Windows Crossrealm trust with MIT Kerberos

Robert Wehn robert.wehn at
Wed Mar 27 10:00:09 EDT 2013

Hello Chris

On 26.03.2013 20:58, C.Racky at wrote:
> 	My Issue is now:
> If I try as MIT authenticated (mapped) user "usera" on system "windc"
> to access an published CIFS shared 
> on server" memberhost" this works great via UNC. e.g.
> \memberhostpublishedFolder [2]
> But if I use instead the IP adresses in UNC it does not work. e.g.
> \ [3]
usually The Windows Computer should try to find out the service
principal name for the server with DNS forward/backward lookup:

forward: nslookup "memberhost" fqdn => IP
reverse: nslookup IP => memberhostfqdn

- Is the reverse lookup working for your server?
- if i look at my AD i usually have for Computer accounts Principal
Names like this:
> C:\>dsquery * -filter
> "(&(objectCategory=Computer)(objectClass=user)(sAMAccountName=MYCOMPUTER*))"
> -attr distinguishedname sAMAccountName servicePrincipalName
>   distinguishedname                                         
> sAMAccountName    servicePrincipalName
>   CN=MYCOMPUTER,OU=someou,DC=mydomain,DC=com                
=> so by default there is an HOST/* entry for the fqdn and the short
WINS hostname, not the IP

If reverse lookup is not possible (=> no canonicalization) or fqdn does
not match the entry in AD you may need to add the entries HOST/ip-nr

To debug that you can wireshark the Client<->DNS and
Client<->kerberos(AD and MIT) traffic and find out what Tickets your
client tries to get (and why this fails)
>  	One simple request leads to a lockout of the account. 
> Checking the traffic with network monitor shows that during one trial
> the NTLM login was executed exactly 27 times
> with the domain user and the password used by the current session
> which is wrong for the domain account.
This seems to happen because of the Windows fall back to NTLM when
Kerberos fails
-> but of course the username/password (which is in the user session's
memory) is not the one you need for the fall back:
"usera" with"password" does not exist in the NTLM Database, where it is
"usera" with "randompassword"

Did I understand correctly, that the user "usera" is locked in AD after
the 27 wrong Password tries with NTLM?
Maybe there's a GPO setting to avoid the fall back mechanism.



Dr. Robert Wehn ........................
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028

More information about the Kerberos mailing list