Re: Kerberos Authentication to VMWare...



Thanks DaveMo.

We figured out by looking at the event log on the domain controller that
there were multiple SPNs defined. Once we removed one of the SPNs, Kerberos
authentication started working fine from the VMWare system.

But we ran into other issues; they are related to the deleted SPN being used
by the client intranet and to our web services application pool being configured
to run as Network Service.

"DaveMo" wrote:

On Mar 4, 8:24 pm, Praveen Kumar D
<PraveenKum...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
When we enabled Kerberos debugging, we found the following warnings in the
LSASS.log file:

456.580> Kerb-Warn: SPN not found HTTP <systemname>.domain.local
456.580> Kerb-Warn: SpInitLsaModeContext failed to get outbound ticket,
KerbGetServiceTicket failed with 0xc000018b

Sometimes the following errors appear in the Windows Event Log:

A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 15:41:50.0000 3/4/2009 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000035 KLIN(0)
Client Realm:
Client Name:
Server Realm: <domain>
Server Name: HTTP/<domain>
Target Name: HTTP/<domain>
Error Text:
File: 9
Line: ae0
Error Data is in record data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

A Kerberos Error Message was received:
on logon session <domain>\<user>
Client Time:
Server Time: 14:11:24.0000 3/4/2009 Z
Error Code: 0x12 KDC_ERR_CLIENT_REVOKED
Extended Error: 0xc0000072 KLIN(0)
Client Realm:
Client Name:
Server Realm: DOMAIN
Server Name: krbtgt/<domain>
Target Name: krbtgt/<domain>
Error Text:
File: e
Line: 6c0
Error Data is in record data.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

We have checked the SPNs using SetSPN with the -L option and see that both MOSS
and VMWare are part of the same domain.



"Praveen Kumar D" wrote:
Hello All,

We are running into authentication issues when we use Kerberos-based
authentication from a MOSS webpart (installed on a physical machine) when it
communicates with web services installed on Windows Server 2003 on VMWare.

Both the MOSS and VMWare servers are part of the same domain and use the same
domain admin credentials.

Scenario: When we try to access the MOSS website which contains our webpart
from anywhere (on a new system or from the VMWare system where the web services
are installed), we run into authentication issues. But when we access the
MOSS website from the MOSS system, authentication to the web services installed on
VMWare goes through and everything works fine.

Environment:
MOSS system: Windows Server 2003 R2, MOSS 2007
VMWare system: Windows Server 2003 R2, .NET Framework 2.0

Any help or inputs would be greatly appreciated.

Thanks in advance.

Where are you configuring Kerberos authentication to be used, MOSS ->
VMWare? What you might be configuring is Negotiate, and when it works
you are actually using NTLM. This would likely be the case if you
start from a session on the MOSS machine.

When you are remote, the system will try Kerberos and start that
process by trying to find an SPN. This looks to be failing, so there
is something going wrong. If you want to have additional tools to
troubleshoot this issue try the updated klist from my website
www.securitay.com/support. You can try to get a ticket directly
without going through the app layer which might help. You can also use
it to clear the SPN lookup cache which can cause problems in testing.

KDC_ERR_CLIENT_REVOKED is more puzzling because this typically
indicates that the client account has been locked out in AD. Can you
use the account to log on? Are you sure that the service account for
the VMWare "service" is really running as who you think it is?

HTH,
Dave
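
The two things the thread turns on, the KDC error codes in the quoted events and the duplicate SPN that Praveen eventually found on the DC, can both be checked from text you already have. The script below is an added example, not code from the thread or from any of the posters: it parses "A Kerberos Error Message was received" event blocks of the shape quoted above, parses an SPN inventory in the shape of `setspn -L` output, and reports whether the SPN each event targets is registered on zero, one or several accounts. The domain name (CORP.LOCAL), the account names (WEB01, svc_web) and both sample inputs are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: two event blocks in the same shape as the ones quoted
# in the thread (fields not needed for triage are kept but left empty).
SAMPLE_EVENTS = """\
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 15:41:50.0000 3/4/2009 Z
Error Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
Extended Error: 0xc0000035 KLIN(0)
Server Realm: CORP.LOCAL
Server Name: HTTP/web.corp.local
Target Name: HTTP/web.corp.local
Error Data is in record data.

A Kerberos Error Message was received:
on logon session CORP\\svc_web
Client Time:
Server Time: 14:11:24.0000 3/4/2009 Z
Error Code: 0x12 KDC_ERR_CLIENT_REVOKED
Extended Error: 0xc0000072 KLIN(0)
Server Realm: CORP
Server Name: krbtgt/CORP.LOCAL
Target Name: krbtgt/CORP.LOCAL
Error Data is in record data.
"""

# Constructed sample in the shape of `setspn -L <account>` output for two
# accounts. HTTP/web.corp.local is registered on both, which is the kind of
# duplicate that makes the KDC answer KDC_ERR_S_PRINCIPAL_UNKNOWN.
SAMPLE_SETSPN = """\
Registered ServicePrincipalNames for CN=WEB01,OU=Servers,DC=corp,DC=local:
    HOST/WEB01
    HOST/web.corp.local
    HTTP/web.corp.local
Registered ServicePrincipalNames for CN=svc_web,OU=Service Accounts,DC=corp,DC=local:
    HTTP/web.corp.local
    HTTP/web
"""

# Triage hints for the two KDC error codes seen in the thread (names per RFC 4120).
KDC_HINTS = {
    "KDC_ERR_S_PRINCIPAL_UNKNOWN": "no unique account holds the target SPN; check for missing or duplicate registrations",
    "KDC_ERR_CLIENT_REVOKED": "client account is locked out or disabled; check which account the service really runs as",
}

def parse_kerberos_events(text):
    """Split event-log text into one dict per 'A Kerberos Error Message' block."""
    events = []
    for block in re.split(r"(?m)^A Kerberos Error Message was received:\s*$", text):
        fields = {}
        for line in block.splitlines():
            if ":" in line:                       # 'Key: value' lines only
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Error Code" in fields:                # skip the empty leading chunk
            code_hex, _, code_name = fields["Error Code"].partition(" ")
            fields["code"] = int(code_hex, 16)
            fields["name"] = code_name
            events.append(fields)
    return events

def parse_setspn(text):
    """Parse setspn -L style output into {spn (lower-cased): [account DN, ...]}."""
    holders = defaultdict(list)
    account = None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for (.+?):\s*$", line)
        if m:
            account = m.group(1)
        elif line.strip() and account:
            holders[line.strip().lower()].append(account)   # SPN matching is case-insensitive
    return holders

def find_duplicate_spns(holders):
    """Return only the SPNs registered on more than one account."""
    return {spn: accts for spn, accts in holders.items() if len(accts) > 1}

def triage(events_text, setspn_text):
    """For each event, look up who holds the target SPN and attach a hint."""
    holders = parse_setspn(setspn_text)
    findings = []
    for ev in parse_kerberos_events(events_text):
        target = ev.get("Target Name", "")
        accounts = holders.get(target.lower(), [])
        findings.append({
            "code": ev["name"],
            "target": target,
            "holders": accounts,
            "duplicate": len(accounts) > 1,
            "hint": KDC_HINTS.get(ev["name"], "see RFC 4120 section 7.5.9"),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_SETSPN):
        print(f"{f['code']:<28} {f['target']:<24} holders={len(f['holders'])} duplicate={f['duplicate']}")
        print(f"    {f['hint']}")
```

Feed it the real event text and the concatenated `setspn -L` output of every account that might hold the service's SPN (the computer account and any service account): a target SPN with two holders is the duplicate case from this thread, with zero holders is a plain missing registration, and a KDC_ERR_CLIENT_REVOKED against krbtgt points at the account itself rather than at the SPN, as Dave notes.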
