SSO Fails on XP SP2

Markus Moeller huaraz at moeller.plus.com
Wed Aug 1 18:51:32 EDT 2007


Can you get a packet capture with Wireshark on port 88 when you start PuTTY 
and connect to your server?

Markus

"Miguel Sanders" <miguelsanders at telenet.be> wrote in message 
news:1185959509.025577.286370 at w3g2000hsg.googlegroups.com...
> Ok I narrowed the problem.
> It seems that whenever the user has more than 20 groups, SSO on XP2
> won't work. Below 20 groups it works OK. In XP1 there is no problem on
> the amount of group memberships. I assume that the Cross Realm Object
> needs the NO_AUTH_REQUIRED field set in userAccountControl. However
> the DNS admin reports that he gets "Access Denied" when trying to edit
> that field of the Cross Realm object...
>
> On 31 jul, 23:24, "Markus Moeller" <hua... at moeller.plus.com> wrote:
>> Can you add the SPN with REALM into the SPN field under ssh->GSSAPI e.g.
>>
>> host/server.com at REALM
>>
>> I think Vintella is adding the default domain otherwise. Not sure if that is
>> a bug or if I missed a configuration setting.
>>
>> Markus
>>
>> "Miguel Sanders" <miguelsand... at telenet.be> wrote in message
>>
>> news:1185858011.253554.141040 at b79g2000hse.googlegroups.com...
>>
>>
>>
>> > I see that I receive the cross realm ticket.
>> > However I don't receive any service ticket!
>>
>> > On 30 jul, 21:53, "Markus Moeller" <hua... at moeller.plus.com> wrote:
>> >> Can you use kerbtray to see if you get the service principal?
>>
>> >> Markus
>>
>> >> "Miguel Sanders" <miguelsand... at telenet.be> wrote in message
>>
>> >>news:1185823586.577161.78640 at l70g2000hse.googlegroups.com...
>>
>> >> > Markus, I already tried editing that setting but no luck either...
>> >> > Every time I think I am done with this setup, there is a new issue...
>> >> > However, the SSO from the Linux clients to the UNIX KDCs worked
>> >> > instantly!
>>
>> >> > On 30 jul, 20:52, "Markus Moeller" <hua... at moeller.plus.com> wrote:
>> >> >> You might need this:
>>
>> >> >> "This new feature has been seen in Windows 2003 Server, Windows 2000
>> >> >> Server SP4, and Windows XP SP2.  We assume that it will be implemented
>> >> >> in all future Microsoft operating systems supporting the Kerberos SSPI.
>> >> >> Microsoft does work closely with MIT and has provided a registry key to
>> >> >> disable this new feature.
>>
>> >> >>   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>> >> >>   AllowTGTSessionKey = 0x01 (DWORD)
>>
>> >> >> On Windows XP SP2 the key is specified as
>>
>> >> >>   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
>> >> >>   AllowTGTSessionKey = 0x01 (DWORD)"
>>
>> >> >> as described here
>> >> >> http://web.mit.edu/kerberos/kfw-2.6/kfw-2.6.5/relnotes.html#mslsa
>>
>> >> >> Regards
>> >> >> Markus
>>
>> >> >> "Miguel Sanders" <miguelsand... at telenet.be> wrote in message
>>
>> >> >>news:1185818694.532130.67160 at g4g2000hsf.googlegroups.com...
>>
>> >> >> > Dear all
>>
>> >> >> > I don't know whether or not I should post this here or in
>> >> >> > microsoft.xp.client but I will do both.
>> >> >> > After successfully implementing a cross realm trust between AD and a
>> >> >> > UNIX realm, it seems that the clients that use SP1 can successfully
>> >> >> > have SSO to the UNIX machine whereas the SP2 people can't. Can anyone
>> >> >> > help me out, since I am not a Windows expert :-)
>> >> >> > The tool I use for SSO on the Windows clients is Vintella Putty 0.60
>> >> >> > q1.129.
>>
>> >> >> > Kind regards
>>
>> >> >> > Miguel
>>
>> >> >> > ________________________________________________
>> >> >> > Kerberos mailing list           Kerbe... at mit.edu
>> >> >> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>





