Re: GPO problems when logon to kerberos-realm
From: Michael Sundström (anonymous_at_discussions.microsoft.com)
Date: 09/20/04
- Next message: hallstein: "Delete cached copies of roaming profiles non-working?"
- Previous message: Michael Wai: "How to restore the default template?"
- In reply to: Tim Springston [MS]: "Re: GPO problems when logon to kerberos-realm"
- Next in thread: Michael Sundström: "Re: GPO problems when logon to kerberos-realm"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 20 Sep 2004 00:53:46 -0700
Hej Tim,
I understand your reasoning, but the strange thing is that
when I put the same policy on an OU with e.g. a Windows
2000 or a Windows XP client there is no problem applying
the policy settings to the client when logging on to the
kerberos-realm (non-Microsoft). It seems only to be a
problem when logging on to a Terminal Server.
Does anyone have an explanation for this behavior?
Regards,
/Michael Sundström
Royal Institute of Technology, Sweden
>-----Original Message-----
>Hi Michael-
>
>If I understand correctly you have used KSETUP.EXE to map users your domain
>users (ALLUSERS). That sounds like it would work, however the other realm
>(the non-Microsoft one) will not have the information that the group policy
>processing will need to identify the user principal and verify that they
>have the required permissions and access to that policy or policies (the AD
>portion of it and the file system portion located in the SYSVOL).
>
>This access is identified by using security identifiers (SID) attributes on
>the Active Directory account for the user principal. I don't know how a
>non-Microsoft realm would be able to pass that along to your terminal server
>when creating the user environment at logon. If I recall correctly, most
>other environments do not have a security identifier (SID) to pass along at
>logon. That being the case, the loopback processing mode would not be an
>option when your users logon using their credentials from the other Kerberos
>realm (the non-Microsoft one).
>
>If anyone in the newsgroup has some good interoperability experience to pass
>along for Michael please add to this thread.
>--
>Tim Springston
>Microsoft Corporation
>This posting is provided "AS IS" with no warranties, and confers no rights.
>
>"Michael Sundström" <misun@nada.kth.se> wrote in message
>news:3Mm2d.103479$dP1.372838@newsc.telia.net...
>> Hej from Sweden,
>>
>> We have a Terminal Server running on Windows Server 2003. We locked it down
>> according to Microsoft white paper how to lock down a Terminal Server.
>>
>> We configured a kerberos realm with "ksetup" and using kerberos as
>> authentication method for our users.
>>
>> Because our users are not placed in the same OU as the Terminal Server we
>> have enabled "User Group Policy loopback processing mode" and it works
>> perfectly as long as the users logon to the normal windows domain. But when
>> the users logon to the kerberos-realm the GPO settings will not be applied.
>> It seems that the loopback processing mode does not work when logon to the
>> kerberos-realm.
>>
>> Does anybody know why there should be such a problem when using GPO and
>> logon to a kerberos-realm?
>> Could it be possible that we have to "activate" that the GPO settings also
>> should work for the kerberos-realm?
>>
>> Thanks in advance!
>>
>> /Michael