Re: AD, Kerberos, MOSS, Fails are remote site, works locally.
- From: Gerhard <Gerhard@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 21 Aug 2007 04:42:02 -0700
I can't drop the security between the sites... so opening all of the ports
will be an issue... maybe I can do it on one client.
There are no systems that are not part of the domain that can hit the MOSS
server, but when Kerberos is turned on, the client PC just sits there.
Nope, no proxy servers, etc.
I'm not seeing any errors related to IIS in the App, Security, or System logs.
There is one MOSS error, but that's a 7888 error which MS states is
normal and will be fixed in SP1 of MOSS.
There is also a Kerberos error "BAD_OPTION," but that's because the tickets
are longer than one UDP packet can accommodate... so the server generates an
error and falls back to TCP. (I only see the error because I turned on
Kerberos logging.)
I'm perplexed. I don't seem to be getting any errors, in fact, the security
log shows that people are all successfully hitting the MOSS server.
"Anthony" wrote:
Gerhard,
Just a few thoughts:
- Does it work OK if you connect from a server at a remote site (i.e. open ports)?
- or from a PC that is not in the domain at all?
- Do the remote sites use an http proxy server?
- What failure does the IIS log show on the MOSS server?
Anthony,
http://www.airdesk.co.uk
"Gerhard" <Gerhard@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:364B0010-5C36-4D1F-AABB-9968C7A6C987@xxxxxxxxxxxxxxxx
I've got a SharePoint 2007 single server setup. I've configured Kerberos
authentication to work with MOSS 2007, the SQL server, et al. I've got
no problems at the primary site. (Which consists of MOSS, SQL 2005, and
Windows 2003 AD controllers, all at that site.)
However, I've got a few remote sites, and they have a firewall / TippingPoint
in between them on the VPN tunnel that connects the sites. All SERVERS
between the sites can see each other and communicate unrestricted with
each other.
Everyone at the primary site (local) can use the MOSS 2007 server without
issue and are clearly authenticating via Kerberos. The people at the remote
sites seem to just sit for a while and then get a "cannot view this page"
error... (though things should fall back to NTLM.)
I've got port 88 open for the clients between the remote sites and the MOSS
2007 server, and each site has its own set of AD DCs... and my understanding
is that each Windows domain controller should be able to give Kerberos
tickets without issue. [i.e. Kerberos shouldn't be restricted to just one
DC]
Lastly, a scan of the network traffic does show AS-REQ/AS-RES/TGT-REQ/TGT-RES
as KRB5 packets...
For the life of me I can't figure out why the remote sites (who are all part
of the same domain) can't use Kerberos to authenticate to the MOSS 2007
server.
I do have the SPNs configured properly, or Kerberos wouldn't work at the
primary site. Also the user accounts and various computer accounts have
been properly configured for delegation, etc.
What would cause the local clients at a site to authenticate without issue,
but cause users at the remote sites to not be able to authenticate via
Kerberos?
Thanks.
Gerhard
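As an added diagnostic (not part of this thread or Gerhard's environment): a PowerShell check a remote-site client can run to confirm that the UDP-to-TCP fallback Gerhard describes actually has a path to its domain controllers. It reads the Kerberos `MaxPacketSize` registry value that governs the switch to TCP, asks the DC locator which DC this client is using, and tests TCP/88 to every DC it can enumerate; the 2-second connect timeout is an arbitrary choice.

```powershell
# Added diagnostic, not from the thread. Run on a domain-joined client at a
# remote site. Assumes the client can resolve its DCs; the timeout is arbitrary.

$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# MaxPacketSize: Kerberos requests larger than this byte count are sent over
# TCP instead of UDP. A value of 1 forces TCP for every request, which avoids
# the "UDP too small, retry over TCP" round-trip entirely.
$maxPacket = (Get-ItemProperty -Path $kerbParams -Name MaxPacketSize `
              -ErrorAction SilentlyContinue).MaxPacketSize
if ($null -eq $maxPacket) {
    Write-Output 'MaxPacketSize not set (OS default; large tickets fall back to TCP)'
} else {
    Write-Output "MaxPacketSize = $maxPacket"
}

function Test-Tcp88 {
    # Returns $true if a TCP connection to port 88 completes within the timeout.
    param([string]$HostName, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, 88, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# The DC the locator picks for this client; it should sit in the client's own site.
$chosen = $domain.FindDomainController()
Write-Output "Locator DC: $($chosen.Name) (site $($chosen.SiteName))"

# A DC that answers on UDP/88 but not TCP/88 explains a client that hangs as
# soon as its ticket outgrows a single UDP datagram.
foreach ($dc in $domain.DomainControllers) {
    $state = if (Test-Tcp88 -HostName $dc.Name) { 'open' } else { 'BLOCKED/timeout' }
    Write-Output ('{0,-40} site={1,-15} TCP/88 {2}' -f $dc.Name, $dc.SiteName, $state)
}
```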