Windows Server Referral Problem

Markus Moeller huaraz at moeller.plus.com
Sun Sep 2 15:20:27 EDT 2007


Thomas,

thank you for the pointer. I found my problem and it was related to having a
duplicated entry in another domain (uat.example.com) which I forgot about.
I had


                     EXAMPLE.COM
                    /     |     \
                   /      |      \
   TEST.EXAMPLE.COM       |       PROD.EXAMPLE.COM
                          |
                   UAT.EXAMPLE.COM

So when a client in prod.example.com was looking for
HTTP/server2.example.com the request was sent to PROD.EXAMPLE.COM which
checked if EXAMPLE.COM knew about ONE entry and in this case there were more
than one entry available which forced PROD.EXAMPLE.COM to return unknown
principal. (At least that is what I think happened.)

Does anybody know a link from Microsoft how the server referrals work? It
doesn't seem to follow the draft.

Thank you
Markus


  ----- Original Message ----- 
  From: Thomas Maslen
  To: huaraz at moeller.plus.com
  Sent: Saturday, September 01, 2007 7:43 PM
  Subject: Re: Windows Server Referral Problem


My understanding is that AD searches the entire forest (presumably by
doing a search in the Global Catalog) for
"(servicePrincipalName=HTTP/server2.example.com)".

So I would suggest that you use your favourite LDAP client to perform that
same search (ideally over the Global Catalog rather than over the individual
domains). You should get back exactly one entry. If you get back no
entries then the problem is obvious; conversely, if you get two or more
entries then your problem is duplicate SPN mappings, and you need to delete
the duplicate mappings until you have exactly one mapping for the SPN. If
you get back exactly one entry, and AD is still giving you the "unknown
principal" error, then I don't know what the problem is. [But perhaps you
could perform a similar search for
"(servicePrincipalName=HTTP/server1.example.com)" and see whether there are
any differences between server1 and server2.]

Oh, here's something else to consider: have you packet-sniffed the client
to make sure that the SPN in its TGS-REQ really is
"HTTP/server2.example.com"? Perhaps it is actually using some other SPN,
e.g. "HTTP/server2" or "HTTP/dns-cname-of-server2.example.com" etc etc.
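A small checker for the triage Thomas describes (zero, one, or several owners of an SPN across the forest), added here as an example and not code from either poster. It assumes the LDIF below, which is constructed to mirror the forest in the thread with the forgotten duplicate in uat.example.com; the ldapsearch command in the comment uses a hypothetical host name and is the assumed way to obtain real input from the Global Catalog.

```python
from collections import defaultdict

# Constructed sample: the kind of LDIF a Global Catalog search returns, e.g.
#   ldapsearch -LLL -H ldap://dc.example.com:3268 -b "" \
#       "(servicePrincipalName=HTTP/*)" servicePrincipalName
# (dc.example.com is a hypothetical host; 3268 is the Global Catalog port.)
SAMPLE_LDIF = """\
dn: CN=server2,CN=Computers,DC=prod,DC=example,DC=com
servicePrincipalName: HTTP/server2.example.com
servicePrincipalName: HOST/server2.prod.example.com

dn: CN=svc-web,CN=Users,DC=uat,DC=example,DC=com
servicePrincipalName: http/server2.example.com

dn: CN=server1,CN=Computers,DC=prod,DC=example,DC=com
servicePrincipalName: HTTP/server1.example.com
"""

def parse_ldif(text):
    """Return {dn: [spn, ...]} from minimal LDIF (no base64, no line folding)."""
    entries, dn, spns = {}, None, []
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            if dn:
                entries[dn] = spns
            dn, spns = None, []
        elif line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.lower().startswith("serviceprincipalname: "):
            spns.append(line.split(":", 1)[1].strip())
    if dn:                                        # last entry without trailing blank
        entries[dn] = spns
    return entries

def spn_index(entries):
    """Map each SPN to the DNs that carry it. servicePrincipalName is matched
    case-insensitively in AD, so a differently cased copy is still a duplicate."""
    idx = defaultdict(list)
    for dn, spns in entries.items():
        for spn in spns:
            idx[spn.lower()].append(dn)
    return idx

def check_spn(entries, spn):
    """Classify an SPN exactly as the advice above: missing, ok, or duplicate."""
    owners = spn_index(entries).get(spn.lower(), [])
    state = "missing" if not owners else "ok" if len(owners) == 1 else "duplicate"
    return state, owners

def duplicate_spns(entries):
    """Every SPN the forest maps more than once, with its owners."""
    return {s: dns for s, dns in spn_index(entries).items() if len(dns) > 1}
```

Running duplicate_spns over a dump of the whole forest is the quick way to find an entry in a domain you forgot about, as happened here.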

More information about the Kerberos mailing list