Re: [ActiveDir] w2k sp4 Kerberos changes?
Al Lilianstrom wrote:
> Steve Linehan wrote:
>> Unfortunately additional logging for the KDC in Windows 2000 is thin. This was added in Windows Server 2003 but we are not there. I really believe that we are not getting to the Windows 2000 KDC anyway, i.e. the client is handed back the referral and then failing to resolve the name. In the referral I assume it is just passing back the generic FQDN for the Windows 2000 domain and the client is querying for that A record and getting back a list of all DCs in that domain. Can you use nslookup to get a list of DCs and then ensure that they are all reachable from the clients perspective? This is assuming that you are getting the same error as before.
>
> Same error but some new information. It turns out that one of the other domain admins rebooted one of the root DCs (in WIN) around 7:00am. The scheduled updates from the MIT side worked for a period of time. Once they started failing we rebooted that same dc and updates started working again.
>
> I didn't mention that we have an empty root (WIN) with the users and computers in a child domain (FERMI). The MIT realm trust is to WIN. I also just found out that a Fermi DC was patched and booted before a Win DC was up (another UNIX/AD application that had to be up ASAP) so we're thinking the trust isn't stable.
>
> We're rebooting the other root dc and then we're going to reboot the child DCs that the Unix app talks to and see what happens.

The reboot of the parent DCs followed by a reboot of all the child DCs resolved the problem. In retrospect it makes sense but some kind of error or warning somewhere in a Windows event log would have been nice.

Thanks again for all the advice.

al

>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>> Sent: Friday, August 19, 2005 11:01 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?
>>
>> Steve Linehan wrote:
>>> A network trace from the server getting the error would be helpful. I imagine you are not getting past the MIT KDC who should be passing back a referral to the Windows KDC. With a trace from the client we can see what is being requested and what errors are returned.
>>
>> I'm trying to arrange that but the system initiating the query to AD is in a different division and is not always easy to work with.
>>
>> A check of our MIT KDC logs looked ok. We see the initial request to the MIT KDC, another for pre-auth, and then the forwarding to AD. Is there a way to see something similar to a MIT KDC log in AD? I've looked for a way to see who is getting tickets and when but have never found it.
>>
>> al
>>
>>> Thanks,
>>>
>>> -Steve
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>>> Sent: Friday, August 19, 2005 10:28 AM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?
>>>
>>> Al Lilianstrom wrote:
>>>> Thanks for all the advice.
>>>>
>>>> Checked our srv records and they returned all the DCs. It was resolvable from our MIT/Unix systems.
>>>>
>>>> The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything.
>>>
>>> And strangely enough - 2 hours later they started failing again. This is very weird. The Windows event logs are of no help.
>>>
>>> Any other ideas?
>>>
>>> al
>>>
>>>> Steve Linehan wrote:
>>>>> I should clarify that I would not expect the MIT KDCs to be using the SRV records however we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Steve
>>>>>
>>>>> -Original Message-
>>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>>>>> Sent: Thursday, August 18, 2005 10:48 PM
>>>>> To: ActiveDir@mail.activedir.org
>>>>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>>>>
>>>>> Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Steve
>>>>>
>>>>> -Original Message-
>>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>>>>> Sent: Thursday, August 18, 2005 10:37 PM
>>>>> To: ActiveDir@mail.activedir.org
>>>>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>>>>
>>>>> I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Steve
>>>>>
>>>>> -Original Message-
>>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>>>>> Sent: Thursday, August 18, 2005 10:04 PM
>>>>> To: ActiveDir@mail.activedir.org
>>>>> Subject: [ActiveDir] w2k sp4 Kerberos
Re: [ActiveDir] w2k sp4 Kerberos changes?
Steve Linehan wrote:
> Unfortunately additional logging for the KDC in Windows 2000 is thin. This was added in Windows Server 2003 but we are not there. I really believe that we are not getting to the Windows 2000 KDC anyway, i.e. the client is handed back the referral and then failing to resolve the name. In the referral I assume it is just passing back the generic FQDN for the Windows 2000 domain and the client is querying for that A record and getting back a list of all DCs in that domain. Can you use nslookup to get a list of DCs and then ensure that they are all reachable from the clients perspective? This is assuming that you are getting the same error as before.

Same error but some new information. It turns out that one of the other domain admins rebooted one of the root DCs (in WIN) around 7:00am. The scheduled updates from the MIT side worked for a period of time. Once they started failing we rebooted that same dc and updates started working again.

I didn't mention that we have an empty root (WIN) with the users and computers in a child domain (FERMI). The MIT realm trust is to WIN. I also just found out that a Fermi DC was patched and booted before a Win DC was up (another UNIX/AD application that had to be up ASAP) so we're thinking the trust isn't stable.

We're rebooting the other root dc and then we're going to reboot the child DCs that the Unix app talks to and see what happens.

al

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
> Sent: Friday, August 19, 2005 11:01 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?
>
> Steve Linehan wrote:
>> A network trace from the server getting the error would be helpful. I imagine you are not getting past the MIT KDC who should be passing back a referral to the Windows KDC. With a trace from the client we can see what is being requested and what errors are returned.
>
> I'm trying to arrange that but the system initiating the query to AD is in a different division and is not always easy to work with.
>
> A check of our MIT KDC logs looked ok. We see the initial request to the MIT KDC, another for pre-auth, and then the forwarding to AD. Is there a way to see something similar to a MIT KDC log in AD? I've looked for a way to see who is getting tickets and when but have never found it.
>
> al
>
>> Thanks,
>>
>> -Steve
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>> Sent: Friday, August 19, 2005 10:28 AM
>> To: ActiveDir@mail.activedir.org
>> Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?
>>
>> Al Lilianstrom wrote:
>>> Thanks for all the advice.
>>>
>>> Checked our srv records and they returned all the DCs. It was resolvable from our MIT/Unix systems.
>>>
>>> The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything.
>>
>> And strangely enough - 2 hours later they started failing again. This is very weird. The Windows event logs are of no help.
>>
>> Any other ideas?
>>
>> al
>>
>>> Steve Linehan wrote:
>>>> I should clarify that I would not expect the MIT KDCs to be using the SRV records however we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.
>>>>
>>>> Thanks,
>>>>
>>>> -Steve
>>>>
>>>> -Original Message-
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>>>> Sent: Thursday, August 18, 2005 10:48 PM
>>>> To: ActiveDir@mail.activedir.org
>>>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>>>
>>>> Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.
>>>>
>>>> Thanks,
>>>>
>>>> -Steve
>>>>
>>>> -Original Message-
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>>>> Sent: Thursday, August 18, 2005 10:37 PM
>>>> To: ActiveDir@mail.activedir.org
>>>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>>>
>>>> I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?
>>>>
>>>> Thanks,
>>>>
>>>> -Steve
>>>>
>>>> -Original Message-
>>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>>>> Sent: Thursday, August 18, 2005 10:04 PM
>>>> To: ActiveDir@mail.activedir.org
>>>> Subject: [ActiveDir] w2k sp4 Kerberos changes?
>>>>
>>>> Hi,
>>>>
>>>> We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix based application
RE: [ActiveDir] w2k sp4 Kerberos changes?
Unfortunately additional logging for the KDC in Windows 2000 is thin. This was added in Windows Server 2003 but we are not there. I really believe that we are not getting to the Windows 2000 KDC anyway, i.e. the client is handed back the referral and then failing to resolve the name. In the referral I assume it is just passing back the generic FQDN for the Windows 2000 domain and the client is querying for that A record and getting back a list of all DCs in that domain. Can you use nslookup to get a list of DCs and then ensure that they are all reachable from the clients perspective? This is assuming that you are getting the same error as before.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, August 19, 2005 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?

Steve Linehan wrote:
> A network trace from the server getting the error would be helpful. I imagine you are not getting past the MIT KDC who should be passing back a referral to the Windows KDC. With a trace from the client we can see what is being requested and what errors are returned.

I'm trying to arrange that but the system initiating the query to AD is in a different division and is not always easy to work with.

A check of our MIT KDC logs looked ok. We see the initial request to the MIT KDC, another for pre-auth, and then the forwarding to AD. Is there a way to see something similar to a MIT KDC log in AD? I've looked for a way to see who is getting tickets and when but have never found it.

al

> Thanks,
>
> -Steve
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
> Sent: Friday, August 19, 2005 10:28 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?
>
> Al Lilianstrom wrote:
>> Thanks for all the advice.
>>
>> Checked our srv records and they returned all the DCs. It was resolvable from our MIT/Unix systems.
>>
>> The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything.
>
> And strangely enough - 2 hours later they started failing again. This is very weird. The Windows event logs are of no help.
>
> Any other ideas?
>
> al
>
>> Steve Linehan wrote:
>>> I should clarify that I would not expect the MIT KDCs to be using the SRV records however we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.
>>>
>>> Thanks,
>>>
>>> -Steve
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>>> Sent: Thursday, August 18, 2005 10:48 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>>
>>> Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.
>>>
>>> Thanks,
>>>
>>> -Steve
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>>> Sent: Thursday, August 18, 2005 10:37 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>>
>>> I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?
>>>
>>> Thanks,
>>>
>>> -Steve
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>>> Sent: Thursday, August 18, 2005 10:04 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: [ActiveDir] w2k sp4 Kerberos changes?
>>>
>>> Hi,
>>>
>>> We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our bor
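The check Steve proposes in the message above (pull the list of DCs out of DNS, then confirm every one of them is reachable from the Unix client) written out as a script. This is an added example, not code from the thread or from either poster. It assumes dig, awk, sort and nc are installed on the Unix host and that the AD realm publishes _kerberos._tcp SRV records; WIN.EXAMPLE.COM and the dcN.win.example.com hosts are placeholder names, and the SRV answer used in the usage note is constructed, not a real lookup.

```shell
#!/bin/sh
# check_kdc.sh - find the KDCs a MIT client will be referred to for an AD
# realm and test that each one can actually be reached from this host.
#
# Assumptions (not from the thread): dig, awk, sort and nc are available;
# the realm registers _kerberos._tcp SRV records in DNS; WIN.EXAMPLE.COM
# is a placeholder realm name.

# Parse `dig +short SRV` answers ("priority weight port target.") from
# stdin and print "target port", lowest priority first and highest weight
# first within a priority, with the trailing dot stripped from the target.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $3, $4 }' \
        | sort -k1,1n -k2,2nr \
        | awk '{ print $4, $3 }'
}

# Read "host port" pairs from stdin and attempt a TCP connect to each.
# A DC that is in DNS but not reachable is what the client reports as
# "Cannot resolve KDC for requested realm". Returns 1 if any KDC failed.
check_kdcs() {
    failed=0
    while read -r host port; do
        if nc -z -w 3 "$host" "$port" 2>/dev/null; then
            echo "OK   $host:$port"
        else
            echo "FAIL $host:$port"
            failed=1
        fi
    done
    return $failed
}

# Emit a krb5.conf [realms] stanza that pins the discovered KDCs, so the
# client no longer depends on a DNS lookup at the moment it follows the
# cross-realm referral from the MIT KDC.
realm_stanza() {
    stanza_realm=$1
    echo "[realms]"
    echo "    $stanza_realm = {"
    while read -r host port; do
        echo "        kdc = $host:$port"
    done
    echo "    }"
}

# Usage: sh check_kdc.sh WIN.EXAMPLE.COM
# With no realm argument nothing runs, so the functions can be sourced.
if [ -n "${1:-}" ]; then
    realm=$1
    srv="_kerberos._tcp.$realm"
    echo "# SRV records for $srv"
    kdcs=$(dig +short SRV "$srv" | parse_srv)
    if [ -z "$kdcs" ]; then
        echo "no SRV records for $srv: check that the DCs registered them in DNS" >&2
        exit 2
    fi
    echo "$kdcs" | check_kdcs
    echo "$kdcs" | realm_stanza "$realm"
fi
```

Run it once for the realm the MIT trust points at (WIN in the thread) and once for the child realm the application actually talks to (FERMI), since the referral chain passes through both. Two caveats: nc tests TCP 88 only, and a MIT client tries UDP 88 first by default, so a passing TCP check proves the host is up but not that UDP is open end to end; and pinning kdc entries in krb5.conf trades DNS dependence for a list you must update whenever DCs are added or retired.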
Re: [ActiveDir] w2k sp4 Kerberos changes?
Steve Linehan wrote:
> A network trace from the server getting the error would be helpful. I imagine you are not getting past the MIT KDC who should be passing back a referral to the Windows KDC. With a trace from the client we can see what is being requested and what errors are returned.

I'm trying to arrange that but the system initiating the query to AD is in a different division and is not always easy to work with.

A check of our MIT KDC logs looked ok. We see the initial request to the MIT KDC, another for pre-auth, and then the forwarding to AD. Is there a way to see something similar to a MIT KDC log in AD? I've looked for a way to see who is getting tickets and when but have never found it.

al

> Thanks,
>
> -Steve
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
> Sent: Friday, August 19, 2005 10:28 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?
>
> Al Lilianstrom wrote:
>> Thanks for all the advice.
>>
>> Checked our srv records and they returned all the DCs. It was resolvable from our MIT/Unix systems.
>>
>> The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything.
>
> And strangely enough - 2 hours later they started failing again. This is very weird. The Windows event logs are of no help.
>
> Any other ideas?
>
> al
>
>> Steve Linehan wrote:
>>> I should clarify that I would not expect the MIT KDCs to be using the SRV records however we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.
>>>
>>> Thanks,
>>>
>>> -Steve
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>>> Sent: Thursday, August 18, 2005 10:48 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>>
>>> Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.
>>>
>>> Thanks,
>>>
>>> -Steve
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>>> Sent: Thursday, August 18, 2005 10:37 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>>
>>> I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?
>>>
>>> Thanks,
>>>
>>> -Steve
>>>
>>> -Original Message-
>>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>>> Sent: Thursday, August 18, 2005 10:04 PM
>>> To: ActiveDir@mail.activedir.org
>>> Subject: [ActiveDir] w2k sp4 Kerberos changes?
>>>
>>> Hi,
>>>
>>> We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing.
>>>
>>> The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)". All w2k DCs are on line and functional.
>>>
>>> The trusts to the MIT side are still there.
>>>
>>> I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.
>>>
>>> Any ideas?
>>>
>>> al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] w2k sp4 Kerberos changes?
A network trace from the server getting the error would be helpful. I imagine you are not getting past the MIT KDC who should be passing back a referral to the Windows KDC. With a trace from the client we can see what is being requested and what errors are returned.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Friday, August 19, 2005 10:28 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] w2k sp4 Kerberos changes?

Al Lilianstrom wrote:
> Thanks for all the advice.
>
> Checked our srv records and they returned all the DCs. It was resolvable from our MIT/Unix systems.
>
> The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything.

And strangely enough - 2 hours later they started failing again. This is very weird. The Windows event logs are of no help.

Any other ideas?

al

> Steve Linehan wrote:
>
>> I should clarify that I would not expect the MIT KDCs to be using the SRV records however we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.
>>
>> Thanks,
>>
>> -Steve
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>> Sent: Thursday, August 18, 2005 10:48 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>
>> Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.
>>
>> Thanks,
>>
>> -Steve
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>> Sent: Thursday, August 18, 2005 10:37 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>
>> I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?
>>
>> Thanks,
>>
>> -Steve
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>> Sent: Thursday, August 18, 2005 10:04 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir] w2k sp4 Kerberos changes?
>>
>> Hi,
>>
>> We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing.
>>
>> The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)". All w2k DCs are on line and functional.
>>
>> The trusts to the MIT side are still there.
>>
>> I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.
>>
>> Any ideas?
>>
>> al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
Re: [ActiveDir] w2k sp4 Kerberos changes?
Al Lilianstrom wrote:
> Thanks for all the advice.
>
> Checked our srv records and they returned all the DCs. It was resolvable from our MIT/Unix systems.
>
> The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything.

And strangely enough - 2 hours later they started failing again. This is very weird. The Windows event logs are of no help.

Any other ideas?

al

> Steve Linehan wrote:
>> I should clarify that I would not expect the MIT KDCs to be using the SRV records however we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.
>>
>> Thanks,
>>
>> -Steve
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>> Sent: Thursday, August 18, 2005 10:48 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>
>> Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.
>>
>> Thanks,
>>
>> -Steve
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
>> Sent: Thursday, August 18, 2005 10:37 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>>
>> I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?
>>
>> Thanks,
>>
>> -Steve
>>
>> -Original Message-
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>> Sent: Thursday, August 18, 2005 10:04 PM
>> To: ActiveDir@mail.activedir.org
>> Subject: [ActiveDir] w2k sp4 Kerberos changes?
>>
>> Hi,
>>
>> We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing.
>>
>> The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)". All w2k DCs are on line and functional.
>>
>> The trusts to the MIT side are still there.
>>
>> I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.
>>
>> Any ideas?
>>
>> al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
Re: [ActiveDir] w2k sp4 Kerberos changes?
Thanks for all the advice.

Checked our srv records and they returned all the DCs. It was resolvable from our MIT/Unix systems.

The strange part is that between 5:30 and 7:15 this morning access using MIT credentials started working. I'm searching for a reason as to why it happened but no one admits to changing anything.

al

Steve Linehan wrote:
> I should clarify that I would not expect the MIT KDCs to be using the SRV records however we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.
>
> Thanks,
>
> -Steve
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
> Sent: Thursday, August 18, 2005 10:48 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>
> Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.
>
> Thanks,
>
> -Steve
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
> Sent: Thursday, August 18, 2005 10:37 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?
>
> I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?
>
> Thanks,
>
> -Steve
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
> Sent: Thursday, August 18, 2005 10:04 PM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] w2k sp4 Kerberos changes?
>
> Hi,
>
> We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing.
>
> The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)". All w2k DCs are on line and functional.
>
> The trusts to the MIT side are still there.
>
> I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.
>
> Any ideas?
>
> al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
RE: [ActiveDir] w2k sp4 Kerberos changes?
I should clarify that I would not expect the MIT KDCs to be using the SRV records however we have seen problems where load from Windows clients, because we had limited servers actually registering SRV records, could cause anomalies.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing.

The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)". All w2k DCs are on line and functional.

The trusts to the MIT side are still there.

I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.

Any ideas?

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
RE: [ActiveDir] w2k sp4 Kerberos changes?
I understand that MS later came out with a clarification of their recommendation of “restrictAnonymous” to mitigate against 039 vuln. I think it is proper that I point this out. In the clarification, they pointed out that doing “restrictAnonymous” may break “something”.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Dir. Services / Security
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Thursday, August 18, 2005 8:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

Do you perhaps have restrictAnonymous enabled? I have first-hand knowledge of someone flipping this switch because they couldn't install 039 yet and they read the tech doc that came with 039 where it says restrictanonymous could be used to remediate the vuln IF 039 can not be installed immediately.

On a side note, I think 039 is responsible for my "exceeded 32-bits" issue. Need to find out.

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Thu 8/18/2005 8:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k based AD this morning. It was a tad hurried as one of the ms05-039 based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix based applications that used Kerberos authentication (we have a MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing.

The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)". All w2k DCs are on line and functional.

The trusts to the MIT side are still there.

I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.

Any ideas?

al

--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
RE: [ActiveDir] w2k sp4 Kerberos changes?
Actually it is possible that you are running into this issue: http://support.microsoft.com/default.aspx?scid=KB;EN-US;841395. Check to make sure that your SRV records are being registered in DNS.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Linehan
Sent: Thursday, August 18, 2005 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] w2k sp4 Kerberos changes?

I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k-based AD this morning. It was a tad hurried as one of the ms05-039-based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix-based applications that used Kerberos authentication (we have an MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing. The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)".

All w2k DCs are online and functional. The trusts to the MIT side are still there. I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.

Any ideas?

al
--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
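Steve's two checks above (can the UNIX boxes resolve the Windows KDCs, and are the SRV records registered in DNS) correspond to the lookup order an MIT Kerberos client follows before it can report "Cannot resolve KDC for requested realm". What follows is an added example, not code from this thread or from MIT krb5: a small Python emulation of that order (static kdc= entries in krb5.conf first, then _kerberos SRV records when dns_lookup_kdc is on, then an address lookup per target) run over a constructed krb5.conf and constructed DNS answers; the realm names WIN.EXAMPLE and FERMI.EXAMPLE, the host names and the addresses are placeholders.

```python
import re

# Constructed krb5.conf: FERMI.EXAMPLE lists a KDC statically, WIN.EXAMPLE relies on DNS.
KRB5_CONF = """
[libdefaults]
    dns_lookup_kdc = true
[realms]
    FERMI.EXAMPLE = {
        kdc = dc1.fermi.example:88
    }
    WIN.EXAMPLE = {
    }
"""
# Constructed DNS answers: SRV -> (priority, weight, port, target); A -> addresses.
DNS_SRV = {"_kerberos._udp.WIN.EXAMPLE": [(0, 100, 88, "dc1.win.example"),
                                          (10, 100, 88, "dc2.win.example")]}
DNS_A = {"dc1.fermi.example": ["10.1.0.11"], "dc1.win.example": ["10.0.0.11"],
         "dc2.win.example": []}  # dc2 is in SRV but its A record never got registered

def static_kdcs(conf, realm):
    """kdc= entries from the realm's [realms] stanza, in file order ([] if none)."""
    stanza = re.search(r"^\s*%s\s*=\s*\{(.*?)^\s*\}" % re.escape(realm), conf, re.S | re.M)
    return re.findall(r"^\s*kdc\s*=\s*(\S+)", stanza.group(1), re.M) if stanza else []

def srv_kdcs(realm, srv):
    """host:port targets from _kerberos SRV records, lowest priority first, deduplicated."""
    recs = srv.get("_kerberos._udp." + realm, []) + srv.get("_kerberos._tcp." + realm, [])
    ordered = sorted(recs, key=lambda r: (r[0], -r[1]))
    return list(dict.fromkeys("%s:%d" % (t, p) for _, _, p, t in ordered))

def locate_kdcs(realm, conf=KRB5_CONF, srv=DNS_SRV, a=DNS_A):
    """Resolvable KDCs as (host, port, addresses); LookupError with the libkrb5 wording if none."""
    candidates = static_kdcs(conf, realm)  # profile entries win; DNS is only a fallback
    if not candidates and re.search(r"dns_lookup_kdc\s*=\s*true", conf):
        candidates = srv_kdcs(realm, srv)
    resolved = []
    for cand in candidates:
        host, _, port = cand.partition(":")
        if a.get(host):  # a target with no A record is useless to the client
            resolved.append((host, int(port or 88), a[host]))
    if not resolved:
        raise LookupError("Cannot resolve KDC for requested realm: " + realm)
    return resolved

if __name__ == "__main__":
    print(locate_kdcs("FERMI.EXAMPLE"), locate_kdcs("WIN.EXAMPLE"))
    try:  # the thread's failure mode: no SRV records registered for the Windows realm
        locate_kdcs("WIN.EXAMPLE", srv={})
    except LookupError as err:
        print("Miscellaneous failure (%s)" % err)
```

Running it against the real zone means replacing the two constructed dictionaries with the answers from nslookup or dig for `_kerberos._udp.<realm>` and each target host, as seen from the UNIX client, not from a DC.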
RE: [ActiveDir] w2k sp4 Kerberos changes?
I am not aware of any changes in SP4 or the security patch that would cause the failure you mention below. It is normally a DNS name resolution issue that causes that error. Can you verify that the Windows KDCs can be resolved from the UNIX boxes? Would it be possible to get a network trace of the failure?

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
Sent: Thursday, August 18, 2005 10:04 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k-based AD this morning. It was a tad hurried as one of the ms05-039-based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix-based applications that used Kerberos authentication (we have an MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing. The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)".

All w2k DCs are online and functional. The trusts to the MIT side are still there. I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.

Any ideas?

al
--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
RE: [ActiveDir] w2k sp4 Kerberos changes?
Do you perhaps have restrictAnonymous enabled? I have first-hand knowledge of someone flipping this switch because they couldn't install 039 yet and they read the tech doc that came with 039 where it says restrictAnonymous could be used to remediate the vuln IF 039 cannot be installed immediately.

On a side note, I think 039 is responsible for my "exceeded 32-bits" issue. Need to find out.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Thu 8/18/2005 8:03 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] w2k sp4 Kerberos changes?

Hi,

We applied sp4 to our w2k-based AD this morning. It was a tad hurried as one of the ms05-039-based worms showed up inside our border router (laptop from home) so not everything got tested in our test domain. We noticed that Unix-based applications that used Kerberos authentication (we have an MIT Kerberos infrastructure for the Unix systems) to read and write to AD started failing. The error isn't very helpful either - "Miscellaneous failure (Cannot resolve KDC for requested realm)".

All w2k DCs are online and functional. The trusts to the MIT side are still there. I've been looking through the sp4 docs and I don't see anything obvious but I may have missed something. We also applied the ms05-042 Kerberos spoofing patch but according to the docs it doesn't change functionality without a registry change.

Any ideas?

al
--
Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]