|
Posted by chen on June 15, 2007, 5:08 pm
Please log in for more thread options On Jun 15, 12:11 pm, "Joe Kaplan"
> I've seen this issue reported before, but I can't remember the details. The
> exact behavior you are seeing, ticket being requested initially with the
> full DNS-based SPN but then switching over to the NetBIOS style and
> potentially causing failure, is a known issue that I think may have
> something to do with IE. I believe if you do some additional searches on
> the newsgroups and MS KB, you'll find more info.
>
> It may be possible to work around the issue by creating the other SPN as
> well.
>
> Another thing you might consider would be protocol transition logon and
> constrained delegation. If you are using 2003 web servers throughout and
> have a 2003 native AD, then it is possible to configure things so that the
> front end can authenticate with any protocol you want (Kerb, NTLM, Digest,
> basic, etc.) and then transition to Kerberos to do the delegated call when
> needed. This feature requires you to use constrained delegation as well,
> but that is generally a good idea anyway as unconstrained delegation is a
> potentially serious security risk.
>
> Good luck with this one!
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services
Programming"http://www.directoryprogramming.net
>
>
>
>
> > One thing we noticed in the NetMon captures, the TGS request usually
> > looks for the SPN using the FQDN as in: Realm: xyz.com SName: http/
> > ServerA.xyz.com.
>
> > Sometimes, we see the SName in TGS request as http/ServerA instead of
> > the FQDN. This returns the KRB_ERROR- KDC_ERR_S_PRINCIPAL_UNKNOWN
> > which probably leads to Kerberos failure to switch back to using NTLM
> > authentication.
>
> > Under what scenarios will a client be sending a TGS request which does
> > not use the FQDN?- Hide quoted text -
>
> - Show quoted text -
Thanks Joe. We'll explore the constrained delegation option more. And
yes, all the web servers & DCs are running Windows Server 2003.
Originally, we thought that this is somehow IE related (or browser
related as Firefox exhibits the same symptoms). But the netmon capture
shows that other service classes exhibiting similar behavior as well.
For e.g. we see TGS requests for 'cifs/<fileserver>' fail for almost
identical reasons as well. Again the fileserver is not the FQDN but
the NetBIOS name.
This leads me to believe that it is not the client processes that are
issuing these requests - more a system component (LSASS perhaps?) that
affects all processes running under the context of the logged on user.
So once again, under what scenarios does the TGS request flip from
using FQDN to NetBIOS style server names?
chen
PS: We've added the SPN for the NetBIOS style names as well & so far
based one days worth of testing everything looks good but we aren't
sure if we fixed or even understood the underlying problem.
| 
XML Sitemap