouldn't be
obvious from any common interface that the best bet would be to identify
what changes were made. It's not clear if you've got the settings that were
applied or if you looked at settings on the live servers... If you've got
whatever specific lockdown details were applied, please post them or contact
me offline with the details.
Thanks,
--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA
[This posting is provided AS-IS, with no warranties and confers no rights]
"danbos" <danbos@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:127E980F-4511-483B-890A-60F7785EA7EC@xxxxxxxxxxxxxxxx
> I ran gpresult on both member servers, the one in question and the one that
> works fine; however, I did not notice any differences that would have any
> effect on my condition.
>
> "Mike Shepperd" wrote:
>
>> Run gpresult -v > gp.txt on the good server and on the bad server.
>> You will probably see different entries for the Local Policy in the area of
>> User Rights Assignment.
>>
>> If that's not it, or not clear, let me know.
>>
>> --
>> Mike Shepperd
>> Sunfire Solutions LLC
>> Seattle, WA
>>
>> [This posting is provided AS-IS, with no warranties and confers no
>> rights]
>>
>>
>> "danbos" <danbos@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:E11CBA59-B2B0-48F2-B819-E8E904248CF4@xxxxxxxxxxxxxxxx
>> > I believe it may be a setting in the local policy. A utility from a third
>> > party vendor was used to harden security on this server and another server,
>> > both members of Domain A. Another member server on Domain A did not have
>> > this utility run against it and it is working fine. I've gone over the
>> > settings and nothing sticks out to indicate this symptom.
>> >
>> > "Mike Shepperd" wrote:
>> >
>> >> I'm heading out the door for the day, but there is something tickling the
>> >> back of my brain about differences with Authenticated Users from Windows
>> >> 2000 to 2003. I'm guessing that there is just something in the permissions
>> >> that needs to be changed but I don't have a clear picture of what it is
>> >> yet...
>> >>
>> >> I'll try to do some digging tonight if nobody else has identified the issue
>> >> by then...
>> >>
>> >> --
>> >> Mike Shepperd
>> >> Sunfire Solutions LLC
>> >> Seattle, WA
>> >>
>> >> [This posting is provided AS-IS, with no warranties and confers no
>> >> rights]
>> >>
>> >>
>> >> "danbos" <danbos@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:671A3283-7EE7-4DAC-A4F2-2BFEA7679990@xxxxxxxxxxxxxxxx
>> >> > The server on Domain A is a member of Domain A. User is from Domain B. I
>> >> > discovered something very interesting. I am logged on to the server (member
>> >> > server of Domain A) as a Domain Administrator. If I attempt to access any
>> >> > resources on Domain B I am successful so long as it isn't a resource on a
>> >> > Domain Controller in Domain B. If I attempt to access a resource on a
>> >> > domain controller I am prompted with a username and Password. If I enter
>> >> > proper credentials of a user on Domain B I receive a login unsuccessful;
>> >> > however, going to the event log on Domain B I see a successful login
>> >> > followed by a successful user logoff. Another twist, if I log onto Domain A
>> >> > and try to access resources on Domain B I am successful. It appears that
>> >> > Member servers on Domain A cannot access resources on Domain B.
>> >> >
>> >> > I do not have this problem with the opposite direction; I can access
>> >> > resources from a Member server on Domain B to a member server or DC on
>> >> > Domain A.
>> >> >
>> >> >
>> >> > Furthermore, when I attempt to add users (Domain A users) on a share on a
>> >> > Domain Controller in Domain B I do not have the option to access users from
>> >> > Domain A from the list (I am unable to switch to Domain A users as when I
>> >> > attempt to choose the location for Domain A it does not appear); however, on
>> >> > any member of Domain B, I do get the location of Domain A and I am able to
>> >> > set security settings for any member of Domain A on the member resource.
>> >> >
>> >> > "Mike Shepperd" wrote:
>> >> >
>> >> >> If this domain was not upgraded from NT4, can you provide more detail about
>> >> >> the testing you've done?
>> >> >>
>> >> >> Call them:
>> >> >> Domain A = Windows 2000
>> >> >> Domain B = Windows 2003
>> >> >>
>> >> >> Test server is a member of Domain ?
>> >> >> User is from Domain ?
>> >> >>
>> >> >> Do all users in Domain ? have the same login problem when logging into a
>> >> >> server in Domain ?
>> >> >> What is the error presented when trying to login?
>> >> >>
>> >> >> What about when you reverse the scenario. User from Domain B logging into
>> >> >> server in Domain A?
>> >> >>
>> >> >> Do you see any KRB errors (within ethereal) when those users login to
>> >> >> machines on their own domain?
>> >> >>
>> >> >> The more you can do to pin down under exactly what circumstances the problem
>> >> >> occurs will help identify the cause.
>> >> >>
>> >> >> --
>> >> >> Mike Shepperd
>> >> >> Sunfire Solutions LLC
>> >> >> Seattle, WA
>> >> >>
>> >> >> [This posting is provided AS-IS, with no warranties and confers no
>> >> >> rights]
>> >> >>
>> >> >>
>> >> >> "Danny Sanders" <DSanders@xxxxxxxxxxxxxxx> wrote in message
>> >> >> news:%23ozRVUoDHHA.3520@xxxxxxxxxxxxxxxxxxxxxxx
>> >> >> > See if this link helps:
>> >> >> > http://support.microsoft.com/kb/328570/en-us
>> >> >> >
>> >> >> >
>> >> >> > hth
>> >> >> > DDS
>> >> >> > "danbos" <danbos@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> >> > news:958B7BB8-8C19-4148-943E-82CCC199A6C6@xxxxxxxxxxxxxxxx
>> >> >> >> I am getting a Kerberos error when attempting to authenticate a user from a
>> >> >> >> Windows 2000 domain to a Windows 2003 Domain that has a two way trust
>> >> >> >> (separate forests). I am able, from the DC's, to select users from the
>> >> >> >> other domain and add them to shared objects; however, when attempting to
>> >> >> >> authenticate from a server connected to the Win2K domain to the AD of the
>> >> >> >> Windows 2003 Domain it is failing the KRB authentication. Using Ethereal,
>> >> >> >> I see that the AS-Request is sent; however, the Windows 2003 Server is
>> >> >> >> sending back a KRB error (KRB5KDC_ERR_PREAUTH_FAILED) MESSAGE. I am certain
>> >> >> >> that the credentials of the user are correct. The event log has event ID
>> >> >> >> 675 with the following information
>> >> >> >> Pre-Authentication Type: 0x2
>> >> >> >> Failure Code: 0x18
>> >> >> >>
>> >> >> >> I am stumped and any information to point me to a solution would be much
>> >> >> >> appreciated.
>> >> >> >
>> >> >> >
>> >> >>
>> >> >>
>> >>
>> >>
>>
>>
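An added example, not part of the original thread or written by any of its posters: the good-server versus hardened-server comparison discussed above, done mechanically instead of by eye. It goes beyond the gpresult text dump by assuming each server's settings were exported as a security-template INF with `secedit /export /cfg`, where `[Privilege Rights]` holds User Rights Assignment; the function names and both sample exports are constructed for illustration.

```python
# Added example. secedit writes UTF-16 files: read with encoding="utf-16".
from collections import defaultdict

def parse_inf(text):
    """Parse security-template INF text into {section: {key: value}}."""
    sections, current = defaultdict(dict), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def items(section, value):
    """[Privilege Rights] values are unordered principal lists; others are opaque."""
    if section == "Privilege Rights":
        return {v.strip() for v in value.split(",") if v.strip()}
    return {value} if value else set()

def diff_templates(good_text, bad_text):
    """Map (section, key) -> (only on good server, only on bad server)."""
    good, bad = parse_inf(good_text), parse_inf(bad_text)
    changes = {}
    for section in sorted(set(good) | set(bad)):
        g, b = good.get(section, {}), bad.get(section, {})
        for key in sorted(set(g) | set(b)):
            gv, bv = items(section, g.get(key, "")), items(section, b.get(key, ""))
            if gv != bv:
                changes[(section, key)] = (sorted(gv - bv), sorted(bv - gv))
    return changes

# Constructed sample exports; not the settings from this thread.
GOOD = r"""[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-11
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
"""
BAD = r"""[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-7
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
"""

if __name__ == "__main__":
    for (section, key), (good_only, bad_only) in diff_templates(GOOD, BAD).items():
        print(f"[{section}] {key}: good-only={good_only} bad-only={bad_only}")
```

Principals are compared as sets, so a right whose members were only reordered by the lockdown tool does not show up as a difference.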