SSO Fails on XP SP2
Miguel Sanders
miguelsanders at telenet.be
Wed Aug 1 05:11:49 EDT 2007
Ok I narrowed the problem.
It seems that whever the user has more than 20 groups, SSO on XP2
won't work. Below 20 groups it works OK. In XP1 there is no problem on
the amount of group memberhips. I assume that the Cross Realm Object
needs the NO_AUTH_REQUIRED field set in userAccountControl. However
the DNS admin reports that he gets "Access Denied" when trying to edit
that field of the Cross Realm object...
On 31 jul, 23:24, "Markus Moeller" <hua... at moeller.plus.com> wrote:
> Can you add the SPN with REALM into the SPN field under ssh->GSSAPI e.g.
>
> host/server.com at REALM
>
> I think Vintella is adding the default domain otherwise. Not sure if that is
> a bug or if I missed configuration setting.
>
> Markus
>
> "Miguel Sanders" <miguelsand... at telenet.be> wrote in message
>
> news:1185858011.253554.141040 at b79g2000hse.googlegroups.com...
>
>
>
> >I see that I receive the cross realm ticket.
> > However I don't receive any service ticket!
>
> > On 30 jul, 21:53, "Markus Moeller" <hua... at moeller.plus.com> wrote:
> >> Can you use kerbtray to see if you get the service principal ?
>
> >> Markus
>
> >> "Miguel Sanders" <miguelsand... at telenet.be> wrote in message
>
> >>news:1185823586.577161.78640 at l70g2000hse.googlegroups.com...
>
> >> > Markus, I already tried editing that setting but no luck either...
> >> > Everytime I think I am done with this setup, there is a new issue...
> >> > However, the SSO from the Linux clients to the UNIX KDCs worked
> >> > instantly!
>
> >> > On 30 jul, 20:52, "Markus Moeller" <hua... at moeller.plus.com> wrote:
> >> >> You might need this:
>
> >> >> "This new feature has been seen in Windows 2003 Server, Windows 2000
> >> >> Server
> >> >> SP4, and Windows XP SP2. We assume that it will be implemented in all
> >> >> future Microsoft operating systems supporting the Kerberos SSPI.
> >> >> Microsoft
> >> >> does work closely with MIT and has provided a registry key to disable
> >> >> this
> >> >> new feature.
>
> >> >> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
> >> >> AllowTGTSessionKey = 0x01 (DWORD)On Windows XP SP2 the key is
> >> >> specified
> >> >> as
>
> >> >> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
> >> >> AllowTGTSessionKey =
> >> >> 0x01 (DWORD)"as described
> >> >> herehttp://web.mit.edu/kerberos/kfw-2.6/kfw-2.6.5/relnotes.html#mslsa
>
> >> >> Regards
> >> >> Markus
>
> >> >> "Miguel Sanders" <miguelsand... at telenet.be> wrote in message
>
> >> >>news:1185818694.532130.67160 at g4g2000hsf.googlegroups.com...
>
> >> >> > Dear all
>
> >> >> > I don't know whether or not I should post this here or in
> >> >> > microsoft.xp.client but I will do both.
> >> >> > After successfully implementing a cross realm trust between AD and a
> >> >> > UNIX realm, it seems that the clients that user SP1 can successfully
> >> >> > have SSO to the UNIX machine whereas the SP2 people can't. Can
> >> >> > anyone
> >> >> > help me out, since I am not a Windows expert :-)
> >> >> > The tool I use for SSO on the Windows clients is Vintella Putty 0.60
> >> >> > q1.129.
>
> >> >> > Kind regards
>
> >> >> > Miguel
>
> >> >> > ________________________________________________
> >> >> > Kerberos mailing list Kerbe... at mit.edu
> >> >> >https://mailman.mit.edu/mailman/listinfo/kerberos-Tekstuit
> >> >> >oorspronkelijk bericht niet weergeven -
>
> >> >> - Tekst uit oorspronkelijk bericht weergeven -
>
> >> > ________________________________________________
> >> > Kerberos mailing list Kerbe... at mit.edu
> >> >https://mailman.mit.edu/mailman/listinfo/kerberos-Tekst uit
> >> >oorspronkelijk bericht niet weergeven -
>
> >> - Tekst uit oorspronkelijk bericht weergeven -
>
> > ________________________________________________
> > Kerberos mailing list Kerbe... at mit.edu
> >https://mailman.mit.edu/mailman/listinfo/kerberos- Tekst uit oorspronkelijk bericht niet weergeven -
>
> - Tekst uit oorspronkelijk bericht weergeven -
More information about the Kerberos
mailing list