Re: Kerberos Help!




Joe -

How do I run the LDAP filter, and with which program?

ldifde




Joe Kaplan wrote:
I'd start by searching the forest for both of those SPNs and seeing if there
is a duplicate. An LDAP filter like:

(servicePrincipalName=host/phmaindc1.phippsny.org) issued against the GC
should do it.

If there is more than one account in the forest that has either of those two
SPNs, you need to fix that.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"HbooGz" <hboogz@xxxxxxxxx> wrote in message
news:1163696842.245146.312570@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I am having continued issues with Kerberos. I tried running tokensz
against the problem server and I get this error message:

C:\Tools>tokensz /compute_tokensize /package:negotiate /use_delegation /target_server:host/phmaindc1

Name: Negotiate Comment: Microsoft Package Negotiator
Current PackageInfo->MaxToken: 12128

Asked for delegate, but didn't get it.
Check if server is trusted for delegation.

QueryKeyInfo:
Signature algorithm =
Encrypt algorithm = RSADSI RC4
KeySize = 128
Flags = 2001c
Signature Algorithm = -138
Encrypt Algorithm = 26625
QueryContextAttributes (lifespan): Status = 0x80090302 SEC_E_NOT_SUPPORTED


Any ideas?

I also get these messages every few hours:

Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 11/16/2006
Time: 12:02:37 PM
User: N/A
Computer: PHMAINDC1
Description:
The kerberos client received a KRB_AP_ERR_MODIFIED error from the
server host/phmaindc1.phippsny.org. The target name used was
host/phprint1. This indicates that the password used to encrypt the
kerberos service ticket is different than that on the target server.
Commonly, this is due to identically named machine accounts in the
target realm (PHIPPSNY.ORG), and the client realm. Please contact
your system administrator.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Help!
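
Added example, not part of the original thread: one way to act on the advice above is to export servicePrincipalName values to LDIF (ldifde writes that format) and check offline for any SPN held by more than one account. The sample export, the OLDBOX account and the function names are constructed for illustration; the parser handles folded lines, base64 values and case-insensitive SPN comparison.

```python
import base64
from collections import defaultdict

# Constructed sample (not from the thread): the shape of an LDIF export such as
#   ldifde -f spns.ldf -s <gc-server> -t 3268 -d "<base DN>" -r "(servicePrincipalName=*)" -l servicePrincipalName
# <gc-server> and <base DN> are placeholders; CN=OLDBOX is a made-up account.
SAMPLE_LDIF = """\
dn: CN=PHMAINDC1,OU=Domain Controllers,DC=phippsny,DC=org
servicePrincipalName: HOST/phmaindc1.phippsny.org
servicePrincipalName: HOST/PHMAINDC1

dn: CN=PHPRINT1,CN=Computers,DC=phippsny,
 DC=org
servicePrincipalName: HOST/phprint1.phippsny.org

dn: CN=OLDBOX,CN=Computers,DC=phippsny,DC=org
servicePrincipalName:: aG9zdC9waG1haW5kYzEucGhpcHBzbnkub3Jn
"""

def parse_ldif(text):
    """Yield (dn, [spn, ...]) per record, handling folded lines and base64 values."""
    # An LDIF continuation line is a newline followed by exactly one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for record in unfolded.split("\n\n"):
        dn, spns = None, []
        for line in record.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            elif name.lower() == "serviceprincipalname":
                spns.append(value)
        if dn:
            yield dn, spns

def duplicate_spns(text):
    """Return {lowercased SPN: sorted [dn, ...]} for SPNs held by more than one account."""
    owners = defaultdict(set)
    for dn, spns in parse_ldif(text):
        for spn in spns:
            owners[spn.lower()].add(dn)  # SPN matching is case-insensitive
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    print(duplicate_spns(SAMPLE_LDIF))
```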

