2k3 (SP1) and PDC Emulator difference

Douglas E. Engert deengert at anl.gov
Thu Sep 29 11:49:25 EDT 2005 


Markus Moeller wrote:
> Check also the kvno (key version number). 2000 doesn't increment it, whereas 
> 2003 does, so you can get different kvnos from 2000 and 2003 kdcs. But there 
> is a patch form MS which allows to configure 2003 to act like a 2000 kdc wrt 
> to kvnos.

If you have the MIT KfW or Unix, try the kvno utility to get a service ticket,
and see what kvno the KDC returnes. Then make sure the keytab file has the key
with that kvno.


> 
> Regards
> Markus
> 
> "amol dixit" <dixitamol at yahoo.com> wrote in message 
> news:20050928201447.43903.qmail at web52408.mail.yahoo.com...
> 
>>Hi,
>>I have Windows 2k and 2k3 (SP1) AD servers in a
>>domain, and if I set the 2k server as the
>>OperationsMaster->PDC (aka. PDC Emulator), then
>>DES_CBC_MD5 key generated using the SPN (and
>>corresponding Salt) fails to authenticate on 2k3
>>server. It automatically forwards the kerberos ticket
>>request (AS_REQ) to the PDC Emulator (which is the 2k
>>server), which in turn authenticates the SPN using the
>>same key. Also, kinit can get a ticket from 2k3 for
>>the same account without forwarding to PDC.
>>I am at a loss to explain how come the same kerberos
>>DES key works on 2k but not on 2k3, even though the
>>account is created on 2k3 AD.
>>Interestingly, if I make the 2k3 server as PDC master,
>>it will authenticate using the same key and not
>>forward the request to the 2k server anymore.
>>PDC emulators are for legacy windows clients, I dont
>>see what role is plays here.
>>Any ideas, please let me know.
>>TIA,
>>Amol
>>
>>
>>
>>
>>__________________________________
>>Yahoo! Mail - PC Magazine Editors' Choice 2005
>>http://mail.yahoo.com
>>________________________________________________
>>Kerberos mailing list           Kerberos at mit.edu
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> 
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list