GPO problems when logon to kerberos-realm

  • Thread starter Michael Sundström
  • Start date

Michael Sundström

Hi from Sweden,

We have a Terminal Server running on Windows Server 2003. We locked it down
according to the Microsoft white paper on how to lock down a Terminal Server.

We configured a Kerberos realm with "ksetup" and use Kerberos as the
authentication method for our users.

Because our users are not placed in the same OU as the Terminal Server we
have enabled "User Group Policy loopback processing mode" and it works
perfectly as long as the users log on to the normal Windows domain. But when
the users log on to the Kerberos realm the GPO settings are not applied.
It seems that the loopback processing mode does not work when logging on to the
Kerberos realm.

Does anybody know why there should be such a problem when using GPO and
logging on to a Kerberos realm?
Could it be that we have to "activate" the GPO settings so that they also
apply to the Kerberos realm?

Thanks in advance!

/Michael

Tim Springston [MS]

Hi Michael-

If I understand correctly you have used KSETUP.EXE to map users to your domain
users (ALLUSERS). That sounds like it would work; however, the other realm
(the non-Microsoft one) will not have the information that the group policy
processing will need to identify the user principal and verify that they
have the required permissions and access to that policy or policies (the AD
portion of it and the file system portion located in the SYSVOL).

This access is identified by using security identifier (SID) attributes on
the Active Directory account for the user principal. I don't know how a
non-Microsoft realm would be able to pass that along to your terminal server
when creating the user environment at logon. If I recall correctly, most
other environments do not have a security identifier (SID) to pass along at
logon. That being the case, the loopback processing mode would not be an
option when your users log on using their credentials from the other Kerberos
realm (the non-Microsoft one).

If anyone in the newsgroup has some good interoperability experience to pass
along for Michael please add to this thread.
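Tim's answer rests on whether the logon token built from the realm-mapped account actually carries a SID that the GPO ACLs can match. The following diagnostic is an added example, not from the thread or from Microsoft; it assumes PowerShell has been installed on the Terminal Server and is run inside an affected user's session.

```powershell
# Added diagnostic (not part of the thread): inspect the current session's
# token and compare it with what the Group Policy engine reports.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# Which logon protocol produced this token (Kerberos, NTLM, ...)
"AuthenticationType : $($id.AuthenticationType)"
"Name               : $($id.Name)"

# Group Policy evaluates the 'Apply Group Policy' ACE on the GPO (AD part) and
# the SYSVOL ACLs against SIDs in the token, so a token without one cannot
# match any GPO, regardless of loopback processing.
if ($id.User) {
    "User SID           : $($id.User.Value)"
    # Domain portion of the SID: should be the AD domain that holds the
    # mapped account, otherwise the GPO ACLs will not apply to this principal.
    "Account domain SID : $($id.User.AccountDomainSid)"
} else {
    "User SID           : <none> - GPO ACL checks cannot match this principal"
}

"Group SIDs in token:"
$id.Groups | ForEach-Object { "  $($_.Value)" }

# What the policy engine itself applied or filtered for the user portion.
# Compare a session logged on to the Windows domain with one logged on to
# the realm: the 'Applied Group Policy Objects' list should differ if Tim's
# explanation is correct.
gpresult /scope:user /v |
    Select-String -Pattern 'Applied Group Policy Objects', 'GPO:', 'Filtering:', 'loopback' -Context 0,3
```

Run it once for a normal Windows-domain logon and once for a Kerberos-realm logon of the same user; a missing or foreign domain SID in the second run confirms why loopback processing has nothing to apply.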