Windows Server Referral Problem
Markus Moeller
huaraz at moeller.plus.com
Fri Aug 31 19:51:20 EDT 2007
I have a problem with server referrals in my Windows environment. I have
two Unix webservers server1.example.com and server2.example.com with SPNs
HTTP/server1.example.com and HTTP/server2.example.com respectively. Both
SPNs are set up under a Windows 2003 SP2 domain test.example.com.
test.example.com has a two-way trust to example.com (2003 SP2 domain) which
has a two-way trust to prod.example.com (2003 SP2 domain).
            EXAMPLE.COM
            /         \
           /           \
TEST.EXAMPLE.COM   PROD.EXAMPLE.COM
The problem I have is that a user from prod.example.com can access server1 and
authenticate, but cannot authenticate to server2. The reason is that the
client gets an error "unknown principal" from prod.example.com when
requesting a TGS for HTTP/server2.example.com, whereas for
HTTP/server1.example.com the client gets a TGS referral reply to
example.com and from there to test.example.com.
What determines on the domain controller prod.example.com whether to reply with a
referral to a TGS Req?
BTW, I only assume the replies are referrals, as the TGS Req does not have the
canonicalisation option set and the TGS Rep doesn't have pa-data as
described in draft-ietf-krb-wg-kerberos-referrals-09.txt. Does Windows
follow that draft?
Thank you
Markus