Windows Server Referral Problem
Markus Moeller
huaraz at moeller.plus.com
Sun Sep 2 15:20:27 EDT 2007
Thomas,
thank you for the pointer. I found my problem and it was related to having a
duplicated entry in another domain (uat.example.com) which I forgot about. I
had
                EXAMPLE.COM
               /     |     \
              /      |      \
TEST.EXAMPLE.COM     |     PROD.EXAMPLE.COM
                     |
               UAT.EXAMPLE.COM
So when a client in prod.example.com was looking for
HTTP/server2.example.com the request was sent to PROD.EXAMPLE.COM, which
checked if EXAMPLE.COM knew about ONE entry, and in this case there were more
than one entry available, which forced PROD.EXAMPLE.COM to return unknown
principal. (At least that is what I think happened.)
Does anybody know a link from Microsoft on how the server referrals work? It
doesn't seem to follow the draft.
Thank you
Markus
----- Original Message -----
From: Thomas Maslen
To: huaraz at moeller.plus.com
Sent: Saturday, September 01, 2007 7:43 PM
Subject: Re: Windows Server Referral Problem
My understanding is that AD searches the entire forest (presumably by
doing a search in the Global Catalog) for
"(servicePrincipalName=HTTP/server2.example.com)".
So I would suggest that you use your favourite LDAP client to perform that
same search (ideally over the Global Catalog rather than over the individual
domains). You should get back exactly one entry. If you get back no
entries then the problem is obvious; conversely, if you get two or more
entries then your problem is duplicate SPN mappings, and you need to delete
the duplicate mappings until you have exactly one mapping for the SPN. If
you get back exactly one entry, and AD is still giving you the "unknown
principal" error, then I don't know what the problem is. [But perhaps you
could perform a similar search for
"(servicePrincipalName=HTTP/server1.example.com)" and see whether there are
any differences between server1 and server2.]
Oh, here's something else to consider: have you packet-sniffed the client
to make sure that the SPN in its TGS-REQ really is
"HTTP/server2.example.com"? Perhaps it is actually using some other SPN,
e.g. "HTTP/server2" or "HTTP/dns-cname-of-server2.example.com" etc etc.
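The forest-wide SPN check Thomas describes, as an added example that is not code from this thread or from any Kerberos implementation. The Global Catalog result set below is constructed to mirror Markus's situation (HTTP/server2.example.com held by a computer account in prod.example.com and again, in different case, by a forgotten account in uat.example.com); the DNs, host name and the ldapsearch invocation are assumptions for illustration.

```python
"""Detect duplicate servicePrincipalName mappings across an AD forest.

Added example. GC_ENTRIES is a constructed stand-in for what a search over
the Global Catalog port (3268) for servicePrincipalName=* would return; the
DNs and domain names are assumed, not taken from the thread.
"""
from collections import defaultdict
import shlex

# Constructed sample: what the GC might hand back for the whole forest.
GC_ENTRIES = [
    {"dn": "CN=server1,CN=Computers,DC=prod,DC=example,DC=com",
     "servicePrincipalName": ["HTTP/server1.example.com",
                              "HOST/server1.example.com"]},
    {"dn": "CN=server2,CN=Computers,DC=prod,DC=example,DC=com",
     "servicePrincipalName": ["HTTP/server2.example.com",
                              "HOST/server2.example.com"]},
    # The forgotten entry in uat.example.com: same SPN, different case.
    {"dn": "CN=svc-web,CN=Users,DC=uat,DC=example,DC=com",
     "servicePrincipalName": ["http/SERVER2.example.com"]},
]


def normalize_spn(spn: str) -> str:
    # AD matches SPNs case-insensitively, so a case-only difference is still
    # a duplicate from the KDC's point of view.
    return spn.strip().lower()


def domain_of(dn: str) -> str:
    # DNS domain from the DC= components of a DN (no escaped-comma handling).
    return ".".join(p[3:] for p in dn.split(",") if p.upper().startswith("DC="))


def find_duplicate_spns(entries):
    """Return {normalized_spn: [dn, ...]} for every SPN held by >1 object."""
    holders = defaultdict(list)
    for entry in entries:
        for spn in entry.get("servicePrincipalName", []):
            holders[normalize_spn(spn)].append(entry["dn"])
    return {spn: dns for spn, dns in holders.items() if len(dns) > 1}


def lookup_spn(entries, spn):
    """The single-SPN search Thomas suggests: DNs of every holder, forest-wide."""
    key = normalize_spn(spn)
    return [e["dn"] for e in entries
            if key in map(normalize_spn, e.get("servicePrincipalName", []))]


def diagnose(entries, spn):
    """Interpret the holder count the way the thread does."""
    holders = lookup_spn(entries, spn)
    if not holders:
        return "no mapping: nothing in the forest holds this SPN"
    if len(holders) == 1:
        return "exactly one mapping: the SPN lookup should succeed"
    domains = sorted({domain_of(dn) for dn in holders})
    return (f"{len(holders)} mappings in {', '.join(domains)}: duplicate SPN, "
            "delete the extras until exactly one remains")


def gc_search_command(gc_host, spn):
    """Equivalent ldapsearch over the GC port with an empty base (whole forest).

    gc_host is assumed; run this against a real GC to get the live answer.
    """
    return shlex.join(["ldapsearch", "-H", f"ldap://{gc_host}:3268",
                       "-b", "", "-s", "sub",
                       f"(servicePrincipalName={spn})",
                       "dn", "servicePrincipalName"])


if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(GC_ENTRIES).items():
        print(f"duplicate {spn}:")
        for dn in dns:
            print(f"  {dn}")
    print(diagnose(GC_ENTRIES, "HTTP/server2.example.com"))
    print(gc_search_command("dc01.example.com", "HTTP/server2.example.com"))
```

The search must go to port 3268 with an empty base; a query against a single domain's port 389 only sees that domain's objects and would have missed the uat.example.com entry. Once the GC shows exactly one holder and the error persists, the next check is the one Thomas raises: capture the client's TGS-REQ and confirm the SPN it actually asks for.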
More information about the Kerberos mailing list