Re: Re-Post - "the trust relationship between this workstation and



Adding a local user to a workstation (that's also joined to the domain). The
account is NEW to the workstation. Account gets restricted access in AD but
needs admin group priv at workstation level. Worked in the past.

How does that work? Have you enabled anonymous access to AD, or have you
created a user in the AD with the same username and password as the local
one?

The above statement confuses me. Your replies indicate you're having issues
creating local objects. How do these access AD? It sounds like what you
want to do is add domain objects into local groups. Any chance you can
explain your requirements here? I appreciate you have a crap app that needs
local admin permissions, but do you want your users to use an alternate
account when running this app, e.g. local account via RUNAS, or do you want
them to use their domain account?


The Kerberos issue is something I brought up several times but have not
gotten a good response from yet other than checking time/date between the
DC/DNS & the workstation. That's fine now but same problem. Information I
have found searching is pretty vague. I'm open to suggestions here.

[FATAL] Kerberos does not have a ticket for host/RM-7-1.contoso.org

What is RM-7-1? Is it the workstation?

What happens if you purge your ticket cache and try establishing
connection(s) to the hosts and services again?

HOST is a generic SPN that references most of the services running on the
host machine that aren't explicitly defined via SPN. The SAM is included in
this, so if there's no HOST SPN you might not be able to resolve the SAM
SPN. I don't know how important this is, it depends if the client is using
SPN to locate a given interface.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
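
The two checks raised in the reply above (whether a HOST SPN is registered for the machine, and what happens after purging the ticket cache), as an added PowerShell example that is not part of the original post. It assumes a domain-joined Windows client where setspn and klist (including `klist get`) are built in; Test-HostSpn is a hypothetical helper name, the target name is taken from the error line in the thread, and the sample setspn output is constructed.

```powershell
# Added example; Test-HostSpn is a hypothetical helper name.
# Target name comes from the "[FATAL] Kerberos does not have a ticket" line in the thread.
$Target = 'RM-7-1.contoso.org'

function Test-HostSpn {
    # Parse `setspn -L <computer>` output and report which HOST SPN forms are registered.
    param([string[]]$SetspnOutput, [string]$Fqdn)
    $short = $Fqdn.Split('.')[0]
    # SPN lines are indented "class/name" tokens; the header line contains spaces and is skipped.
    $spns = @($SetspnOutput | ForEach-Object { $_.Trim() } |
              Where-Object { $_ -match '^[^/\s]+/\S+$' })
    [pscustomobject]@{
        HostFqdn  = $spns -contains "HOST/$Fqdn"    # -contains compares case-insensitively
        HostShort = $spns -contains "HOST/$short"
        Spns      = $spns
    }
}

# Constructed sample of setspn -L output for a computer account with no HOST SPNs.
$sample = @(
    'Registered ServicePrincipalNames for CN=RM-7-1,CN=Computers,DC=contoso,DC=org:',
    '        TERMSRV/RM-7-1.contoso.org',
    '        RestrictedKrbHost/RM-7-1'
)
Test-HostSpn -SetspnOutput $sample -Fqdn $Target | Format-List

# Live checks, run on the workstation in the affected user's logon session.
if (Get-Command setspn.exe -ErrorAction SilentlyContinue) {
    $live = Test-HostSpn -SetspnOutput (setspn.exe -L $Target.Split('.')[0]) -Fqdn $Target
    if (-not ($live.HostFqdn -and $live.HostShort)) {
        Write-Warning "HOST SPN missing on $Target; registered: $($live.Spns -join ', ')"
    }
    klist.exe purge | Out-Null                 # drop cached tickets for this logon session
    klist.exe get "host/$Target" | Out-Null    # request a fresh service ticket
    # The cache should now list a ticket whose Server field is host/<fqdn>.
    if (klist.exe | Select-String -SimpleMatch "host/$Target") {
        "Service ticket for host/$Target obtained"
    } else {
        Write-Warning "Still no ticket for host/$Target after purge"
    }
}
```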