Re: SSO Fails on XP SP2



Miguel,

I use an XP SP2 client and can't recreate your problem. I have

AD <-transitive trust-> MIT
|
XPSP2

I log in to my XP box with a Windows id with 25 groups, use Vintella Putty
to log in to a Unix server which is registered on the MIT kdc, and I can log in
straight away. Is that your setup, or do you log in to a client which is part
of your child domain?

Thank you
Markus



"Miguel Sanders" <miguelsanders@xxxxxxxxxx> wrote in message
news:1185959509.025577.286370@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
OK, I narrowed down the problem.
It seems that whenever the user has more than 20 groups, SSO on XP SP2
won't work. Below 20 groups it works OK. In XP SP1 there is no problem with
the number of group memberships. I assume that the Cross Realm Object
needs the NO_AUTH_REQUIRED field set in userAccountControl. However,
the DNS admin reports that he gets "Access Denied" when trying to edit
that field of the Cross Realm object...

On 31 Jul, 23:24, "Markus Moeller" <hua...@xxxxxxxxxxxxxxxx> wrote:
Can you add the SPN with REALM into the SPN field under ssh->GSSAPI, e.g.

host/server.com@REALM

I think Vintella is adding the default domain otherwise. Not sure if that
is a bug or if I missed a configuration setting.

Markus

"Miguel Sanders" <miguelsand...@xxxxxxxxxx> wrote in message
news:1185858011.253554.141040@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

I see that I receive the cross realm ticket.
However I don't receive any service ticket!

On 30 Jul, 21:53, "Markus Moeller" <hua...@xxxxxxxxxxxxxxxx> wrote:
Can you use kerbtray to see if you get the service principal ?

Markus

"Miguel Sanders" <miguelsand...@xxxxxxxxxx> wrote in message
news:1185823586.577161.78640@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Markus, I already tried editing that setting but no luck either...
Every time I think I am done with this setup, there is a new issue...
However, the SSO from the Linux clients to the UNIX KDCs worked
instantly!

On 30 Jul, 20:52, "Markus Moeller" <hua...@xxxxxxxxxxxxxxxx> wrote:
You might need this:

"This new feature has been seen in Windows 2003 Server, Windows 2000 Server
SP4, and Windows XP SP2. We assume that it will be implemented in all
future Microsoft operating systems supporting the Kerberos SSPI. Microsoft
does work closely with MIT and has provided a registry key to disable this
new feature.

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
AllowTGTSessionKey = 0x01 (DWORD)

On Windows XP SP2 the key is specified as

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
AllowTGTSessionKey = 0x01 (DWORD)"

as described here: http://web.mit.edu/kerberos/kfw-2.6/kfw-2.6.5/relnotes.html#mslsa

Regards
Markus

"Miguel Sanders" <miguelsand...@xxxxxxxxxx> wrote in message
news:1185818694.532130.67160@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dear all

I don't know whether or not I should post this here or in
microsoft.xp.client, but I will do both.
After successfully implementing a cross realm trust between AD and a
UNIX realm, it seems that the clients that use SP1 can successfully
have SSO to the UNIX machine whereas the SP2 people can't. Can anyone
help me out, since I am not a Windows expert :-)
The tool I use for SSO on the Windows clients is Vintella Putty 0.60
q1.129.

Kind regards

Miguel

________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos
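Added example (mine, not posted by anyone in the thread): a PowerShell snippet that writes the AllowTGTSessionKey value quoted above from the KfW 2.6.5 release notes at the path matching the OS it runs on (Lsa\Kerberos on XP SP2, Lsa\Kerberos\Parameters on Windows 2000 SP4 / Server 2003) and reads it back. The version-prefix test on Win32_OperatingSystem.Version, the elevated shell, and putting any later OS into the Parameters branch are my assumptions; the thread itself reports that setting this value did not resolve Miguel's SP2 problem, so treat it as one of the checks, not the fix.

```powershell
# Added example, not from the thread: set AllowTGTSessionKey at the path the
# MIT KfW 2.6.5 release notes give for the running OS, then read it back.
# Assumptions: run in an elevated PowerShell; Win32_OperatingSystem.Version
# starts with "5.1" on Windows XP, "5.0" on Windows 2000 and "5.2" on
# Server 2003; anything else is treated like 2003 (Parameters subkey).

$osVersion = (Get-WmiObject -Class Win32_OperatingSystem).Version

if ($osVersion -like '5.1.*') {
    # Windows XP SP2: the value lives directly under Lsa\Kerberos
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos'
} else {
    # Windows 2000 SP4 / Server 2003: under Lsa\Kerberos\Parameters
    $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
}

# The Parameters subkey may not exist yet; create it rather than fail.
if (-not (Test-Path -Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Record the current state. The value is absent by default, so a missing
# property is expected on first run and is not an error here.
$before = (Get-ItemProperty -Path $keyPath -Name AllowTGTSessionKey `
           -ErrorAction SilentlyContinue).AllowTGTSessionKey
"Before: ${keyPath}\AllowTGTSessionKey = $before"

# Write the DWORD exactly as the release notes specify (0x01).
Set-ItemProperty -Path $keyPath -Name AllowTGTSessionKey -Value 1 -Type DWord

# Read back and fail loudly if the write did not take (e.g. not elevated).
$after = (Get-ItemProperty -Path $keyPath -Name AllowTGTSessionKey).AllowTGTSessionKey
if ($after -ne 1) {
    throw "AllowTGTSessionKey is '$after', expected 1 at $keyPath"
}
"After:  ${keyPath}\AllowTGTSessionKey = $after"
```

Two caveats worth keeping in mind when rolling this out. First, the "feature" the release notes talk about disabling is the LSA withholding the TGT session key from user-mode callers; setting AllowTGTSessionKey to 1 hands that key back to any process running as the logged-on user, which is what lets a non-Microsoft Kerberos stack reuse the LSA ticket but also widens what a compromised user process can do with the cached TGT. Scope it to the machines that actually need third-party GSSAPI clients. Second, it only controls access to the TGT; whether a service ticket for host/server.com@REALM is then obtained is a separate step, and kerbtray (as suggested earlier in the thread) is still the place to confirm that.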
