Problem with Kfw 2.5

Jeffrey Altman jaltman2 at nyc.rr.com
Wed May 10 08:28:24 EDT 2006


Jeffrey Altman wrote:
> Markus Moeller wrote:
>> I have a Windows domain with many desktops. I noticed that some users are 
>> logged in via NTLM and not Kerberos (PSECURITY_LOGON_SESSION_DATA in 
>> isKerberosLogin says so). This sometimes creates problems for smooth logins
>> to kerberised applications. Is there a way to force Kerberos authentication
>> over NTLM?
>>
>> Thanks
>> Markus 
> 
> Is there a reason you are using 2.5 instead of 2.6.5?

Not that using 2.6.5 would help in this situation.  I believe the
problem that you are facing is that Windows does not believe it is
able to contact the KDC and is therefore falling back to verifying
the logon credentials against the local cache of previously used
passwords.  Via group policy you can disable the password caching
and this will force all authentications to be done via Active Directory.

You should be able to verify this by remotely attaching a network
monitor to the machine and watching the logon communications.

Jeffrey Altman


