Roger
Hello
When we use "selective authentication" on the one-way forest trust,
Kerberos is not working, only NTLM. When we deselect "selective
authentication" on the forest trust, Kerberos works fine to access
resources in the resource domain.
For security reasons we need "selective authentication" on the trust
and we want Kerberos as the authentication protocol.
(The domains are in W2K3 mode, service principal names for the accounts
are created)
With "selective authentication" enabled we receive the following error
from a DC in the resource Domain:
No. Time Source Destination
Protocol Info
53 3.896470 159.29.17.56 159.29.193.212 KRB5
KRB Error: KRB5KDC_ERR_POLICY
Frame 53 (196 bytes on wire, 196 bytes captured)
Ethernet II, Src: Cisco_f2:6c:f0 (00:d0:bc:f2:6c:f0), Dst:
CompaqCo_dc:b2:4b (00:08:02:dc:b2:4b)
Internet Protocol, Src: XXX.29.17.56 (159.29.17.56), Dst:
XXX.29.193.212 (XXX.29.193.212)
Transmission Control Protocol, Src Port: kerberos (88), Dst Port: 1853
(1853), Seq: 1, Ack: 1740, Len: 142
Kerberos KRB-ERROR
Record Mark: 138 bytes
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2006-10-27 09:54:51 (Z)
susec: 940079
error_code: KRB5KDC_ERR_POLICY (12)
Realm: SERVICES.XXX.YY
Server Name (Service and Instance): HTTP/personal.services.XXX.YY
Name-type: Service and Instance (2)
Name: HTTP
Name: personal.services.XXX.YY
e-data PA-PW-SALT
Type: PA-PW-SALT (3)
Value: 130400C00000000003000000
NT Status: Unknown (0xc0000413)
Unknown: 0x00000000
Unknown: 0x00000003
Does anyone have an idea?
Greetings Roger
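
Added example, not part of the original post: a small Python decoder for the KRB-ERROR shown in the capture. It reads the 12-byte e-data value as three little-endian 32-bit words and names the embedded NT status, which the dissector above printed as "Unknown". The status-name table and function names are assumptions of this example; the sample text is copied from frame 53.

```python
import re
import struct

# NTSTATUS values a KDC may embed in KRB-ERROR e-data (names from ntstatus.h).
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC000006E: "STATUS_ACCOUNT_RESTRICTION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    # Returned when selective authentication blocks the account: it lacks the
    # "Allowed to Authenticate" right on the target computer object.
    0xC0000413: "STATUS_AUTHENTICATION_FIREWALL_FAILED",
}

# Dissector text copied from frame 53 of the capture in the post.
SAMPLE = """\
error_code: KRB5KDC_ERR_POLICY (12)
Server Name (Service and Instance): HTTP/personal.services.XXX.YY
e-data PA-PW-SALT
Type: PA-PW-SALT (3)
Value: 130400C00000000003000000
"""

def decode_edata(hex_value):
    """Split the 12-byte e-data value into three little-endian 32-bit words."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 12:
        raise ValueError(f"expected 12 bytes of e-data, got {len(raw)}")
    return struct.unpack("<III", raw)

def parse_krb_error(text):
    """Extract the Kerberos error, target SPN and embedded NTSTATUS."""
    err = re.search(r"error_code:\s*(\S+)\s*\((\d+)\)", text)
    spn = re.search(r"Server Name \(Service and Instance\):\s*(\S+)", text)
    val = re.search(r"^\s*Value:\s*([0-9A-Fa-f]+)\s*$", text, re.M)
    if not (err and val):
        raise ValueError("no KRB-ERROR with e-data found")
    status, word2, word3 = decode_edata(val.group(1))
    return {
        "error": err.group(1), "code": int(err.group(2)),
        "spn": spn.group(1) if spn else None,
        "nt_status": f"0x{status:08x}",
        "nt_status_name": NTSTATUS_NAMES.get(status, "unknown"),
        "trailing_words": (word2, word3),
    }

if __name__ == "__main__":
    print(parse_krb_error(SAMPLE))
```

For the value in the post this yields 0xc0000413, STATUS_AUTHENTICATION_FIREWALL_FAILED, for the SPN HTTP/personal.services.XXX.YY.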