Re: Cannot find domain controller




In news:vynZi.34549$aF.311@xxxxxxxxxxxxxxxxxxxxx,
Austin Osuide <austin@xxxxxxxxxxx> typed:
Also Ace,
What do you refer to when you say:
"Kerberos uses the FQDN to identify itself as well as to confirm with
the PTR, hence it's "ego." "?

Can't be SPNEGO 'cause that stands for Simple and Protected GSSAPI
Negotiation Mechanism.

Regards,

Austin

AFA the SPNEGO RFC, it doesn't mention it, I do not have the specifics of
how it works, however I know what will fix it, that is requiring a PTR. A
few comments I have found in the past all point to Kerberos and SPNEGO
requiring a matching PTR for the FQDN, pretty much what the article and
comments at eventid.net imply.

This link illustrates what I mentioned above, with additional links supplied
that you can research concerning Kerberos, SPNEGO and matching FQDN PTR
requirements.
http://tp.its.yale.edu/pipermail/cas-dev/2006-March/001181.html

Another implying a requirement for a matching PTR to the FQDN:
http://grolmsnet.de/kerbtut/

Implementing SPNEGO TAI single sign-on for WebSphere applications with z/OS
and Windows Kerberos trusted realms:
http://www.ibm.com/developerworks/websphere/techjournal/0707_rogers/0707_rogers.html

How a Service Composes its SPNs
http://msdn2.microsoft.com/en-us/library/ms676921.aspx

If you are arguing the fix, I can't help you with that. I would suggest
you take that argument up with the folks who posted the fix and their
comments to eventid.net, which I may add I've found works, as well as
the articles mentioned above.

Curious, did you find the comments and fixes mentioned in the eventid.net
article helpful?

And yes, I know SPNEGO stands for Simple and Protected Generic Security
Service Application Program Interface (GSS-API) Negotiation Mechanism. As
far as the SPNEGO and Kerberos, Kerberos is looking for the PTR, and if it
does not exist, you will get those errors. It may have something to do with
the uniqueness requirements in the forest, but I don't have anything else to
offer beyond that, for which I apologize.

The SPNEGO "ego" was more of a joke, nothing else.

Cheers!

Ace
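
Added example, not part of Ace's post or of the linked articles: a small Python check for the condition discussed in this thread, namely whether each A record of a host's FQDN has a PTR that names the same FQDN. The host names and addresses are constructed samples, and `check_ptr`, `check_sample` and the resolver helpers are names made up for this example.

```python
import socket

def _norm(name):
    """Lower-case and drop the trailing dot so DNS names compare equal."""
    return name.rstrip(".").lower()

def resolve_forward(fqdn):
    """IPv4 addresses for fqdn from the system resolver ([] if none)."""
    try:
        return socket.gethostbyname_ex(fqdn)[2]
    except OSError:          # gaierror/herror are OSError subclasses
        return []

def resolve_reverse(ip):
    """Reverse-lookup names for ip from the system resolver ([] if none)."""
    try:
        primary, aliases, _ = socket.gethostbyaddr(ip)
        return [primary] + aliases
    except OSError:
        return []

def check_ptr(fqdn, forward=resolve_forward, reverse=resolve_reverse):
    """Return (ip, status, ptr_names) for every A record of fqdn.

    status is 'match' (a PTR names fqdn), 'mismatch' (PTR exists but
    names another host) or 'missing' (no PTR). [] means no A record.
    """
    results = []
    for ip in forward(fqdn):
        names = [_norm(n) for n in reverse(ip)]
        if not names:
            status = "missing"
        elif _norm(fqdn) in names:
            status = "match"
        else:
            status = "mismatch"
        results.append((ip, status, names))
    return results

# Constructed sample zone data (documentation address range), used offline.
SAMPLE_A = {"dc1.corp.example": ["192.0.2.10", "192.0.2.11"],
            "dc2.corp.example": ["192.0.2.20"]}
SAMPLE_PTR = {"192.0.2.10": ["DC1.corp.example."],
              "192.0.2.20": ["oldhost.corp.example"]}

def check_sample(fqdn):
    """Run check_ptr against the constructed sample data above."""
    return check_ptr(fqdn, forward=lambda n: SAMPLE_A.get(n, []),
                     reverse=lambda ip: SAMPLE_PTR.get(ip, []))
```

Calling `check_ptr("your-dc-fqdn")` with the default resolvers queries whatever the local system resolver returns, so run it from the machine that logs the errors.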

