Windows Server Referral Problem

Newman, Edward (GTI) edward_newman at ml.com
Mon Sep 3 08:49:26 EDT 2007


Markus

I have a request out to Microsoft to get more information on this. Microsoft apparently are not following the draft IETF standard as yet but have something similar (pre-draft spec) implemented in 2000/2003. The -09 spec shows the differences in its appendix.

I would check both DNS and AD:

- For DNS, check that server2.example.com has a correct forward and reverse. Possible that reverse maps back to another name and thus the wrong SPN is being requested from AD.
- Check AD has the right SPN registered in the domain. I also assume this is one forest and you left appropriate delay for the new server to replicate.

It is not clear (to me...) how Windows does cross-forest, but within a forest it can look up the SPN through the Global Catalog and return a referral to the correct domain.

Edward

I have a problem with server referrals in my Windows environment. I have two Unix webservers, server1.example.com and server2.example.com, with SPNs HTTP/server1.example.com and HTTP/server2.example.com respectively. Both SPNs are set up under a Windows 2003 SP2 domain test.example.com. test.example.com has a two-way trust to example.com (2003 SP2 domain), which has a two-way trust to prod.example.com (2003 SP2 domain).

              EXAMPLE.COM
               /       \
              /         \
TEST.EXAMPLE.COM      PROD.EXAMPLE.COM


The problem I have is that a user from prod.example.com can access server1 and authenticate, but can not authenticate to server2. The reason is that the client gets an error "unknown principal" from prod.example.com when requesting a TGS for HTTP/server2.example.com, whereas for HTTP/server1.example.com the client gets a TGS referral reply to example.com and from there to test.example.com.

What determines whether the domain controller for prod.example.com replies to a TGS-REQ with a referral?

BTW, I only assume the replies are referrals, as the TGS-REQ does not have the canonicalisation option set and the TGS-REP doesn't have pa-data as described in draft-ietf-krb-wg-kerberos-referrals-09.txt. Does Windows follow that draft?

Thank you
Markus 


___________________________________
Edward Newman
GTI A&E Identity & Naming Services
Merrill Lynch, 9th Fl, 222 Broadway, New York, NY 10007, USA
Phone : +1-212-670-1546  Cell: +1-917-975-2356
--------------------------------------------------------

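As an added example (not code from this thread, and not Microsoft's or MIT's implementation), the Python below models the two checks Edward lists and the referral walk Markus observed: whether forward and reverse DNS for a host agree (which decides the SPN a canonicalising client asks for), whether that SPN is registered anywhere the KDC can find it, and the chain of krbtgt referrals along the trust path from the client's realm to the realm holding the SPN. The trust graph is taken from the diagram in the thread; the DNS records, the 192.0.2.x addresses and the SPN registry are constructed (server2's PTR record is deliberately made to point at a different name, to show Edward's reverse-DNS hypothesis producing the "unknown principal" outcome). The KDC behaviour is a simplified model: a global SPN lookup followed by a shortest-path walk over the trusts.

```python
"""Model of SPN canonicalisation and cross-realm referral walking.

Added example, not code from the mailing-list thread. All DNS data,
addresses and the SPN registry are constructed; the realms and trust
relationships come from the thread's diagram.
"""
from collections import deque

# Two-way trusts from the thread's diagram, stored as an undirected graph.
TRUSTS = {
    "EXAMPLE.COM": {"TEST.EXAMPLE.COM", "PROD.EXAMPLE.COM"},
    "TEST.EXAMPLE.COM": {"EXAMPLE.COM"},
    "PROD.EXAMPLE.COM": {"EXAMPLE.COM"},
}

# Constructed DNS data. server2's PTR record deliberately disagrees with
# its A record, which is the failure mode Edward suggests checking for.
FORWARD = {"server1.example.com": "192.0.2.1", "server2.example.com": "192.0.2.2"}
REVERSE = {"192.0.2.1": "server1.example.com", "192.0.2.2": "web2.example.com"}

# Constructed SPN registry: SPN -> realm (domain) in which it is registered.
# Both SPNs live under TEST.EXAMPLE.COM, as in Markus's description.
SPN_REGISTRY = {
    "HTTP/server1.example.com": "TEST.EXAMPLE.COM",
    "HTTP/server2.example.com": "TEST.EXAMPLE.COM",
}

# Error name from RFC 4120 for a service principal the KDC cannot find.
ERR_UNKNOWN = "KDC_ERR_S_PRINCIPAL_UNKNOWN"


def dns_consistent(hostname, forward=FORWARD, reverse=REVERSE):
    """Return (ok, reverse_name). ok is True when A and PTR records agree."""
    addr = forward.get(hostname)
    if addr is None:
        return False, None
    name = reverse.get(addr)
    return name == hostname, name


def requested_spn(service, hostname, forward=FORWARD, reverse=REVERSE):
    """SPN a client that canonicalises via reverse DNS will request.

    Clients that resolve the name and then use the PTR target (for
    example MIT krb5 with rdns enabled) build the SPN from the reverse
    name, so a mismatched PTR record silently changes the SPN requested.
    """
    _ok, name = dns_consistent(hostname, forward, reverse)
    return f"{service}/{name if name else hostname}"


def trust_path(src, dst, trusts=TRUSTS):
    """Shortest realm chain from src to dst over the trust graph (BFS)."""
    if src == dst:
        return [src]
    prev = {src: None}
    queue = deque([src])
    while queue:
        realm = queue.popleft()
        for nxt in trusts.get(realm, ()):
            if nxt in prev:
                continue
            prev[nxt] = realm
            if nxt == dst:
                path = [dst]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def tgs_exchange(client_realm, spn, registry=SPN_REGISTRY, trusts=TRUSTS):
    """Sequence of TGS replies the client sees for one SPN.

    Each hop is either a cross-realm TGT (the referral, named by the
    krbtgt principal it is issued for), the final service ticket, or the
    error returned when no realm reachable over the trusts knows the SPN.
    """
    target_realm = registry.get(spn)
    if target_realm is None:
        return [ERR_UNKNOWN]
    path = trust_path(client_realm, target_realm, trusts)
    if path is None:
        return [ERR_UNKNOWN]  # modelling choice: unreachable realm = unknown
    hops = [f"krbtgt/{path[i + 1]}@{path[i]}" for i in range(len(path) - 1)]
    return hops + [f"{spn}@{target_realm}"]


if __name__ == "__main__":
    for host in ("server1.example.com", "server2.example.com"):
        ok, rname = dns_consistent(host)
        spn = requested_spn("HTTP", host)
        print(f"{host}: reverse={rname} consistent={ok} requests {spn}")
        print("   ", " -> ".join(tgs_exchange("PROD.EXAMPLE.COM", spn)))
```

Run stand-alone, the script shows server1 walking PROD.EXAMPLE.COM to EXAMPLE.COM to TEST.EXAMPLE.COM and receiving its service ticket, while server2 ends in KDC_ERR_S_PRINCIPAL_UNKNOWN because the SPN actually requested (HTTP/web2.example.com) is not the one registered. Swapping the constructed PTR record for the correct name makes both hosts behave identically, which is the quickest way to see why Edward's DNS check comes before the SPN check.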
