Re: kerberos tickets and the SPNs

---

• From: Brian Elliott Finley <finley@xxxxxxx>
• Date: Mon, 11 May 2009 13:54:20 -0500

---

I've uploaded the latest changes:

http://download.systemimager.org/~finley/msktutil/



Douglas E. Engert wrote:

Markus Moeller wrote:

I use also msktutil and you can find it here
http://dag.wieers.com/rpm/packages/msktutil/

That points to:
http://download.systemimager.org/~finley/msktutil/
and Finley is here at ANL.

We now have Debian mods to 0.3.16-7 to work with W2008, and use the
Windows attribute msDs-supportedEncryptionTypes so one can use AES.
Any one interested?

You can also use setspn -A host/fqdn in lowercase. instead of setspn -R.

BTW the original netjoin tool from MS used computer accounts not user
accounts. http://msdn.microsoft.com/en-us/library/ms808911.aspx
http://download.microsoft.com/download/win2000pro/2kkerb2/1.0/nt5/en-us/ad-unix.exe
I don't know why they changed their mind.

Markus

----- Original Message ----- From: "Ravi Channavajhala"
<ravi.channavajhala@xxxxxxxxxx>
To: "Douglas E. Engert" <deengert@xxxxxxx>
Cc: "Markus Moeller" <huaraz@xxxxxxxxxxxxxxxx>; <kerberos@xxxxxxx>
Sent: Friday, May 08, 2009 8:59 PM
Subject: Re: kerberos tickets and the SPNs


Don't agree here. Natively adding a computer to AD and checking with
setspn -L didn't show any SPNs. Resetting the SPNs with setspn -R,
creates two entries

HOST/HOSTNAME$
HOST/HOSTNAME$.SHORTFORM DOMAIN

Both are incorrect....

The point is, I can manipulate SPNs to no end, but obviously no
success with Kerberos. My real issue is kerberos flip flopping with
'Server not found in Database' to 'Keytable entry incorrect Key
version'.

--
Brian Elliott Finley
Deputy Manager, Unix, Storage, and Operations
Computing and Information Systems
Argonne National Laboratory
Office: 630.252.4742
Mobile: 630.631.6621
.

---

• References:
  • Re: kerberos tickets and the SPNs
    • From: Douglas E. Engert
  • Re: kerberos tickets and the SPNs
    • From: Markus Moeller
  • Re: kerberos tickets and the SPNs
    • From: Ravi Channavajhala
  • Re: kerberos tickets and the SPNs
    • From: Markus Moeller

• Prev by Date: Re: kerberos tickets and the SPNs
• Next by Date: RE: auth_to_local struggle
• Previous by thread: Re: kerberos tickets and the SPNs
• Next by thread: Re: kerberos tickets and the SPNs
• Index(es):
  • Date
  • Thread

---

Relevant Pages Need Help Understanding Kerberos SPN Problem ... I either don't understand how to use SETSPN, or I have some serious problem ... the domain controller are returning errors indicating the account doesn't ... I've read the Microsoft documents on troubleshooting Kerberos, ... understand SPNs any better after reading those than I did before. ... (microsoft.public.windows.server.active_directory) Re: Need Help Understanding Kerberos SPN Problem ... And so I figure you're probably spending a while troubleshooting this. ... manually, using Setspn. ... with Kerberos in our domain. ... understand SPNs any better after reading those than I did before. ... (microsoft.public.windows.server.active_directory) Re: kerberos tickets and the SPNs ... kerberos tickets and the SPNs ... Resetting the SPNs with setspn -R, ... Argonne National Laboratory ... (comp.protocols.kerberos) Re: kerberos tickets and the SPNs ... You can also use setspn -A host/fqdn in lowercase. ... BTW the original netjoin tool from MS used computer accounts not user accounts. ... kerberos tickets and the SPNs ... (comp.protocols.kerberos) Re: Performance issues With Impersonation and Delegation ... Start with the SPNs though. ... service account in AD with an LDAP query and return its servicePrincipalName ... I enabled Kerberos logging on the web service server and now for every web ... (microsoft.public.dotnet.framework.aspnet.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)