Hi,
 
As far as I know, clients and servers that can talk Kerberos will talk Kerberos. NTLM will only be used if the client or the server cannot use Kerberos.
 
Are there other errors in the event log? (MRXSmb messages...)
 

0x29 (KRB_AP_ERR_MODIFIED) "Message stream modified"

This indicates that the server was unable to decrypt the ticket sent by a client, meaning that the server does not know the secret key used to encrypt the ticket, or the client got the ticket from a KDC that did not know the server's key. This can be tested by determining if the server can obtain a ticket to itself, or if anybody else can locate the server. The secure channel used by NTLM is also an indicator of the validity of the password on local machine accounts.

Try connecting to some share on that server to test connectivity, and also try to connect from that server to some other server to test connectivity.

Cheers

Jorge


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Manjeet
Sent: Monday 14 February 2005 10:41
To: activedir@mail.activedir.org
Subject: [ActiveDir] Authentication issue with Outlook 2003

Outlook 2003 (running on a user's desktop) fails to authenticate with Exchange 2003 (after restarting Outlook). The user logon dialog comes up and, despite putting in correct credentials, it cannot connect to Exchange.
 
My Exchange is failing to do the Kerberos authentication with Outlook clients. Incidentally, Outlook 2003 is the first OL client which uses Kerberos (if available). Also, Exchange 2003 is the first Exchange which uses Kerberos for client authentication. All other combinations (of OL and Exchg) always use NTLM. My Exchange has no problems authenticating over NTLM.
 
Even Outlook 2003, when forced to use NTLM, succeeds in authenticating to Exchange. On enabling extended Kerberos logging on the client machine, the exact error received is: (The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/aca-beta1-03.ca-beta-03.test.com. The target name used was exchangeRFR/PROD-BETA1-03.prod-beta-03.test.com. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (CA-BETA-03.test.COM), and the client realm. Please contact your system administrator.).
 
Can I somehow force my Outlook clients to use NTLM?
 
Thanks for your valuable response.
 
Manjeet
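
An added example, not part of the original thread: a small Python triage helper that parses the KRB_AP_ERR_MODIFIED text quoted above and reports whether the host that answered matches the host and domain in the requested target name. The function names, finding labels and the second sample event are constructed for illustration, and it assumes the realm name equals the DNS domain name.

```python
import re

# Layout of the Kerberos client error text as quoted in the message above.
EVENT_RE = re.compile(
    r"received a (?P<code>KRB_AP_ERR_\w+) error from the server\s+"
    r"(?P<server>\S+?)\.\s+The target name used was\s+(?P<target>\S+?)\.(?:\s|$)",
    re.IGNORECASE)
REALM_RE = re.compile(r"target realm \((?P<realm>[^)]+)\)", re.IGNORECASE)

def split_principal(name):
    """'service/host.dns.domain' -> (service, host, dns_domain), lower-cased."""
    service, sep, fqdn = name.partition("/")
    if not sep:                      # bare host name without a service class
        service, fqdn = "", name
    host, _, domain = fqdn.lower().partition(".")
    return service.lower(), host, domain

def analyse(event_text):
    """Return parsed names plus mismatch findings, or None for other events."""
    m = EVENT_RE.search(event_text)
    if m is None:
        return None
    _, s_host, s_dom = split_principal(m["server"])
    _, t_host, t_dom = split_principal(m["target"])
    realm = REALM_RE.search(event_text)
    findings = []
    if s_host != t_host:             # answering host is not the host in the SPN
        findings.append("responder-host-differs-from-target-host")
    if s_dom != t_dom:
        findings.append("responder-domain-differs-from-target-domain")
    # Assumption: the realm name equals the DNS domain name.
    if realm and realm["realm"].lower() != t_dom:
        findings.append("realm-differs-from-target-domain")
    return {"code": m["code"].upper(), "server": m["server"],
            "target": m["target"], "findings": findings}

# Error text copied from the message above (middle sentence omitted).
THREAD_EVENT = (
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "host/aca-beta1-03.ca-beta-03.test.com. The target name used was "
    "exchangeRFR/PROD-BETA1-03.prod-beta-03.test.com. Commonly, this is due to "
    "identically named machine accounts in the target realm (CA-BETA-03.test.COM), "
    "and the client realm.")
# Constructed sample: responder and target name the same host.
MATCHING_EVENT = (
    "The kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "host/srv01.example.test. The target name used was cifs/SRV01.example.test.")

if __name__ == "__main__":
    for text in (THREAD_EVENT, MATCHING_EVENT):
        print(analyse(text))
```

An empty findings list means the names agree, which leaves the machine account password and secure channel checks from the reply as the next thing to test; a non-empty list points at name resolution or at which account holds the target name.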

