Re: kerberos tickets and the SPNs

Markus Moeller wrote:

I also use msktutil, and you can find it here: http://dag.wieers.com/rpm/packages/msktutil/

That points to:
http://download.systemimager.org/~finley/msktutil/
and Finley is here at ANL.

We now have Debian mods to 0.3.16-7 to work with W2008, and use the
Windows attribute msDs-supportedEncryptionTypes so one can use AES.
Anyone interested?


You can also use setspn -A host/fqdn in lowercase instead of setspn -R.

BTW the original netjoin tool from MS used computer accounts, not user accounts.
http://msdn.microsoft.com/en-us/library/ms808911.aspx
http://download.microsoft.com/download/win2000pro/2kkerb2/1.0/nt5/en-us/ad-unix.exe
I don't know why they changed their mind.

Markus

----- Original Message ----- From: "Ravi Channavajhala" <ravi.channavajhala@xxxxxxxxxx>
To: "Douglas E. Engert" <deengert@xxxxxxx>
Cc: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>; <kerberos@xxxxxxx>
Sent: Friday, May 08, 2009 8:59 PM
Subject: Re: kerberos tickets and the SPNs


Don't agree here. Natively adding a computer to AD and checking with
setspn -L didn't show any SPNs. Resetting the SPNs with setspn -R
creates two entries:

HOST/HOSTNAME$
HOST/HOSTNAME$.SHORTFORM DOMAIN

Both are incorrect....

The point is, I can manipulate SPNs to no end, but obviously no
success with Kerberos. My real issue is kerberos flip flopping with
'Server not found in Database' to 'Keytable entry incorrect Key
version'.

--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
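
Added example (not from anyone in this thread): a small Python model of the lookup chain behind the two errors Ravi sees, run over constructed account and keytab states. The host name, realm, kvnos, the msDS-SupportedEncryptionTypes bit values and the case-insensitive AD SPN match are assumptions made here for illustration.

```python
"""Constructed model of one AD service-ticket round trip: which MIT error a
Unix service reports for a given SPN / keytab state (illustration only)."""

# Assumed bit values of msDS-SupportedEncryptionTypes (W2008 and later).
ENC_BITS = {0x1: "des-cbc-crc", 0x2: "des-cbc-md5", 0x4: "arcfour-hmac",
            0x8: "aes128-cts-hmac-sha1-96", 0x10: "aes256-cts-hmac-sha1-96"}
PREFERENCE = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
              "arcfour-hmac", "des-cbc-md5", "des-cbc-crc"]


def kdc_lookup(account, requested_spn):
    """DC side. Assumption: servicePrincipalName matches case-insensitively.
    Returns (kvno, enctype) of the key the ticket is encrypted with, or
    None when no account carries the SPN (KDC_ERR_S_PRINCIPAL_UNKNOWN)."""
    registered = {spn.lower() for spn in account["servicePrincipalName"]}
    if requested_spn.lower() not in registered:
        return None
    allowed = [name for bit, name in ENC_BITS.items()
               if account["msDS-SupportedEncryptionTypes"] & bit]
    enctype = next(e for e in PREFERENCE if e in allowed)
    return account["msDS-KeyVersionNumber"], enctype


def diagnose(account, keytab, requested_spn, realm):
    """Service side: return the MIT-style error the service logs, or 'OK'."""
    issued = kdc_lookup(account, requested_spn)
    if issued is None:
        return "Server not found in Kerberos database"
    kvno, enctype = issued
    # MIT keytab lookup is case-sensitive on the principal, hence the
    # advice in the thread to register host/fqdn in lowercase.
    sname = f"{requested_spn}@{realm}"
    same = [e for e in keytab if e["principal"] == sname and e["enctype"] == enctype]
    if not same:
        return "Key table entry not found"
    if not any(e["kvno"] == kvno for e in same):
        return "Key version number for principal in key table is incorrect"
    return "OK"


# Constructed: account right after `setspn -R` (only HOST/HOSTNAME$ forms),
# and the same account after `setspn -A host/unixbox.example.com`.
ACCOUNT_AFTER_SETSPN_R = {
    "servicePrincipalName": ["HOST/UNIXBOX$", "HOST/UNIXBOX$.EXAMPLE"],
    "msDS-KeyVersionNumber": 4,
    "msDS-SupportedEncryptionTypes": 0x1C,  # RC4 + AES128 + AES256
}
ACCOUNT_FIXED = dict(ACCOUNT_AFTER_SETSPN_R,
                     servicePrincipalName=["HOST/UNIXBOX$", "host/unixbox.example.com"])
# Constructed keytabs: one from before a password reset (kvno 3), one current.
KEYTAB_STALE = [{"principal": "host/unixbox.example.com@EXAMPLE.COM",
                 "kvno": 3, "enctype": "aes256-cts-hmac-sha1-96"}]
KEYTAB_FRESH = [dict(KEYTAB_STALE[0], kvno=4)]
```

Each state maps to exactly one of the two messages, so alternating between them is a sign that the SPN set and the keytab are being changed out of step with each other.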