2k3 (SP1) and PDC Emulator difference

amol dixit dixitamol at yahoo.com
Wed Sep 28 16:14:47 EDT 2005


Hi,
I have Windows 2k and 2k3 (SP1) AD servers in a
domain, and if I set the 2k server as the
OperationsMaster->PDC (aka. PDC Emulator), then
DES_CBC_MD5 key generated using the SPN (and
corresponding Salt) fails to authenticate on 2k3
server. It automatically forwards the Kerberos ticket
request (AS_REQ) to the PDC Emulator (which is the 2k
server), which in turn authenticates the SPN using the
same key. Also, kinit can get a ticket from 2k3 for
the same account without forwarding to PDC.
I am at a loss to explain how come the same Kerberos
DES key works on 2k but not on 2k3, even though the
account is created on 2k3 AD.
Interestingly, if I make the 2k3 server the PDC master,
it will authenticate using the same key and not
forward the request to the 2k server anymore. 
PDC emulators are for legacy Windows clients; I don't
see what role it plays here.
Any ideas, please let me know. 
TIA,
Amol



		