Windows Crossrealm trust with MIT Kerberos
robert.wehn at rz.uni-augsburg.de
Wed Mar 27 10:00:09 EDT 2013
On 26.03.2013 20:58, C.Racky at t-online.de wrote:
> My Issue is now:
> If I try as MIT authenticated (mapped) user "usera" on system "windc"
> to access an published CIFS shared
> on server" memberhost" this works great via UNC. e.g.
> \memberhostpublishedFolder 
> But if I use instead the IP adresses in UNC it does not work. e.g.
> \192.168.1.12publishedFOlder 
usually The Windows Computer should try to find out the service
principal name for the server with DNS forward/backward lookup:
forward: nslookup "memberhost" fqdn => IP
reverse: nslookup IP => memberhostfqdn
- Is the reverse lookup working for your server?
- if i look at my AD i usually have for Computer accounts Principal
Names like this:
> C:\>dsquery * -filter
> -attr distinguishedname sAMAccountName servicePrincipalName
> sAMAccountName servicePrincipalName
> MYCOMPUTER$ HOST/mycomputer.mydomain.com;HOST/MYCOMPUTER;
=> so by default there is an HOST/* entry for the fqdn and the short
WINS hostname, not the IP
If reverse lookup is not possible (=> no canonicalization) or fqdn does
not match the entry in AD you may need to add the entries HOST/ip-nr
To debug that you can wireshark the Client<->DNS and
Client<->kerberos(AD and MIT) traffic and find out what Tickets your
client tries to get (and why this fails)
> One simple request leads to a lockout of the account.
> Checking the traffic with network monitor shows that during one trial
> the NTLM login was executed exactly 27 times
> with the domain user and the password used by the current session
> which is wrong for the domain account.
This seems to happen because of the Windows fall back to NTLM when
-> but of course the username/password (which is in the user session's
memory) is not the one you need for the fall back:
"usera" with"password" does not exist in the NTLM Database, where it is
"usera" with "randompassword"
Did I understand correctly, that the user "usera" is locked in AD after
the 27 wrong Password tries with NTLM?
Maybe there's a GPO setting to avoid the fall back mechanism.
Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
More information about the Kerberos