SSO Fails on XP SP2

Jeffrey Altman jaltman at secure-endpoints.com
Thu Aug 2 15:09:06 EDT 2007


Markus:

Miguel's problem is that his Unix KDC does not support TCP connections.

Jeffrey Altman


Markus Moeller wrote:
> Miguel,
>
> I use an XP SP2 client and can't recreate your problem. I have
>
> AD <-transitive trust->MIT
>   |
> XPSP2
>
> I login to my XP box with a Windows id with 25 groups. Use Vintella Putty
> to login to a Unix server which is registered on the MIT kdc and I can login
> straight away. Is that your setup or do you login to a client which is part
> of your child domain?
>
> Thank you
> Markus
>
>
>
> "Miguel Sanders" <miguelsanders at telenet.be> wrote in message 
> news:1185959509.025577.286370 at w3g2000hsg.googlegroups.com...
>> Ok I narrowed the problem.
>> It seems that whenever the user has more than 20 groups, SSO on XP2
>> won't work. Below 20 groups it works OK. In XP1 there is no problem on
>> the amount of group memberships. I assume that the Cross Realm Object
>> needs the NO_AUTH_REQUIRED field set in userAccountControl. However
>> the DNS admin reports that he gets "Access Denied" when trying to edit
>> that field of the Cross Realm object...
>>
>> On 31 jul, 23:24, "Markus Moeller" <hua... at moeller.plus.com> wrote:
>>> Can you add the SPN with REALM into the SPN field under ssh->GSSAPI e.g.
>>>
>>> host/server.com at REALM
>>>
>>> I think Vintella is adding the default domain otherwise. Not sure if that
>>> is a bug or if I missed a configuration setting.
>>>
>>> Markus
>>>
>>> "Miguel Sanders" <miguelsand... at telenet.be> wrote in message
>>>
>>> news:1185858011.253554.141040 at b79g2000hse.googlegroups.com...
>>>
>>>
>>>
>>>> I see that I receive the cross realm ticket.
>>>> However I don't receive any service ticket!
>>>> On 30 jul, 21:53, "Markus Moeller" <hua... at moeller.plus.com> wrote:
>>>>> Can you use kerbtray to see if you get the service principal ?
>>>>> Markus
>>>>> "Miguel Sanders" <miguelsand... at telenet.be> wrote in message
>>>>> news:1185823586.577161.78640 at l70g2000hse.googlegroups.com...
>>>>>> Markus, I already tried editing that setting but no luck either...
>>>>>> Everytime I think I am done with this setup, there is a new issue...
>>>>>> However, the SSO from the Linux clients to the UNIX KDCs worked
>>>>>> instantly!
>>>>>> On 30 jul, 20:52, "Markus Moeller" <hua... at moeller.plus.com> wrote:
>>>>>>> You might need this:
>>>>>>> "This new feature has been seen in Windows 2003 Server, Windows 2000
>>>>>>> Server SP4, and Windows XP SP2.  We assume that it will be implemented
>>>>>>> in all future Microsoft operating systems supporting the Kerberos SSPI.
>>>>>>> Microsoft does work closely with MIT and has provided a registry key to
>>>>>>> disable this new feature.
>>>>>>>   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>>>>>>>   AllowTGTSessionKey = 0x01 (DWORD)
>>>>>>> On Windows XP SP2 the key is specified as
>>>>>>>   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
>>>>>>>   AllowTGTSessionKey = 0x01 (DWORD)"
>>>>>>> as described here:
>>>>>>> http://web.mit.edu/kerberos/kfw-2.6/kfw-2.6.5/relnotes.html#mslsa
>>>>>>> Regards
>>>>>>> Markus
>>>>>>> "Miguel Sanders" <miguelsand... at telenet.be> wrote in message
>>>>>>> news:1185818694.532130.67160 at g4g2000hsf.googlegroups.com...
>>>>>>>> Dear all
>>>>>>>> I don't know whether or not I should post this here or in
>>>>>>>> microsoft.xp.client but I will do both.
>>>>>>>> After successfully implementing a cross realm trust between AD and a
>>>>>>>> UNIX realm, it seems that the clients that use SP1 can successfully
>>>>>>>> have SSO to the UNIX machine whereas the SP2 people can't. Can anyone
>>>>>>>> help me out, since I am not a Windows expert :-)
>>>>>>>> The tool I use for SSO on the Windows clients is Vintella Putty 0.60
>>>>>>>> q1.129.
>>>>>>>> Kind regards
>>>>>>>> Miguel
>>>>>>>> ________________________________________________
>>>>>>>> Kerberos mailing list           Kerbe... at mit.edu
>>>>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
>
>
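The diagnosis in this thread is a transport problem: a Windows account with many group memberships carries a large PAC, so the KDC reply no longer fits in a UDP datagram, the KDC answers KRB_ERR_RESPONSE_TOO_BIG and the client retries over TCP (RFC 4120 section 7.2), which fails against a KDC that only listens on UDP. The following script is an added example written for this page, not code from any poster or from MIT Kerberos: it implements the TCP framing from RFC 4120 section 7.2.2, models the client's retry decision, and checks whether a KDC accepts TCP connections. The loopback listener, the port number it chooses, and the message bytes `TGS-REQ-SAMPLE` / `KDC-REP:` are constructed stand-ins so the check runs offline; against a real KDC you would call `kdc_accepts_tcp("kdc.example.org")` (hostname is a placeholder).

```python
"""Check Kerberos-over-TCP support of a KDC (added example, not from the thread)."""
import socket
import struct
import threading
from typing import Optional

KDC_PORT = 88
KRB_ERR_RESPONSE_TOO_BIG = 52  # RFC 4120 section 7.5.9


def frame_tcp(msg: bytes) -> bytes:
    """Prefix a Kerberos message with its 4-byte big-endian length
    (RFC 4120 section 7.2.2). The high bit is reserved and must be zero."""
    if len(msg) >= 0x80000000:
        raise ValueError("message too large for a Kerberos TCP frame")
    return struct.pack("!I", len(msg)) + msg


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full frame arrived")
        buf += chunk
    return buf


def recv_framed(conn: socket.socket) -> bytes:
    """Read one length-prefixed Kerberos message from a TCP connection."""
    (length,) = struct.unpack("!I", _recv_exact(conn, 4))
    if length & 0x80000000:
        raise ValueError("reserved high bit set in Kerberos TCP length prefix")
    return _recv_exact(conn, length)


def needs_tcp_retry(udp_error_code: Optional[int]) -> bool:
    """Client decision modelled on RFC 4120 section 7.2.1: a UDP reply carrying
    KRB_ERR_RESPONSE_TOO_BIG means the request must be repeated over TCP
    (e.g. a ticket whose PAC lists many groups). None means no error."""
    return udp_error_code == KRB_ERR_RESPONSE_TOO_BIG


def kdc_accepts_tcp(host: str, port: int = KDC_PORT, timeout: float = 2.0) -> bool:
    """True if a TCP connection to the KDC port succeeds; False on refusal
    or timeout, which is the failure mode described in the thread."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exchange_over_tcp(host: str, port: int, request: bytes, timeout: float = 2.0) -> bytes:
    """Send one framed request and return the framed reply's payload."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(frame_tcp(request))
        return recv_framed(conn)


class LoopbackTcpListener:
    """Constructed stand-in for a KDC's TCP listener on 127.0.0.1. It only
    echoes the framed request back with a 'KDC-REP:' prefix; no Kerberos
    protocol logic is implemented."""

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, assumption: loopback is available
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listener closed
            with conn:
                try:
                    conn.sendall(frame_tcp(b"KDC-REP:" + recv_framed(conn)))
                except (OSError, ValueError):
                    pass

    def close(self) -> None:
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self.sock.close()


def demo() -> dict:
    """Exercise the check against the loopback listener and then against the
    same port once it is closed, mirroring a KDC with and without TCP."""
    kdc = LoopbackTcpListener()
    try:
        reply = exchange_over_tcp("127.0.0.1", kdc.port, b"TGS-REQ-SAMPLE")
        tcp_ok = kdc_accepts_tcp("127.0.0.1", kdc.port)
    finally:
        kdc.close()
    closed_ok = kdc_accepts_tcp("127.0.0.1", kdc.port)
    return {"tcp_ok": tcp_ok, "reply": reply, "closed_port_ok": closed_ok}


if __name__ == "__main__":
    print(demo())
```

If `kdc_accepts_tcp` returns False for a production KDC while users with few groups still authenticate, the symptom in this thread (SSO failing only for members of many groups) is the expected result; enabling the KDC's TCP listener on port 88 and opening it on intervening firewalls is the corresponding fix.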