2k3 (SP1) and PDC Emulator difference

amol dixit dixitamol at yahoo.com
Wed Sep 28 17:55:59 EDT 2005


Markus,
There is no error per se, since the 2k3 forwards the
ticket request (AS_REQ) to the PDC Emulator (2k
server), which authenticates using the same key. So
the salt created does work with the PDC.
To see how Windows machine accounts are added to a
domain, I took a trace while adding a machine to the
domain. Turns out it uses SAMR and not Kerberos, so
no help.
Thanks,
Amol


--- Markus Moeller <huaraz at moeller.plus.com> wrote:

> Can you look at the error message? I think there was a change in
> calculating the salt for DES keys.
> 
> Regards
> Markus
> 
> "amol dixit" <dixitamol at yahoo.com> wrote in message
> news:20050928201447.43903.qmail at web52408.mail.yahoo.com...
> > Hi,
> > I have Windows 2k and 2k3 (SP1) AD servers in a
> > domain, and if I set the 2k server as the
> > OperationsMaster->PDC (aka. PDC Emulator), then
> > DES_CBC_MD5 key generated using the SPN (and
> > corresponding Salt) fails to authenticate on 2k3
> > server. It automatically forwards the Kerberos ticket
> > request (AS_REQ) to the PDC Emulator (which is the 2k
> > server), which in turn authenticates the SPN using the
> > same key. Also, kinit can get a ticket from 2k3 for
> > the same account without forwarding to PDC.
> > I am at a loss to explain how come the same Kerberos
> > DES key works on 2k but not on 2k3, even though the
> > account is created on 2k3 AD.
> > Interestingly, if I make the 2k3 server as PDC master,
> > it will authenticate using the same key and not
> > forward the request to the 2k server anymore.
> > PDC emulators are for legacy Windows clients, I don't
> > see what role it plays here.
> > Any ideas, please let me know.
> > TIA,
> > Amol
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos



		