Re: Datadomain Windows 2008 DC

Hello Ace,

In the default DC GPO I see "Microsoft network server: digitally sign communications (always)" and "Microsoft network server: digitally sign communications (if client agrees)".
Both settings are currently enabled. Do I have to disable both settings in order to allow negotiation between client and server?


"Ace Fekay [Microsoft Certified Trainer]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:uyOlvCZzJHA.5684@xxxxxxxxxxxxxxxxxxxxxxx
"Family" <shofmann@xxxxxxx> wrote in message news:%23%23XlEzYzJHA.2656@xxxxxxxxxxxxxxxxxxxxxxx
Yep, I agree as well. I won't know what is causing this issue until I talk to support at Datadomain. Unfortunately I am not the storage admin and I don't have access to the device, so I am doing what I can from an AD side to try and figure this out. I am willing to detune SMB on one of the 2008 DCs, but I want to make sure this setting doesn't negatively affect other applications that are using Kerberos authentication, like SQL. I assume that Kerberos authentication will still function as normal, but when making the change to SMB this will allow NTLM authentication as well, and not prevent Kerberos?

Many thanks

Disabling SMB signing allows legacy and non-Windows entities to authenticate that do not support Kerberos. This will NOT stop Kerberos-based clients, which will continue to authenticate using Kerberos, whether this setting is enabled or disabled.

Ace

