Kerberos interoperability with import NT4 users and WRQ Reflections

Jason

Has anyone encountered a problem with getting Windows 2000 Kerberos running
with the WRQ client connections?

We have a problem with any clients that were imported over from the NT 4
domain not having the ability to work the Kerberos authentication. We were
able to create new users that did not have the problem.

I found the NT4 imported users do not have the option "Use DES encryption
types for this account" selected, whereas the newly created users do.

Is this a known issue?

Suggestions?
 
Alex Zhang

Hello Jason,

Thank you for posting here.

To understand the issue better, I'd like to confirm the following
information with you:
1. How do you find that clients do not have the ability to work the Kerberos
authentication? Is there any related error message or event?
2. Which kind of clients do not have the ability? Do you refer to computers
or users for "clients"?

The "Use DES encryption types for this account" and the "Don't require
Kerberos Preauthentication" check boxes are controlled by bits that are set
in the userAccountControl field of the Active Directory.

You could try to open the "Active Directory Users and Computers" and set
the userAccountControl value to be '66048'. For more information about
how to modify the values of userAccountControl you may browse the following
website:

How to Use the UserAccountControl Flags to Manipulate User Account
Properties
http://support.microsoft.com/default.aspx?scid=KB;EN-US;305144

I hope the information proves helpful!
If you have any questions please do not hesitate to let me know. I am glad
to be of assistance.
Thanks and regards,
Alex Zhang
Microsoft Partner Online Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Reply-To: "Jason" <[email protected]>
| From: "Jason" <[email protected]>
| Subject: Kerberos interoperablity with import NT4 users and WRQ
Reflections
| Date: Thu, 11 Mar 2004 16:18:36 -0500
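The two check boxes named in the reply above each map to a single bit of userAccountControl. As an added example (not part of the original posts), this Python sketch decodes a value using bit values from KB 305144, changes one bit without disturbing the rest, and lists accounts that have the DES-only or no-preauthentication bit set. The account names and sample values are constructed.

```python
# userAccountControl bit values as listed in Microsoft KB 305144 (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",   # "Use DES encryption types for this account"
    0x400000: "DONT_REQ_PREAUTH",   # "Don't require Kerberos Preauthentication"
    0x800000: "PASSWORD_EXPIRED",
}
BY_NAME = {name: bit for bit, name in UAC_FLAGS.items()}

def decode(value):
    """Return the flag names set in a userAccountControl value, low bit first."""
    names, rest = [], value
    for bit in sorted(UAC_FLAGS):
        if value & bit:
            names.append(UAC_FLAGS[bit])
            rest &= ~bit
    if rest:  # bits outside the subset above are reported, not dropped
        names.append("UNKNOWN_0x%X" % rest)
    return names

def with_flag(value, name, enabled=True):
    """Set or clear one flag and leave every other bit untouched."""
    bit = BY_NAME[name]
    return value | bit if enabled else value & ~bit

def audit(accounts, watch=("USE_DES_KEY_ONLY", "DONT_REQ_PREAUTH")):
    """Map each account name to the watched flags it has set, if any."""
    report = {}
    for name, value in accounts.items():
        hits = [flag for flag in decode(value) if flag in watch]
        if hits:
            report[name] = hits
    return report

# Constructed sample data: account name -> userAccountControl value.
SAMPLE = {
    "user_a": 66048,                       # the value quoted in the reply above
    "user_b": 0x200 | 0x200000,            # normal account, DES-only bit set
    "user_c": 0x200 | 0x10000 | 0x400000,  # preauthentication not required
}

if __name__ == "__main__":
    for user, uac in SAMPLE.items():
        print(user, uac, decode(uac))
    print(audit(SAMPLE))
```

Running the audit against an export of imported and newly created accounts shows exactly which bits differ between the two groups.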
 
Jason

Alex,
The WRQ Reflections program has a problem with the Kerberos authentication
when you use it to access a Unix host. I will have to get the exact error
message for you.

We are using Windows 2000 (SP2,SP3) Pro as the client. We found the DNS
request failed the authentication, unless you add an entry into the host
file on the computer. I am able to ping/resolve the name easily before modifying
the host file with no problems. Strange.

We did notice that any users that were imported from the old NT4 domain do not
have the DES item enabled. Any new users do. Is this a known issue?

Are there any known issues with the Windows 2000 Kerberos version that
conflict with the MIT version of Kerberos?

Thanks
 
Alex Zhang

Hello Jason,

Thank you for your reply.

For your question about conflicts between the Windows 2000 Kerberos version and
the MIT version of Kerberos, I am glad to provide some related information
to you:
http://www.blackhat.com/presentations/bh-europe-00/Rooster_Glaser/RoosterJDGlaser.ppt

Windows 2000 Kerberos Interoperability
http://web.mit.edu/pismere/MSR-Summer-2000/DAY1_Finished/KerberosWorkshop_Interoperability/default.htm

Kerberos Security
http://www.mcmcse.com/win2k/guides/kerberos.shtml


Windows 2000 added some new user attributes such as "Use DES encryption
types for this account" for users. Therefore, the option is not available
for users that migrated from NT domain.

To understand the issue better, I'd like to confirm the following
information with you:
1. If you enable the DES option selected as I suggested, does the WRQ
Reflections program work?
2. What's the error message?
3. After you add an entry into the host file, does the WRQ program work?
4. You could rejoin your windows 2000 client to domain. Remove the client
from the domain and then rejoin to domain.

This response contains a reference to a third-party World Wide Web site.
Microsoft is providing this information as a convenience to you. Microsoft
does not control these sites and has not tested any software or information
found on these sites; therefore, Microsoft cannot make any representations
regarding the quality, safety, or suitability of any software or
information found there. There are inherent dangers in the use of any
software found on the Internet, and Microsoft cautions you to make sure
that you completely understand the risk before retrieving any software from
the Internet.

I hope the information proves helpful!
If you have any questions please do not hesitate to let me know. I am glad
to be of assistance.
Have a nice day!
Thanks and regards,
Alex Zhang
Microsoft Partner Online Support
Get Secure! - www.microsoft.com/security
--------------------
| Reply-To: "Jason" <[email protected]>
| From: "Jason" <[email protected]>
| References: <#[email protected]>
<[email protected]>
| Subject: Re: Kerberos interoperablity with import NT4 users and WRQ
Reflections
| Date: Fri, 12 Mar 2004 13:33:55 -0500
 
