Re: Kerberos realm referral problem




Joseph,

Thanks for the info, that explains a lot.

-Wes

"Joseph Corey" wrote:

Wes,

You don't have a Kerberos referral problem. External trusts don't use Kerberos. What you're seeing is the client going to the DC to check for any SPNs that might be configured for RPCSS\server1.peanut.com. When nothing is found, you get a KDC_ERR_S_PRINCIPAL_UNKNOWN back.

The only way to use Kerberos across a trust is with a Forest trust or an MIT Realm trust.

--
Joseph T. Corey MCSE, MCITP-EA
Windows Systems Administrator

-----Original Message-----
From: WesE [mailto:WesE@xxxxxxxxxxxxxxxx]
Posted At: Tuesday, September 30, 2008 4:11 PM
Posted To: microsoft.public.windows.server.active_directory
Conversation: Kerberos realm referral problem
Subject: Kerberos realm referral problem

Hello,

I am troubleshooting what I believe to be a Kerberos realm referral problem. This is all Win 2003 and XP.

The environment looks like this: resource servers are in the peanut.com domain, the users are in the cashew.nut domain. Peanut.com is a single domain forest. Cashew is the child domain of nut. Peanut.com trusts cashew.nut; this is an external trust. Users in cashew.nut access resources in peanut.com. There is no DNS forwarding between the domains/forest; all DNS records have been created manually.

Now the question. When user1, in cashew.nut, requests a ticket for RPCSS\server1.peanut.com, the ticket request is sent to the KDC/DC in cashew.nut. I think this shouldn't be a problem since the KDC should respond with a referral to the KDC/DC in the peanut.com domain. However, this doesn't happen; instead the KDC/DC responds with KDC_ERR_S_PRINCIPAL_UNKNOWN and that's the end of it, the system proceeds with NTLM authen. Presumably there is some DNS misconfiguration somewhere that is causing the referral to fail; however, I have been unable to determine exactly what info the KDC uses in making the decision to provide a referral. The best description I can find is here: http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-referrals-11

A little guidance on what needs to be in place for the referral to work
would be really appreciated.

Thanks,

-Wes
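A check an administrator can run to confirm Joseph's explanation: list each trust with whether Kerberos can cross it, and look up the requested SPN in the realm that should own it. This is an added example, not code from either poster; it assumes the ActiveDirectory PowerShell module can reach a DC in peanut.com (Windows Server 2008 R2 or later, or 2003 with the AD Management Gateway), and it writes the SPN in the standard class/host form RPCSS/server1.peanut.com using the thread's own host and domain names.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module and a
# reachable DC; the domain and SPN values come from the discussion above.
Import-Module ActiveDirectory

function Test-KerberosCapableTrust {
    param([string]$Server = 'peanut.com')
    # A KDC only issues cross-realm referrals over a forest trust
    # (ForestTransitive) or an MIT realm trust; a plain external trust
    # leaves the client to fall back to NTLM.
    Get-ADTrust -Filter * -Server $Server | ForEach-Object {
        [pscustomobject]@{
            Trust            = $_.Name
            Direction        = $_.Direction
            TrustType        = $_.TrustType
            ForestTransitive = $_.ForestTransitive
            KerberosCrosses  = ($_.TrustType -eq 'MIT') -or $_.ForestTransitive
        }
    }
}

function Find-Spn {
    param(
        [Parameter(Mandatory)][string]$Spn,   # e.g. RPCSS/server1.peanut.com
        [string]$Server = 'peanut.com'
    )
    # KDC_ERR_S_PRINCIPAL_UNKNOWN means no account in the queried realm holds
    # the SPN, so search the realm that actually owns the service host.
    Get-ADObject -Server $Server -LDAPFilter "(servicePrincipalName=$Spn)" `
        -Properties servicePrincipalName |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Usage: trusts seen from peanut.com, then the SPN user1's client asked for.
Test-KerberosCapableTrust | Format-Table -AutoSize
$hit = Find-Spn -Spn 'RPCSS/server1.peanut.com'
if (-not $hit) { Write-Warning 'No account in peanut.com holds that SPN' }
```

If the trust row for cashew.nut shows KerberosCrosses = False, the NTLM fallback is expected behaviour regardless of DNS, which is Joseph's point.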






