Kerberos, Windows 2000 and IBM

Gustavo_Mayordomo_Herraiz/ Gustavo_Mayordomo_Herraiz/ATCA at
Wed Aug 13 07:23:14 EDT 2003

I think so, but I can ask IBM. I think so because we can change
the password from Windows normally.

We only have problems when the KDC (IBM Server) tells the Windows
client (Workstation) that the password is expired and must be
changed. Windows shows this message and shows the box with the userid,
old password and new password fields for changing it. And then the
system doesn't work and shows the message: 'the system cannot change
your password now because the domain domain_name is not available'.

Since the Workstation receives from the Host the message for changing
the password, the Workstation doesn't try to communicate with the IBM Host.
We have put a sniffer on the Workstation and we have seen that the
Workstation (W2000 Professional) asks the DNS (W2000 Server, where the
DNS, Active Directory, ... are) for a resource called
"_ldap._tcp.dc._msdcs.<domain_name>". This resource is not defined and then
the Workstation makes a broadcast asking for it. A few moments later, as
nobody answers it, it shows the message.

I think that if it was a problem in the Windows environment then it
would happen not only with an IBM external KDC: it also happens with
another operating system (Sun, Linux, ...) that acts as master KDC.


Luke Howard <lukeh at PADL.COM> on 13/08/2003 10:11:43

Please reply to lukeh at PADL.COM

Sent by:   kerberos-bounces at

To:        Gustavo_Mayordomo_Herraiz/ATCA at
CC:        kerberos at
Subject:   Re: Kerberos, Windows 2000 and IBM

>We are trying to make an authentication method between Windows 2000
>and IBM ZOS using Kerberos. The IBM Host works as the KDC server and
>as client. It works, but when the password is expired in the
>environment and we try to change it from Windows 2000 Professional client
>we received the message 'the system cannot change your password now
>because the domain domain_name is not available'.

Does the IBM KDC support RFC 3244 ("Microsoft Windows 2000 Kerberos Change
Password and Set Password Protocols")?

-- Luke
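
An added example, not part of the original thread: a small Python parser that reads the question section of a captured DNS query and reports whether it is the SRV lookup for `_ldap._tcp.dc._msdcs.<domain_name>` described in the message above. The function names, the domain `example.test` and the sample packet are assumptions constructed for illustration.

```python
import struct

SRV = 33  # DNS RR type for SRV records (RFC 2782)
DC_LOCATOR_PREFIX = "_ldap._tcp.dc._msdcs."  # name quoted in the message above


def build_query(name, qtype=SRV, txid=0x1234):
    """Build a minimal DNS query (constructed sample input, not a real capture)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def parse_question(packet):
    """Return (qname, qtype) of the first question; ValueError if malformed."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query carrying a question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length in question")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels).lower(), qtype


def dc_locator_domain(packet):
    """Return the domain a DC-locator SRV query asks about, else None."""
    qname, qtype = parse_question(packet)
    if qtype == SRV and qname.startswith(DC_LOCATOR_PREFIX):
        return qname[len(DC_LOCATOR_PREFIX):]
    return None


if __name__ == "__main__":
    sample = build_query("_ldap._tcp.dc._msdcs.EXAMPLE.TEST")
    print(dc_locator_domain(sample))
```

Run over the UDP port 53 payloads from a workstation capture, this separates domain-controller lookups from any other SRV queries the client sends during the password-change attempt.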
