RE: setspn persistence

2010-07-30 Thread Brian Desmond
Well I assure you it's a persistent change so you've got something modifying 
this and taking it out. You should turn on auditing of the 
servicePrincipalNames attribute and enable DS Access auditing on your DCs.

Thanks,
Brian Desmond
br...@briandesmond.com

c - 312.731.3132



-Original Message-
From: Phillip Partipilo [mailto:p...@psnet.com] 
Sent: Monday, July 26, 2010 2:31 PM
To: NT System Admin Issues
Subject: setspn persistence

I'm decommissioning some servers, and to ease the transition, since we have 
some old code that is hardcoded with old server names, I'm going through the 
motions of setting up CNAME DNS records to point any queries to the old server 
to the new server, set up the key in 
HKLM\System\CurrentControlSet\Services\lanmanserver for 
DisableStrictNameChecking to 0x1, set up the key in 
HKLM\System\CurrentControlSet\Control\Lsa for DisableLoopBackCheck to 0x1, and 
then finally used the setspn tool to add SPNs to the new replacement server so 
it will happily accept and authenticate clients that are asking for resources 
and generating Kerberos tickets for the old server name.

Problem is that the setspn additions aren't holding as persistent... Every so 
often they just disappear...  During this transition I don't want to make this 
really ugly by having a scheduled task to run a batch file every minute to add 
these SPNs, so is there a way to force these entries as persistent?

I know this is a severe hack but I'm trying to make my job easy with this 
transition, I'm stretched pretty thin these days :-(



Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107



~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~



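Brian's advice above is to treat the disappearing SPNs as a change made by something, not as setspn failing to persist, and to find that something with directory auditing. The PowerShell below is an added example of doing exactly that; it is not code from the thread. It assumes the ActiveDirectory module, domain admin rights, a Windows Server 2008 or later DC (which logs attribute changes as event 5136 under the "Directory Service Changes" subcategory), and placeholder names NEWSRV, oldsrv.corp.example and DC01 that you would replace with your own.

```powershell
# Added example, not from the thread. $NewServer, $OldName and $Dc are placeholders.
param(
    [string]$NewServer = 'NEWSRV',               # computer account that received the SPNs (placeholder)
    [string]$OldName   = 'oldsrv.corp.example',  # decommissioned name the SPNs carry (placeholder)
    [string]$Dc        = 'DC01'                  # DC whose Security log is searched (placeholder)
)
Import-Module ActiveDirectory

# 1. Compare what the object holds now with the SPNs you added, so a disappearance is caught early.
$expected = @("HOST/$OldName", "HOST/$($OldName.Split('.')[0])")
$computer = Get-ADComputer -Identity $NewServer -Properties servicePrincipalName
$missing  = $expected | Where-Object { $computer.servicePrincipalName -notcontains $_ }
if ($missing) { Write-Warning "SPNs missing from ${NewServer}: $($missing -join ', ')" }
else          { Write-Host "All expected SPNs present on $NewServer" }

# 2. Enable the audit subcategory that produces event 5136 (object modified) on the DC.
Invoke-Command -ComputerName $Dc -ScriptBlock {
    auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
}

# 3. Put a SACL entry on the computer object so writes to servicePrincipalName in particular
#    are audited. The attribute's schemaIDGUID is read from the schema instead of hard-coded.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr     = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID
$attrGuid = [guid]$attr.schemaIDGUID
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    (New-Object System.Security.Principal.NTAccount('Everyone')),
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $attrGuid)
$acl = Get-Acl -Path "AD:\$($computer.DistinguishedName)" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$($computer.DistinguishedName)" -AclObject $acl

# 4. Once the SPNs vanish again: list every servicePrincipalName change on this object,
#    with the account that made it. OperationType %%14674 = value added, %%14675 = value deleted.
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue
foreach ($ev in $events) {
    $data = @{}
    ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data.AttributeLDAPDisplayName -ne 'servicePrincipalName') { continue }
    if ($data.ObjectDN -ne $computer.DistinguishedName) { continue }
    $op = if ($data.OperationType -eq '%%14675') { 'DELETED' } else { 'added' }
    '{0} {1} {2} by {3}\{4}' -f $ev.TimeCreated, $op, $data.AttributeValue, $data.SubjectDomainName, $data.SubjectUserName
}
```

The subject account in the 5136 record is the useful part: if it is the computer account of the server itself (or of a DC), the values are being rewritten by the machine's own SPN maintenance rather than by an administrator, which is the situation Richard and Greg describe further down the thread. On Windows Server 2003 DCs the same information comes from the older "Directory Service Access" category as event 566 instead of 5136, so adjust the event id there.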



RE: setspn persistence

2010-07-26 Thread greg.sweers
Richard,

That is exactly what we had to do for a migration to make Kerberos work and 
stay working for 3 months while the vendor upgraded some software code.  Worked 
great.

Its primary use is for renaming domain controllers; during the process netdom 
will copy the old name of the server into this additional DNS field.

Disabling strict name checking and using this "hack" works as well to allow 
Kerberos to continue to function, and when the SPNs are rewritten, voilà, they 
both stay.

Greg

From: Richard Stovall [mailto:rich...@gmail.com]
Sent: Monday, July 26, 2010 4:36 PM
To: NT System Admin Issues
Subject: Re: setspn persistence

Your machine wouldn't happen to be a domain controller, would it?

See the last 4 comments to a very interesting article.

http://blogs.technet.com/b/askds/archive/2008/05/29/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx

On Mon, Jul 26, 2010 at 3:31 PM, Phillip Partipilo <p...@psnet.com> wrote:
I'm decommissioning some servers, and to ease the transition, since we have 
some old code that is hardcoded with old server names, I'm going through the 
motions of setting up CNAME DNS records to point any queries to the old server 
to the new server, set up the key in 
HKLM\System\CurrentControlSet\Services\lanmanserver for 
DisableStrictNameChecking to 0x1, set up the key in 
HKLM\System\CurrentControlSet\Control\Lsa for DisableLoopBackCheck to 0x1, and 
then finally used the setspn tool to add SPNs to the new replacement server so 
it will happily accept and authenticate clients that are asking for resources 
and generating Kerberos tickets for the old server name.

Problem is that the setspn additions aren't holding as persistent... Every so 
often they just disappear...  During this transition I don't want to make this 
really ugly by having a scheduled task to run a batch file every minute to add 
these SPNs, so is there a way to force these entries as persistent?

I know this is a severe hack but I'm trying to make my job easy with this 
transition, I'm stretched pretty thin these days :-(



Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107




Re: setspn persistence

2010-07-26 Thread Richard Stovall
Your machine wouldn't happen to be a domain controller, would it?

See the last 4 comments to a very interesting article.

http://blogs.technet.com/b/askds/archive/2008/05/29/kerberos-authentication-problems-service-principal-name-spn-issues-part-1.aspx

On Mon, Jul 26, 2010 at 3:31 PM, Phillip Partipilo  wrote:

> I'm decommissioning some servers, and to ease the transition, since we have
> some old code that is hardcoded with old server names, I'm going through the
> motions of setting up CNAME DNS records to point any queries to the old
> server to the new server, set up the key in
> HKLM\System\CurrentControlSet\Services\lanmanserver for
> DisableStrictNameChecking to 0x1, set up the key in
> HKLM\System\CurrentControlSet\Control\Lsa for DisableLoopBackCheck to 0x1,
> and then finally used the setspn tool to add SPNs to the new replacement
> server so it will happily accept and authenticate clients that are asking
> for resources and generating Kerberos tickets for the old server name.
>
> Problem is that the setspn additions aren't holding as persistent... Every
> so often they just disappear...  During this transition I don't want to make
> this really ugly by having a scheduled task to run a batch file every minute
> to add these SPNs, so is there a way to force these entries as persistent?
>
> I know this is a severe hack but I'm trying to make my job easy with this
> transition, I'm stretched pretty thin these days :-(
>
>
>
> Phillip Partipilo
> Parametric Solutions Inc.
> Jupiter, Florida
> (561) 747-6107
>
>
>

Re: setspn persistence

2010-07-26 Thread Richard Stovall
Perhaps I should note that I was only moving file shares and no Kerberized
services.

On Mon, Jul 26, 2010 at 4:08 PM, Richard Stovall  wrote:

> What OS?  I had to do this about a year ago on a 2003 Server and I did not
> have to use the setspn tool that I recall.  I did have to create a string
> value at HKLM\System\CurrentControlSet\Services\lanmanserver\parameters
> called OptionalNames, and put the secondary names there (each on its own
> line).
>
> On Mon, Jul 26, 2010 at 3:31 PM, Phillip Partipilo  wrote:
>
>> I'm decommissioning some servers, and to ease the transition, since we
>> have some old code that is hardcoded with old server names, I'm going
>> through the motions of setting up CNAME DNS records to point any queries to
>> the old server to the new server, set up the key in
>> HKLM\System\CurrentControlSet\Services\lanmanserver for
>> DisableStrictNameChecking to 0x1, set up the key in
>> HKLM\System\CurrentControlSet\Control\Lsa for DisableLoopBackCheck to 0x1,
>> and then finally used the setspn tool to add SPNs to the new replacement
>> server so it will happily accept and authenticate clients that are asking
>> for resources and generating Kerberos tickets for the old server name.
>>
>> Problem is that the setspn additions aren't holding as persistent... Every
>> so often they just disappear...  During this transition I don't want to make
>> this really ugly by having a scheduled task to run a batch file every minute
>> to add these SPNs, so is there a way to force these entries as persistent?
>>
>> I know this is a severe hack but I'm trying to make my job easy with this
>> transition, I'm stretched pretty thin these days :-(
>>
>>
>>
>> Phillip Partipilo
>> Parametric Solutions Inc.
>> Jupiter, Florida
>> (561) 747-6107
>>
>>
>>

Re: setspn persistence

2010-07-26 Thread Richard Stovall
What OS?  I had to do this about a year ago on a 2003 Server and I did not
have to use the setspn tool that I recall.  I did have to create a string
value at HKLM\System\CurrentControlSet\Services\lanmanserver\parameters
called OptionalNames, and put the secondary names there (each on its own
line).

On Mon, Jul 26, 2010 at 3:31 PM, Phillip Partipilo  wrote:

> I'm decommissioning some servers, and to ease the transition, since we have
> some old code that is hardcoded with old server names, I'm going through the
> motions of setting up CNAME DNS records to point any queries to the old
> server to the new server, set up the key in
> HKLM\System\CurrentControlSet\Services\lanmanserver for
> DisableStrictNameChecking to 0x1, set up the key in
> HKLM\System\CurrentControlSet\Control\Lsa for DisableLoopBackCheck to 0x1,
> and then finally used the setspn tool to add SPNs to the new replacement
> server so it will happily accept and authenticate clients that are asking
> for resources and generating Kerberos tickets for the old server name.
>
> Problem is that the setspn additions aren't holding as persistent... Every
> so often they just disappear...  During this transition I don't want to make
> this really ugly by having a scheduled task to run a batch file every minute
> to add these SPNs, so is there a way to force these entries as persistent?
>
> I know this is a severe hack but I'm trying to make my job easy with this
> transition, I'm stretched pretty thin these days :-(
>
>
>
> Phillip Partipilo
> Parametric Solutions Inc.
> Jupiter, Florida
> (561) 747-6107
>
>
>
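Three pieces of configuration are spread across the thread: Phillip's two registry values (DisableStrictNameChecking and DisableLoopbackCheck), Richard's OptionalNames multi-string under LanmanServer\Parameters, and Greg's netdom method that places the old name in the computer object's additional DNS name attribute so the HOST SPNs are maintained for you. The script below is an added example, not code from any of the posters, that applies all three on the replacement server. It assumes you run it elevated on the new server as a domain admin, that RSAT's ActiveDirectory module is installed there, and it uses placeholder names (oldsrv, oldsrv.corp.example). Note that both LanmanServer values live under the Parameters subkey, which is the documented location; Phillip's quoted path omits it.

```powershell
# Added example, not from the thread. $OldNames are placeholders for the decommissioned names.
param(
    [string[]]$OldNames = @('oldsrv', 'oldsrv.corp.example')   # placeholders
)
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Phillip's two values: let the Server service answer to names other than its own,
# and stop LSA rejecting local connections that arrive under an alias.
Set-ItemProperty -Path $srv -Name DisableStrictNameChecking -Value 1 -Type DWord
Set-ItemProperty -Path $lsa -Name DisableLoopbackCheck       -Value 1 -Type DWord

# Richard's OptionalNames: a REG_MULTI_SZ of extra names the Server service registers.
# "Each on its own line" in regedit is one element of the multi-string.
Set-ItemProperty -Path $srv -Name OptionalNames -Value $OldNames -Type MultiString

# Greg's method: netdom stores the alias in msDS-AdditionalDnsHostName on the computer
# object, and the HOST/ SPNs for it are then generated and kept by the system itself,
# so a later SPN rewrite keeps them instead of dropping hand-added entries.
foreach ($fqdn in ($OldNames | Where-Object { $_ -like '*.*' })) {
    netdom computername $env:COMPUTERNAME "/add:$fqdn"
}

# The LanmanServer values are read at service start.
Restart-Service LanmanServer -Force

# Verify: what the computer account now carries.
Import-Module ActiveDirectory
$me = Get-ADComputer -Identity $env:COMPUTERNAME -Properties servicePrincipalName, 'msDS-AdditionalDnsHostName'
Write-Host "Additional DNS names: $($me.'msDS-AdditionalDnsHostName' -join ', ')"
$me.servicePrincipalName | Sort-Object
```

Run the verification part again after the interval at which the SPNs used to disappear; with the names in msDS-AdditionalDnsHostName the HOST/ entries should still be there without any scheduled setspn job. Removing the two Disable* values once the old code is fixed restores the name and loopback checks, which is worth scheduling as part of the decommissioning rather than leaving them in place.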

Re: setspn persistence

2010-07-26 Thread Joseph Heaton
I take it that it would be too difficult to have your developers go back and do 
away with the hardcoded names?

>>> Phillip Partipilo  7/26/2010 12:31 PM >>>
I'm decommissioning some servers, and to ease the transition, since we have 
some old code that is hardcoded with old server names, I'm going through the 
motions of setting up CNAME DNS records to point any queries to the old server 
to the new server, set up the key in 
HKLM\System\CurrentControlSet\Services\lanmanserver for 
DisableStrictNameChecking to 0x1, set up the key in 
HKLM\System\CurrentControlSet\Control\Lsa for DisableLoopBackCheck to 0x1, and 
then finally used the setspn tool to add SPNs to the new replacement server so 
it will happily accept and authenticate clients that are asking for resources 
and generating Kerberos tickets for the old server name.

Problem is that the setspn additions aren't holding as persistent... Every so 
often they just disappear...  During this transition I don't want to make this 
really ugly by having a scheduled task to run a batch file every minute to add 
these SPNs, so is there a way to force these entries as persistent?

I know this is a severe hack but I'm trying to make my job easy with this 
transition, I'm stretched pretty thin these days :-(



Phillip Partipilo
Parametric Solutions Inc.
Jupiter, Florida
(561) 747-6107


