Markus:

Miguel's problem is that his Unix KDC does not support TCP connections.

Jeffrey Altman

Markus Moeller wrote:
> Miguel,
>
> I use an XP SP2 client and can't recreate your problem. I have
>
> AD <-transitive trust->MIT
> |
> XPSP2
>
> I login to my XP box with a Windows id with 25 groups. Use Vintella Putty
> to login to a Unix server which is registered on the MIT kdc and I can login
> straight away. Is that your setup or do you login to a client which is part
> of your child domain ?
>
> Thank you
> Markus
>
> "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> Ok I narrowed the problem.
>> It seems that whenever the user has more than 20 groups, SSO on XP2
>> won't work. Below 20 groups it works OK. In XP1 there is no problem on
>> the amount of group memberships. I assume that the Cross Realm Object
>> needs the NO_AUTH_REQUIRED field set in userAccountControl. However
>> the DNS admin reports that he gets "Access Denied" when trying to edit
>> that field of the Cross Realm object...
>>
>> On 31 jul, 23:24, "Markus Moeller" <[EMAIL PROTECTED]> wrote:
>>> Can you add the SPN with REALM into the SPN field under ssh->GSSAPI e.g.
>>>
>>> host/[EMAIL PROTECTED]
>>>
>>> I think Vintella is adding the default domain otherwise. Not sure if that is
>>> a bug or if I missed configuration setting.
>>>
>>> Markus
>>>
>>> "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message
>>> news:[EMAIL PROTECTED]
>>>> I see that I receive the cross realm ticket.
>>>> However I don't receive any service ticket!
>>>> On 30 jul, 21:53, "Markus Moeller" <[EMAIL PROTECTED]> wrote:
>>>>> Can you use kerbtray to see if you get the service principal ?
>>>>> Markus
>>>>> "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message
>>>>> news:[EMAIL PROTECTED]
>>>>>> Markus, I already tried editing that setting but no luck either...
>>>>>> Every time I think I am done with this setup, there is a new issue...
>>>>>> However, the SSO from the Linux clients to the UNIX KDCs worked
>>>>>> instantly!
>>>>>> On 30 jul, 20:52, "Markus Moeller" <[EMAIL PROTECTED]> wrote:
>>>>>>> You might need this:
>>>>>>> "This new feature has been seen in Windows 2003 Server, Windows 2000 Server
>>>>>>> SP4, and Windows XP SP2. We assume that it will be implemented in all
>>>>>>> future Microsoft operating systems supporting the Kerberos SSPI. Microsoft
>>>>>>> does work closely with MIT and has provided a registry key to disable this
>>>>>>> new feature.
>>>>>>> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
>>>>>>> AllowTGTSessionKey = 0x01 (DWORD)
>>>>>>> On Windows XP SP2 the key is specified as
>>>>>>> HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos
>>>>>>> AllowTGTSessionKey = 0x01 (DWORD)"
>>>>>>> as described here
>>>>>>> http://web.mit.edu/kerberos/kfw-2.6/kfw-2.6.5/relnotes.html#mslsa
>>>>>>> Regards
>>>>>>> Markus
>>>>>>> "Miguel Sanders" <[EMAIL PROTECTED]> wrote in message
>>>>>>> news:[EMAIL PROTECTED]
>>>>>>>> Dear all
>>>>>>>> I don't know whether or not I should post this here or in
>>>>>>>> microsoft.xp.client but I will do both.
>>>>>>>> After successfully implementing a cross realm trust between AD and a
>>>>>>>> UNIX realm, it seems that the clients that use SP1 can successfully
>>>>>>>> have SSO to the UNIX machine whereas the SP2 people can't. Can anyone
>>>>>>>> help me out, since I am not a Windows expert :-)
>>>>>>>> The tool I use for SSO on the Windows clients is Vintella Putty 0.60
>>>>>>>> q1.129.
>>>>>>>> Kind regards
>>>>>>>> Miguel
>>>>>>>> ________________________________________________
>>>>>>>> Kerberos mailing list [EMAIL PROTECTED]
>>>>>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos