Kerberos is not working when "selective authentication" on the forest trust is enabled

When we use "selective authentication" on the one-way forest trust,
Kerberos is not working, only NTLM. When we deselect "selective
authentication" on the forest trust, Kerberos works fine to access
resources in the resource domain.

For security reasons we need "selective authentication" on the trust,
and we want Kerberos as the authentication protocol.

(The domains are in W2K3 mode; service principal names for the accounts
are created.)

With "selective authentication" enabled we receive the following error
from a DC in the resource domain:

No. Time Source Destination
Protocol Info
53 3.896470 KRB5

Frame 53 (196 bytes on wire, 196 bytes captured)
Ethernet II, Src: Cisco_f2:6c:f0 (00:d0:bc:f2:6c:f0), Dst:
CompaqCo_dc:b2:4b (00:08:02:dc:b2:4b)
Internet Protocol, Src: XXX.29.17.56 (, Dst:
XXX.29.193.212 (XXX.29.193.212)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 1853
(1853), Seq: 1, Ack: 1740, Len: 142
Kerberos KRB-ERROR
Record Mark: 138 bytes
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2006-10-27 09:54:51 (Z)
susec: 940079
error_code: KRB5KDC_ERR_POLICY (12)
Server Name (Service and Instance): HTTP/
Name-type: Service and Instance (2)
Name: HTTP
e-data PA-PW-SALT
Type: PA-PW-SALT (3)
Value: 130400C00000000003000000
NT Status: Unknown (0xc0000413)
Unknown: 0x00000000
Unknown: 0x00000003

Does anyone have an idea?

Greetings Roger
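Added example (not part of the original thread, and not from either poster): a small Python decoder for the two values that matter in the KRB-ERROR above, the Kerberos error_code and the 12-byte e-data blob that Wireshark labels PA-PW-SALT. Windows KDCs put a KERB-EXT-ERROR structure there: three little-endian 32-bit words, an NTSTATUS followed by two further DWORDs (shown as 0 and 3 in the trace). The sample input is the hex string from the capture; the field names `reserved`/`flags` for the second and third DWORDs and the function names are this example's own choices. 0xC0000413 is STATUS_AUTHENTICATION_FIREWALL_FAILED, the status the "authentication firewall" (selective authentication) returns when the principal has not been granted "Allowed to Authenticate" on the target computer object.

```python
import struct
from typing import Optional

# Subset of Kerberos error codes from RFC 4120 section 7.5.9.
KRB_ERROR_CODES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    12: "KDC_ERR_POLICY",
    18: "KDC_ERR_CLIENT_REVOKED",
    23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
    68: "KDC_ERR_WRONG_REALM",
}

# Subset of Windows NTSTATUS values commonly seen in KRB-ERROR e-data.
NTSTATUS_NAMES = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC0000413: "STATUS_AUTHENTICATION_FIREWALL_FAILED",
}

# Defender-side reading of the NTSTATUS: what to check on the resource side.
LIKELY_CAUSES = {
    0xC0000413: "selective authentication: the calling principal has not been granted "
                "'Allowed to Authenticate' on the target computer object in the resource domain",
    0xC0000234: "account locked out in the account domain",
    0xC0000072: "account disabled in the account domain",
    0xC0000193: "account expired in the account domain",
}


def decode_kerb_ext_error(edata_hex: str) -> dict:
    """Decode the 12-byte KERB-EXT-ERROR blob carried in KRB-ERROR e-data.

    Layout (little-endian): NTSTATUS, then two DWORDs that this example
    labels 'reserved' and 'flags' (assumed names; the capture shows 0 and 3).
    """
    raw = bytes.fromhex(edata_hex)
    if len(raw) != 12:
        raise ValueError(f"expected 12 bytes of KERB-EXT-ERROR data, got {len(raw)}")
    status, reserved, flags = struct.unpack("<III", raw)
    return {
        "status": status,
        "status_name": NTSTATUS_NAMES.get(status, "UNKNOWN_NTSTATUS"),
        "reserved": reserved,
        "flags": flags,
    }


def explain_krb_error(error_code: int, edata_hex: Optional[str] = None) -> dict:
    """Combine the Kerberos error_code with the decoded e-data into a triage record."""
    result = {
        "error_code": error_code,
        "error_name": KRB_ERROR_CODES.get(error_code, "UNKNOWN_KRB_ERROR"),
        "ntstatus": None,
        "ntstatus_name": None,
        "likely_cause": "no extended error data present",
    }
    if edata_hex:
        ext = decode_kerb_ext_error(edata_hex)
        result["ntstatus"] = ext["status"]
        result["ntstatus_name"] = ext["status_name"]
        result["likely_cause"] = LIKELY_CAUSES.get(
            ext["status"], "see NTSTATUS; no specific guidance in this table"
        )
    return result


if __name__ == "__main__":
    # Constructed from the capture in the post: error_code 12, e-data value as shown.
    verdict = explain_krb_error(12, "130400C00000000003000000")
    for key, value in verdict.items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```

Run as-is and it prints `KDC_ERR_POLICY` with NTSTATUS 0xC0000413, which is why the KDC refuses the `HTTP/` service ticket: the TGS policy check fails before any key material is involved, so the client silently falls back to NTLM. The check a resource-domain admin would make is the ACL on the computer object hosting the service (and, for delegation scenarios, on the service account), confirming the trusted-domain users or group have the "Allowed to Authenticate" right.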

Mike Shepperd

Have you enabled Kerberos Logging?

It would also be good to see the previous packet from the client to the
server. The whole conversation would be ideal, but I can understand not
posting that info on the net...

If you're stuck beyond what can be done on the newsgroups (I'm pretty
experienced in troubleshooting Kerb issues, but not an expert), I've got a
consultant on my team who is a Kerberos expert and could probably get it
resolved pretty quickly.

Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

"This posting is provided "AS IS" with no warranties, and confers no