Title: Kerberos question
There are tools to monitor Kerberos conversations (capture), but I think you're likely better off using success/failure audit logging to see what's going on, what's being attempted and where authentication is failing.
 
I think the following is most likely to be helpful http://support.microsoft.com/default.aspx?kbid=326985 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

Question: is there a utility that would use Kerberos to log in (kind of like a test login utility)?

We are not experiencing any problem with logins anywhere (except as mentioned). This is the first non-Windows application we are deploying that uses Kerberos (outside of Windows). It does recognize a bad password as a bad password, but throws an error when the correct password is given:

 

ERROR(1006)
An error occurred in WebCT authorization.

 

 

Rick Gasper
Manager, Network Services
King's College
133 N. River St
Wilkes-Barre PA  18711
PH: 570-208-5845
Fax: 570-208-6072
Cell: 570-760-0335
[EMAIL PROTECTED]


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 2:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

 

So that leads to the next question then: do you have a problem going on?  If so, can you give some details?

 

Al

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 11:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

The application is called WebCT. www.webct.com. It is a distance learning app that runs off a web server. Their documentation is somewhat lacking, and their support is not really that good.

I do have everything set up as they request, so I was thinking that my problem is on my end.

I do have a support call scheduled with them later today. I wanted to try to rule out an AD problem.

 

Thanks

 

 

Rick Gasper


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 10:44 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

 

Sorry Rick.  Thread overlap. :)

 

Whether or not you need to make a change depends on the application. For example, if they use the operating system to handle the authentication calls, then it should work fine, right? If they do something else, they should have documented it and should tell you what is needed. What is the application saying they need to do? Which application is it, out of curiosity?

 

Al

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 10:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

I think we have a miscom here: I have no 5.5 server -- I assume that you mean Exchange 5.5 (we are all ex2k3).

 

More details:

 

I have an app that runs on a win2k3 that uses either LDAP or Kerberos to authenticate its users against our 2003 Active Directory. The app server is part of our domain but the app that runs on it is a third party app that says it can authenticate using Kerberos or LDAP.

My question is: Do I need to do anything to our domain controller to allow the app to talk to the domain controller?

 

Thanks,

Rick Gasper


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

 

Before going any further, how about trying to get the information from a 5.5 server locally using the admin utility?

 

The goal of looking there is to isolate whether the problem is on the 5.5 side or if the problem is elsewhere; just need to rule out there's a problem with the 5.5 admin :)

 

Al

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

It is also Windows 2003, but the software is a web app (WebCT). I am confused as to whether the OS is doing the authentication or the app is.

 

 

 

Rick Gasper


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Thursday, August 05, 2004 9:08 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Kerberos question

 

What OS is the remote system and how is it connected?

 

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gasper, Rick
Sent: Thursday, August 05, 2004 9:04 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Kerberos question

 

Quick question:
I have a remote system that needs to authenticate to our 2003 DCs. I have the choices of Kerberos and LDAP. I would prefer to use Kerberos for security reasons, but I do not know if I need to do anything on the DC server in order to make this work.

Does anyone have a place they could point me to? I have the Kerberos troubleshooting guide and am working through this.

Thanks

Rick Gasper
