Re: Kerberos not working across domains



You probably already gave up on getting help here, but I'm not going to be
able to solve this one. I suggest you open a ticket with PSS and ask them
to work on it directly. There are just too many moving parts for me to get
a good handle on what's up.

Sorry!

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"metric_thumbs" <mknight@xxxxxxxxxx> wrote in message
news:1190649891.481093.93960@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks for the response, Joe.
Definitely no object with the same name.
I have since cleared out all DNS and DHCP records not used, checked
root hints and forwarders, and generally gone through everything I can
think of - yet still the same. I have added a second XP client to the
BDA domain (the one without the SharePoint and Cube servers) and still
get the error within the web part at the SharePoint in the browser:


"The security database on the server does not have a computer account
for this workstation trust relationship."



Running kerb tray I can see a set of tickets issued that at first
sight look OK.
On the XP machine in the ShareP domain and displaying correctly:
e4se.net
cifs/salesdom.e4se.net
host/lassie.e4se.net
HTTP/muttley.e4se.net
krbtgt/E4SE.net
krbtgt/e4se.net
LADP/salesdom.e4se.net
ldap/salesdom.e4se.net/e4se.net


On the XP machine part of the BDA.FORD.NET domain the kerbtray results
are as follows

BDA.FORD.NET
cifs/soter.bda.ford.net
krbtgt/soter.bda.ford.net
krbtgt/soter.bda.ford.net
krbtgt/e4se.net
LADP/soter.bda.ford.net
ldap/soter.bda.ford.net/bda.ford.net
E4SE.net
HTTP/muttley.e4se.net



(soter is the domain controller for bda.ford.net, and lassie is the XP
machine)
So I would appear to be getting a ticket from the e4se domain and it
is presented against muttley, but the original error

Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: BDA.FORD.NET
Server Name: MSOLAPSvc.3/Dingo
Target Name: MSOLAPSvc.3/Di...@xxxxxxxxxxxx

Indicates to me that the OLAP server needs defining somehow, so that
the ticket knows it is in E4SE.net!!

Any comments welcome.
Thanks
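
Added example, not part of the original thread: a small Python script that parses the error fields and the second kerbtray listing quoted in the post above and summarises what they show. The function names and dictionary layout are assumptions made for illustration; the Target Name line is left out because it is truncated in the post.

```python
# Added example: field values and ticket names are copied from the post above.
EVENT = """\
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error:
Client Realm:
Client Name:
Server Realm: BDA.FORD.NET
Server Name: MSOLAPSvc.3/Dingo
"""

# Second kerbtray listing (XP client in BDA.FORD.NET), keyed by realm.
TICKETS = {
    "BDA.FORD.NET": ["cifs/soter.bda.ford.net", "krbtgt/soter.bda.ford.net",
                     "krbtgt/e4se.net", "LADP/soter.bda.ford.net",
                     "ldap/soter.bda.ford.net/bda.ford.net"],
    "E4SE.NET": ["HTTP/muttley.e4se.net"],
}

def parse_event(text):
    """Split 'Key: value' lines into a dict; blank values stay as ''."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def diagnose(text, tickets):
    """Summarise the rejected SPN and what the client already holds."""
    f = parse_event(text)
    realm = f["Server Realm"].upper()
    svc_class, _, host = f["Server Name"].partition("/")
    # krbtgt tickets listed under the server realm that name a different
    # realm are cross-realm TGTs.
    cross = sorted({s.split("/", 1)[1].upper() for s in tickets.get(realm, [])
                    if s.lower().startswith("krbtgt/")
                    and not s.lower().endswith(realm.lower())})
    holders = [r for r, spns in tickets.items()
               if any(s.lower().startswith(svc_class.lower() + "/") for s in spns)]
    return {"error": f["Error Code"].split()[-1], "server_realm": realm,
            "service_class": svc_class, "host": host,
            "host_is_fqdn": "." in host, "cross_realm_tgts": cross,
            "realms_holding_service_ticket": holders}

if __name__ == "__main__":
    for key, value in diagnose(EVENT, TICKETS).items():
        print(f"{key}: {value}")
```

For the values in the post it reports that the SPN host part is a short name, that a cross-realm TGT for E4SE.NET is held, and that no ticket for the MSOLAPSvc.3 service class is held in either realm.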


