Keberos is not working when "selective authentication" on the forest trust is enabled


R

Roger

Hello

When we use "selective authentication" on the one-way forest trust,
kerberos is not working, only NTLM. When we deselect "selective
authentication" on the forest trust, kerberos works fine to access
ressources in the ressouce domain.


For security reasons we need "selective authentication" on the trust
and we want kerberos as the authentication protocol.


(The Domains are in W2K3 mode, serviceprincipalnames for the accounts
are created)


With "selective authentication" enabled we receive the following error
from a DC in the resource Domain:


No. Time Source Destination
Protocol Info
53 3.896470 159.29.17.56 159.29.193.212 KRB5
KRB Error: KRB5KDC_ERR_POLICY


Frame 53 (196 bytes on wire, 196 bytes captured)
Ethernet II, Src: Cisco_f2:6c:f0 (00:d0:bc:f2:6c:f0), Dst:
CompaqCo_dc:b2:4b (00:08:02:dc:b2:4b)
Internet Protocol, Src: XXX.29.17.56 (159.29.17.56), Dst:
XXX.29.193.212 (XXX.29.193.212)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 1853
(1853), Seq: 1, Ack: 1740, Len: 142
Kerberos KRB-ERROR
Record Mark: 138 bytes
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2006-10-27 09:54:51 (Z)
susec: 940079
error_code: KRB5KDC_ERR_POLICY (12)
Realm: SERVICES.XXX.YY
Server Name (Service and Instance): HTTP/personal.services.XXX.YY
Name-type: Service and Instance (2)
Name: HTTP
Name: personal.services.XXX.YY
e-data PA-PW-SALT
Type: PA-PW-SALT (3)
Value: 130400C00000000003000000
NT Status: Unknown (0xc0000413)
Unknown: 0x00000000
Unknown: 0x00000003


Does anyone have an idea?


Greetings Roger
 
Ad

Advertisements

M

Mike Shepperd

Have you enabled Kerberos Logging?
http://support.microsoft.com/kb/262177

It would also be good to see the previous packet from the client to the
server. The whole conversation would be ideal, but I can understand not
posting that info on the net...

If you're stuck beyond what can be done on the newsgroups (I'm pretty
experienced in troubleshooting Kerb issues, but not an expert), I've got a
consultant on my team who is a Kerberos expert and could probably get it
resolved pretty quickly.

--
Mike Shepperd
Sunfire Solutions LLC
Seattle, WA

**********************************************************
"This posting is provided "AS IS" with no warranties, and confers no
rights."
**********************************************************
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top