Markus,

I have a request out to Microsoft to get more information on this. Microsoft apparently are not following the draft IETF standard as yet but have something similar (a pre-draft spec) implemented in 2000/2003. The -09 spec shows the differences in its Appendix.

I would check both DNS and AD:

- For DNS, check that server2.example.com has a correct forward and reverse. It is possible that the reverse maps back to another name and thus the wrong SPN is being requested from AD.
- Check that AD has the right SPN registered in the domain.

I also assume this is one forest and you left an appropriate delay for the new server to replicate. It is not clear (to me...) how Windows does cross-forest, but within a forest it can look up the SPN through the Global Catalog and return a referral to the correct domain.

Edward,

I have a problem with server referrals in my Windows environment. I have two Unix webservers, server1.example.com and server2.example.com, with SPNs HTTP/server1.example.com and HTTP/server2.example.com respectively. Both SPNs are set up under a Windows 2003 SP2 domain test.example.com. test.example.com has a two-way trust to example.com (2003 SP2 domain), which has a two-way trust to prod.example.com (2003 SP2 domain).

                EXAMPLE.COM
                 /       \
                /         \
    TEST.EXAMPLE.COM   PROD.EXAMPLE.COM

The problem I have is that a user from prod.example.com can access server1 and authenticate, but cannot authenticate to server2. The reason is that the client gets an error "unknown principal" from prod.example.com when requesting a TGS for HTTP/server2.example.com, whereas for HTTP/server1.example.com the client gets a TGS referral reply to example.com and from there to test.example.com.

What determines whether the domain controller in prod.example.com replies to a TGS-REQ with a referral? BTW, I only assume the replies are referrals, as the TGS-REQ does not have the canonicalisation option set and the TGS-REP doesn't have pa-data as described in draft-ietf-krb-wg-kerberos-referrals-09.txt. Does Windows follow that draft?
Thank you Markus

Edward

___________________________________
Edward Newman
GTI A&E Identity & Naming Services
Merrill Lynch, 9th Fl, 222 Broadway, New York, NY 10007, USA
Phone: +1-212-670-1546 Cell: +1-917-975-2356
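As an added example, not from this thread or its authors: the two checks Markus suggests (DNS forward/reverse round trip, and whether the SPN is registered in the forest's Global Catalog) scripted for the Unix side. It assumes dig and an ldapsearch built with SASL/GSSAPI are installed and a Kerberos ticket is held; the GC host and forest base DN passed in are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes dig (BIND utils) and
# ldapsearch (OpenLDAP, SASL/GSSAPI) are installed and the caller already
# holds a Kerberos ticket that ldapsearch -Y GSSAPI can use against the GC.

# Check 1: forward/reverse DNS round trip for a web server name.
# Returns 0 if NAME -> A -> PTR comes back to NAME, 1 otherwise.
# A PTR that names something else means a client that builds its SPN
# from the reverse name will ask the KDC for the wrong HTTP/ principal.
dns_roundtrip() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    addr=$(dig +short A "$name" | grep -v '^;' | head -n 1)
    if [ -z "$addr" ]; then
        echo "no A record for $name"
        return 1
    fi
    ptr=$(dig +short -x "$addr" | head -n 1 | sed 's/\.$//' | tr 'A-Z' 'a-z')
    if [ "$ptr" = "$name" ]; then
        echo "ok: $name -> $addr -> $ptr"
        return 0
    fi
    echo "mismatch: $name -> $addr -> ${ptr:-<no PTR>}"
    return 1
}

# Check 2: is SPN registered exactly once in the forest?  Querying the
# Global Catalog (port 3268) covers every domain in the forest, which is
# where an in-forest DC looks before returning a referral to the right
# domain.  GC_HOST is any GC server; BASE_DN is the forest root.
spn_registered() {
    spn=$1; gc_host=$2; base_dn=$3
    count=$(ldapsearch -LLL -Y GSSAPI -H "ldap://$gc_host:3268" -b "$base_dn" \
                "(servicePrincipalName=$spn)" dn 2>/dev/null \
            | grep -c '^dn:' || true)
    case $count in
        1) echo "ok: $spn registered once"; return 0 ;;
        0) echo "missing: $spn not found in GC $gc_host"; return 1 ;;
        *) echo "duplicate: $spn registered $count times"; return 1 ;;
    esac
}

# Usage (placeholder GC host and base DN): run once from the prod side of
# the trust and once from test.example.com, then compare the answers.
# for h in server1.example.com server2.example.com; do
#     dns_roundtrip "$h"
#     spn_registered "HTTP/$h" gc.example.com DC=example,DC=com
# done
```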