Re: Cannot find domain controller



In news:FgVYi.7397$9h.5160@xxxxxxxxxxxxxxxxxxxxxx,
Austin Osuide <austin@xxxxxxxxxxx> typed:
Hi Ace,
For my edification and that of others, can you explain what you mean
by: " The SPN record for the domain controller is used by the SPNEGO
and is based on the PTR for the DC" ?
Any pointer to where SPNEGO is dependent on PTR records?
SPNEGO is AFAIK, a (usually HTTP) Client/Server AUTHENTICATION
NEGOTIATION Mechanism (i.e. what do you talk? NTLM or Kerberos).
Even this KB says nothing of PTR records:
http://support.microsoft.com/kb/824217


Regards,


Austin

It's all about Kerberos. That article does not have enough info in it to
help you, nor does http://support.microsoft.com/kb/823712. If you search
back in these groups for 40960, 40961, SPNEGO, and/or LsaSrv you will find
posts that discuss it and the fix, being that to fix an SPNEGO error, it
needs a reverse zone with a PTR for the DC. Kerberos is purely DNS based.
Kerberos uses the FQDN to identify itself as well as to confirm with the
PTR, hence it's "ego." NTLM is not a factor here since Kerberos is what's
being used. Also HTTP has nothing to do with AD authentication. I understand
there are other uses for the SPN, but Kerberos is the key thing with this
issue.

See if this helps you out:
http://eventid.net/display.asp?eventid=40961&eventno=1398&source=LsaSrv&phase=1

I hope that helps.

Ace
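
The condition this reply describes, a PTR in the reverse zone that matches the DC's FQDN, can be checked mechanically. The following is an added example, not part of the original thread; the host names, addresses, records and helper names (`canon`, `lookup`, `check_dc`) are constructed for illustration.

```python
import ipaddress

# Constructed sample records (not from the thread). Keys are lower-case,
# fully qualified names with a trailing dot.
RECORDS = {
    "dc1.corp.example.": [("A", "192.168.1.10")],
    "dc2.corp.example.": [("A", "192.168.1.11")],
    "dc3.corp.example.": [("A", "192.168.1.12")],
    "10.1.168.192.in-addr.arpa.": [("PTR", "DC1.corp.example.")],
    "11.1.168.192.in-addr.arpa.": [("PTR", "oldserver.corp.example.")],
    # 192.168.1.12 deliberately has no PTR record.
}

def canon(name):
    """DNS names compare case-insensitively; normalise to 'name.'."""
    return name.rstrip(".").lower() + "."

def lookup(records, name, rtype):
    """Return the data of every record of type rtype stored under name."""
    return [data for t, data in records.get(canon(name), []) if t == rtype]

def check_dc(records, fqdn):
    """Forward-confirmed reverse DNS check for one domain controller.

    Returns one (ip, status, ptr_targets) tuple per A record of fqdn.
    """
    addrs = lookup(records, fqdn, "A")
    if not addrs:
        return [(None, "NO_A_RECORD", [])]
    results = []
    for ip in addrs:
        # 192.168.1.10 -> 10.1.168.192.in-addr.arpa
        rev_name = ipaddress.ip_address(ip).reverse_pointer
        ptrs = [canon(p) for p in lookup(records, rev_name, "PTR")]
        if not ptrs:
            status = "MISSING_PTR"      # no reverse zone entry for this address
        elif canon(fqdn) in ptrs:
            status = "OK"               # PTR points back at the DC's FQDN
        else:
            status = "PTR_MISMATCH"     # stale PTR naming a different host
        results.append((ip, status, ptrs))
    return results

if __name__ == "__main__":
    for dc in ("dc1.corp.example", "dc2.corp.example", "dc3.corp.example"):
        for ip, status, ptrs in check_dc(RECORDS, dc):
            print(f"{dc:20} {ip:15} {status:13} {ptrs}")
```

To run it against a live environment, replace `lookup` with a function that queries the domain's DNS server and returns the same list of record data.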

