Windows Server Referral Problem

Richard E. Silverman res at qoxp.net
Mon Sep 3 17:33:59 EDT 2007 

>>>>> "EN" == Newman, Edward (GTI) <edward_newman at ml.com> writes:

    EN> Markus I have a request out to Microsoft to get more information
    EN> on this.  Microsoft apparently are not following the draft IETF
    EN> standard as yet but have something similar (pre-draft spec)
    EN> implemented in 2000/2003. 09 spec shows differences in Appendix.

    EN> I would check both DNS and AD:

    EN> - For DNS check that server2.example.com has a correct forward and
    EN> reverse. Possible that reverse maps back to another name and thus
    EN> wrong SPN being requested from AD - Check AD has the right SPN
    EN> registered in domain. I also assume this is one forest and you
    EN> left appropriate delay for new server to replicate.

    EN> It is not clear (to me...) how Windows does cross-forest but
    EN> within forest it can look up SPN through Global Catalog and return
    EN> referral to correct domain.

For cross-forest, Windows has "top-level name translations" (TLN's).  A
TLN is a mapping from a domain name suffix to a realm.  When Windows
consults the GC to satisfy a ticket request, if it doesn't find the
principal, it first matches the principal hostname against the defined
TLN's, and returns a referral to the specified realm if there's a match.
For instance, to define a TLN in the realm WINDOWS mapping hostnames
*.unix.foo.com to a realm UNIX, use these Windows commands on a domain
controller:

netdom trust WINDOWS /domain:UNIX /foresttransitive:yes
netdom trust WINDOWS /domain:UNIX /addtln:unix.foo.com

I use this to solve the problem of Windows clients accessing Unix-based
kerberized services which reside in a Unix-based realm, via cross-realm
trust.  The problem is that Windows always assumes any server is in its
own realm, and generates a ticket request for Unix-based principal in the
Windows realm.  This trick provides the needed referral.

    EN> Edward

    EN> I have a problem with server referrals in my Windows environment.
    EN> I have two Unix webservers server1.example.com and
    EN> server2.example.com with SPNs HTTP/server1.example.com and
    EN> HTTP/server2.example.com respectively. Both

    EN> SPNs are setup under a Windows 2003 SP2 domain test.example.com.
    EN> test.example.com has a two way trust to example.com (2003 SP2
    EN> domain) which has a two way trust to prod.example.com (2003 SP2
    EN> domain).

    EN>                     EXAMPLE.COM / \ / \ TEST.EXAMPLE.COM
    EN> PROD.EXAMPLE.COM


    EN> The problem I have that a user from prod.example.com can access
    EN> server1 and authenticate, but can not authanticate to server2. The
    EN> reason is that the client gets an error "unknown principal" from
    EN> prod.example.com when requesting a TGS for
    EN> HTTP/server2.example.com whereas for HTTP/server1.example.com the
    EN> client gets a TGS referrals reply to example.com and from there to
    EN> test.example.com.

    EN> What determines on the domain controller prod.example.com to reply
    EN> with a referral to a TGS Req ?

    EN> BTW I only assume the replys are referrals as the TGS Req does not
    EN> have the canonicalisation option set and the TGS Rep doesn't have
    EN> pa-data as described in
    EN> draft-ietf-krb-wg-kerberos-referrals-09.txt. Does Windows follow
    EN> that draft ?

    EN> Thank you Markus


    EN> Edward

    EN> ___________________________________ Edward Newman GTI A&E Identity
    EN> & Naming Services Merrill Lynch, 9th Fl, 222 Broadway, New York,
    EN> NY 10007, USA Phone : +1-212-670-1546 Cell: +1-917-975-2356
    EN> --------------------------------------------------------

    EN> This message w/attachments (message) may be privileged,
    EN> confidential or proprietary, and if you are not an intended
    EN> recipient, please notify the sender, do not use or share it and
    EN> delete it. Unless specifically indicated, this message is not an
    EN> offer to sell or a solicitation of any investment products or
    EN> other financial product or service, an official confirmation of
    EN> any transaction, or an official statement of Merrill
    EN> Lynch. Subject to applicable law, Merrill Lynch may monitor,
    EN> review and retain e-communications (EC) traveling through its
    EN> networks/systems. The laws of the country of each sender/recipient
    EN> may impact the handling of EC, and EC may be archived, supervised
    EN> and produced in countries other than the country in which you are
    EN> located. This message cannot be guaranteed to be secure or
    EN> error-free. This message is subject to terms available at the
    EN> following link: http://www.ml.com/e-communications_terms/. By
    EN> messaging with Merrill Lynch you consent to the foregoing.
    EN> --------------------------------------------------------

-- 
  Richard Silverman
  res at qoxp.net

More information about the Kerberos mailing list