2k3 (SP1) and PDC Emulator difference

Markus Moeller huaraz at moeller.plus.com
Wed Sep 28 18:01:19 EDT 2005


Check also the kvno (key version number). 2000 doesn't increment it, whereas 
2003 does, so you can get different kvnos from 2000 and 2003 kdcs. But there 
is a patch from MS which allows you to configure 2003 to act like a 2000 kdc 
wrt kvnos.

Regards
Markus

"amol dixit" <dixitamol at yahoo.com> wrote in message 
news:20050928201447.43903.qmail at web52408.mail.yahoo.com...
> Hi,
> I have Windows 2k and 2k3 (SP1) AD servers in a
> domain, and if I set the 2k server as the
> OperationsMaster->PDC (aka. PDC Emulator), then
> DES_CBC_MD5 key generated using the SPN (and
> corresponding Salt) fails to authenticate on 2k3
> server. It automatically forwards the kerberos ticket
> request (AS_REQ) to the PDC Emulator (which is the 2k
> server), which in turn authenticates the SPN using the
> same key. Also, kinit can get a ticket from 2k3 for
> the same account without forwarding to PDC.
> I am at a loss to explain how come the same kerberos
> DES key works on 2k but not on 2k3, even though the
> account is created on 2k3 AD.
> Interestingly, if I make the 2k3 server as PDC master,
> it will authenticate using the same key and not
> forward the request to the 2k server anymore.
> PDC emulators are for legacy windows clients, I don't
> see what role it plays here.
> Any ideas, please let me know.
> TIA,
> Amol
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 




