Markus Moeller wrote:
Check also the kvno (key version number). 2000 doesn't increment it, whereas 2003 does, so you can get different kvnos from 2000 and 2003 KDCs. But there is a patch from MS which allows you to configure 2003 to act like a 2000 KDC wrt kvnos.

If you have the MIT KfW or Unix, try the kvno utility to get a service ticket,
and see what kvno the KDC returns. Then make sure the keytab file has the key
with that kvno.



Regards
Markus

"amol dixit" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

Hi,
I have Windows 2k and 2k3 (SP1) AD servers in a
domain, and if I set the 2k server as the
OperationsMaster->PDC (aka. PDC Emulator), then
DES_CBC_MD5 key generated using the SPN (and
corresponding Salt) fails to authenticate on 2k3
server. It automatically forwards the kerberos ticket
request (AS_REQ) to the PDC Emulator (which is the 2k
server), which in turn authenticates the SPN using the
same key. Also, kinit can get a ticket from 2k3 for
the same account without forwarding to PDC.
I am at a loss to explain how come the same kerberos
DES key works on 2k but not on 2k3, even though the
account is created on 2k3 AD.
Interestingly, if I make the 2k3 server as PDC master,
it will authenticate using the same key and not
forward the request to the 2k server anymore.
PDC emulators are for legacy Windows clients, I don't
see what role it plays here.
Any ideas, please let me know.
TIA,
Amol




________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos








--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444