RE: Kerberos logon to Terminal Server prevents folder redirection



Found that we don't have Kerberos enabled on our clustered file shares.
Would still like to know if there is a way to have the logon process revert
to NTLM if Kerberos authentication fails (because the user logged on to the
Terminal Server with Kerberos and the file share doesn't currently support
Kerberos).

"McDavid" wrote:

Environment:
- Terminal Server
  - Windows 2008 x64 Server Standard
  - Kerberos Token Size set to maximum
- Profile and Folder Redirection hosts
  - Windows 2003 x64 Server Standard
  - Kerberos Token Size set to maximum

Issue:
When our users log on to our Terminal Servers using Kerberos, they receive a
temporary profile and none of the Folder Redirection policies are applied.
The event log reports both processes failing with "Logon failure: unknown
user name or bad password." However, the user is successfully logged on to
the server using Kerberos. The server hosting the profiles also reports
"unknown user name or bad password" in the security log and the
authentication package as NTLM. The users can navigate to the network
locations of their roaming profiles and redirected folders just fine without
any errors.

If the users log on to our Terminal Servers using NTLM, their roaming profile
is loaded and folder redirection policies are applied successfully.

Kerberos is the required authentication method for logging in to our Terminal
Servers. We are using Citrix Web Interface, and single sign-on leverages
Kerberos.

Initial Troubleshooting:
I turned on Kerberos logging on the Terminal Server. When the user logs in to
the Terminal Server using Kerberos, the logon process attempts to load their
profile and redirect their profiles using Kerberos. This is failing because
we don't have SPNs registered for these resources. I'm guessing the logon
process then attempts NTLM, and that is failing because they didn't log in with
NTLM.

Is there any way to get the fallback to NTLM to function? If not, how does
one go about registering SPNs for file shares that are cluster resources
(virtual IPs and computer names that aren't registered in Active Directory)?
In addition, how does one go about registering SPNs for DFS roots?

Any/all help is appreciated.

Thanks.
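As an added example (not from either poster), the check below confirms from the Terminal Server whether a CIFS SPN exists for each host the logon process contacts for the profile and redirected folders, using the setspn tool, and prints the registration command for any that are missing. The host names and account names are constructed placeholders, not the poster's environment.

```powershell
# Added example: verify that a cifs/<host> SPN is registered for each share
# host (profile server, redirected-folder server, DFS root) and show the
# setspn command an administrator would run for any that is missing.
# Names and accounts below are constructed placeholders.
$shareHosts = @(
    @{ Name = 'fsclust01.example.local'; Account = 'FSCLUST01$' }, # cluster network name
    @{ Name = 'fsclust01';               Account = 'FSCLUST01$' }, # short name, also requested
    @{ Name = 'dfsroot.example.local';   Account = 'DFSROOT$' }
)

function Test-CifsSpn {
    param([string]$HostName)
    # setspn -Q searches the forest and prints "Existing SPN found!" when the
    # SPN is registered on any account, or "No such SPN found." otherwise.
    $out = & setspn.exe -Q "cifs/$HostName" 2>&1 | Out-String
    return ($out -match 'Existing SPN found')
}

foreach ($h in $shareHosts) {
    if (Test-CifsSpn -HostName $h.Name) {
        Write-Host "OK      cifs/$($h.Name)"
    } else {
        Write-Host "MISSING cifs/$($h.Name)  (clients will be unable to get a Kerberos ticket)"
        # -S refuses to add a duplicate SPN (setspn from Windows Server 2008 or later).
        Write-Host "        register with: setspn -S cifs/$($h.Name) $($h.Account)"
    }
}
```

For a clustered share the SPN has to live on the computer object that the cluster's Network Name resource creates when Kerberos authentication is enabled on that resource; until that object exists there is no account to register the SPN against, and the client can only fall back to NTLM.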

