We have a problem which sounds related to, but different from, that described in thread http://marc.info/?l=kerberos&m=126927485320222&w=2 and addressed by http://support.microsoft.com/?kbid=978055
We use Kerberos authentication against AD for controlling access to web resources using Shibboleth (Java IdP, Tomcat, Apache, CentOS 5.2).

Initial problem was that one account was intermittently failing authorisation after changing password. This happened to be my account, so after deciding that it wasn't just poor typing we investigated further.

We have five AD servers; four running 2008 and one still running 2003. Resetting the password for the test account (always to the same password) and then using a script with webisoget to log in, we found the following:

1. Resetting password on the 2003 AD server gave 100% success.
2. Resetting on any of the 2008 AD servers results in roughly 20% success (i.e. login failed 4 times out of 5).

This implies that auth works when talking to the 2003 server but not the 2008 servers. [A straightforward kinit works 100% in both cases.]

This seems counter to the notes attached to 978055, which suggest that the problem goes away when the password is reset on 2008.

We're not getting reports of user problems (but that could just mean that no one ever changes their password). We're scheduled to upgrade the last 2003 AD server to 2008 in a couple of weeks. My hope is that this will make the problem go away rather than moving to 100% failure (but I'd like something a bit more than hope).

Has anyone seen this before and come out the other end? We've tried tweaking enctype settings on the IdP side. What we might do next week is set up a test AD domain and experiment on that (though our Windows admins point out that our production domain started out as 2000, so a fresh install of 2003+2008 may not give identical results).

Paul

-- 
Paul Haldane
Information Systems and Services
Newcastle University

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
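The measurement described in the post (reset the test account's password on one DC, then repeat the web login and count successes, with a plain kinit as the control) is easy to get wrong by hand, so here is an added harness for it. This is example code written for this page, not the poster's script: the names `RESET_CMD`, `WEB_LOGIN_CMD`, `KINIT_CMD` and `REPLICATION_WAIT` are assumed placeholders for whatever your AD admins and your webisoget setup actually use, and the DC names in the usage comment are constructed.

```sh
#!/bin/sh
# Added example, not the poster's script. Repeats the post's test in a controlled way:
# reset the test account's password on a named DC, wait for replication, then run the
# web login N times and a kinit N times and report both success rates side by side.
#
# Assumed placeholders (not from the post), each expected to exit 0 on success:
#   RESET_CMD      - command that resets the test account's password; receives the DC name
#   WEB_LOGIN_CMD  - the webisoget-based login check against the IdP
#   KINIT_CMD      - the control, e.g. 'kinit -k -t test.keytab testuser' (assumed)
#   REPLICATION_WAIT - seconds to wait after the reset before testing (default 30)

# run_trials ATTEMPTS COMMAND: run COMMAND ATTEMPTS times, print "successes/attempts".
run_trials() {
    attempts=$1
    cmd=$2
    ok=0
    i=0
    while [ "$i" -lt "$attempts" ]; do
        if sh -c "$cmd" >/dev/null 2>&1; then
            ok=$((ok + 1))
        fi
        i=$((i + 1))
    done
    echo "$ok/$attempts"
}

# success_percent "ok/attempts": integer percentage of successful trials.
success_percent() {
    ok=${1%/*}
    attempts=${1#*/}
    echo $(( ok * 100 / attempts ))
}

# verdict PERCENT: classify a run so results from different DCs compare at a glance.
verdict() {
    if [ "$1" -ge 100 ]; then
        echo "OK"
    elif [ "$1" -le 0 ]; then
        echo "ALWAYS-FAILS"
    else
        echo "INTERMITTENT"
    fi
}

# test_dc DC ATTEMPTS: reset on DC, pause for replication, measure web login and kinit.
test_dc() {
    dc=$1
    attempts=$2
    if [ -z "$RESET_CMD" ]; then
        echo "$dc: RESET_CMD not set, skipping" >&2
        return 1
    fi
    if ! sh -c "$RESET_CMD $dc" >/dev/null 2>&1; then
        echo "$dc: password reset failed" >&2
        return 1
    fi
    sleep "${REPLICATION_WAIT:-30}"
    web=$(run_trials "$attempts" "${WEB_LOGIN_CMD:-false}")
    ctl=$(run_trials "$attempts" "${KINIT_CMD:-false}")
    pct=$(success_percent "$web")
    echo "$dc: web=$web ($(verdict "$pct")) kinit=$ctl"
}

# Usage (DC names are constructed examples; ten attempts each so a 1-in-5 pattern shows up):
#   RESET_CMD='./reset-test-account.sh' WEB_LOGIN_CMD='./webisoget-login.sh' \
#   KINIT_CMD='kinit -k -t test.keytab testuser' sh harness.sh
# and at the bottom of your copy of this file:
#   for dc in dc-2003 dc-2008a dc-2008b dc-2008c dc-2008d; do test_dc "$dc" 10; done
```

Running the same number of attempts against every DC, and printing the kinit control next to the web result, makes the post's "20% on 2008, 100% on 2003, kinit fine everywhere" pattern something you can reproduce and hand to the AD admins rather than describe from memory.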
