Kerberos & UserAccountControl query



First off, sorry for the long-winded post, but I thought it better to have all the
info.

I was asked to create a keytab by our Oracle DBA for some single sign-on
server testing we are thinking of implementing, so I ran the supplied command:
Ktpass -princ HTTP/hostname.domain.com@xxxxxxxxxx -pass helloworld -mapuser
testuser -out hostname.keytab

This changed the user logon name, which I understand to be the new SPN.
Firstly, are there any problems with changing the logon name back to what it was
originally, so long as the SPN is not changed?

This also started generating 40960 and 40961 warnings on the 3 servers that
use this logon. Rebooting one of them stopped the warnings from happening,
but a reboot on another didn't resolve the warnings, while one server was not
rebooted at all.

We are also receiving event ID 8, source KDC, errors on the DCs. I've tried
resetting the password through ADUC (this doesn't seem to have worked), but I
also saw a mention that it needed to be done at the actual server. This is
not really possible due to account history/repetition restrictions, and it may
prevent legitimate services that use this account as the logon account from
running; however, there are obvious ways to circumvent this.

I believe the problem comes down to the fact that ktpass converted the
key type from RC4 to DES, so I ran a packet capture and saw a KRB error
stating "not supported". The encryption type was shown as DES while it was trying
to use RC4. So far, this all ties in.

So I followed KB305144 and edited the UserAccountControl value using
ADSI Edit. The user account was set to 2163200, so I added the value of
USE_DES_KEY_ONLY (2097152) to create 4260352.

I then rebooted the server (not the DC), logged on again and ran the
packet capture. I now no longer get the KRB error "not supported"; however, I
only get TGS_REQ and TGS_REP, and there is no AP_REQ or AP_REP, which I thought
there should be. Also, the encryption type is set as RC4....

Did I do something wrong here?
Is it something as simple as resetting the password on the service logon
account?
Thanks
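Editor's note on the UserAccountControl arithmetic in the post above. This is an added example, not code from the original poster; the flag values are the documented userAccountControl bits from Microsoft's ADS_USER_FLAG_ENUM, and the two numbers come straight from the post. Decoding them shows the check a practitioner would want before editing the attribute in ADSI Edit: 2163200 is 0x210200, which already contains 0x200000 (USE_DES_KEY_ONLY) alongside NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD. Adding 2097152 to a value whose DES bit is already set carries into the next bit, so 4260352 (0x410200) has USE_DES_KEY_ONLY cleared and DONT_REQ_PREAUTH set instead. An account with pre-authentication disabled hands out an AS-REP encrypted under its password-derived key to anyone who asks, which enables offline password guessing, so this is worth verifying rather than assuming. The safe operation is a bitwise OR, which is idempotent; the example below decodes both values and contrasts OR with addition.

```python
# Added example (not from the original post): decode a userAccountControl
# bitmask and show why a flag must be OR-ed in rather than added.
# Flag bits are Microsoft's documented ADS_USER_FLAG_ENUM values.

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
NAME_TO_BIT = {name: bit for bit, name in UAC_FLAGS.items()}


def decode_uac(value):
    """Return the names of all flags set in a userAccountControl value,
    lowest bit first; any bits outside the known table are reported too."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # sum() over a dict iterates its keys
    if unknown:
        names.append("UNKNOWN(0x%x)" % unknown)
    return names


def has_flag(value, name):
    return bool(value & NAME_TO_BIT[name])


def set_flag(value, name):
    """Set a flag with bitwise OR: if the bit is already set, nothing changes."""
    return value | NAME_TO_BIT[name]


def clear_flag(value, name):
    """Clear a flag with AND NOT; also a no-op if the bit was already clear."""
    return value & ~NAME_TO_BIT[name]


def add_flag_by_addition(value, name):
    """The 'add the decimal value' recipe. Wrong whenever the bit is already
    set: the carry propagates into the next-higher flag."""
    return value + NAME_TO_BIT[name]


def walk_through_post():
    """Reproduce the two values from the post (constructed from its text) and
    report what each actually encodes, plus what OR would have produced."""
    before = 2163200                      # value the poster found in ADSI Edit
    after_addition = add_flag_by_addition(before, "USE_DES_KEY_ONLY")
    after_or = set_flag(before, "USE_DES_KEY_ONLY")
    return {
        "before": decode_uac(before),
        "after_addition_value": after_addition,
        "after_addition": decode_uac(after_addition),
        "after_or_value": after_or,
        "after_or": decode_uac(after_or),
        "preauth_disabled_by_addition": has_flag(after_addition, "DONT_REQ_PREAUTH"),
    }


if __name__ == "__main__":
    for key, val in walk_through_post().items():
        print("%-30s %s" % (key, val))
```

To repair the account from the post's final state, clear DONT_REQ_PREAUTH and OR in USE_DES_KEY_ONLY (the result is the original 2163200), and write that value back rather than doing decimal arithmetic in ADSI Edit. The same idea applies to the keytab itself: ktpass has a /crypto option that selects the key type written to the keytab, so choosing the enctype the service will actually negotiate avoids the DES/RC4 mismatch that prompted the UAC edit in the first place.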
