Windows Client resolve Realm KDC over DNS
Andrin Vocat
avocat at novell.com
Thu Aug 28 12:08:21 EDT 2008
Hello
I read some threads with the same problem but without any solution, so I will try it again.
Today we have four completely separate Active Directories with thousands of clients.
I implemented an MIT KDC to build a shared resource Realm for SSO.
Now I want to deploy that to all clients.
The client sends a TGS request to its AD controller; the DC sends a referral with the resource Realm.
At this point the client needs to evaluate what KDC is responsible for the Realm.
The easiest way is to configure it on the client (ksetup /AddKdc [Realm] [KDC]). If there is no configuration, the client tries to resolve the KDC over DNS (SRV _kerberos._tcp.dc._msdcs.[domain]).
ksetup on each client would take a long time and be a lot of work. So I added this DNS entry with a pointer to the KDC.
The client resolves it successfully and then does a CLDAP query -> no response (or ICMP).
I read that the CLDAP query is something like an AD ping, to check whether the AD is responsible for the domain and available.
Is there a way to switch this setting off (the CLDAP query)? Or could I emulate the required response, for example with Samba?
Any Ideas?
Regards
Andrin Vocat
More information about the Kerberos mailing list