Re: kerberos logon to IP address
- From: "Ondrej Sevecek" <ondass@xxxxxxxxxxxxxxxx>
- Date: Wed, 21 Jan 2009 11:06:11 +0100
Vista Ultimate SP1 English, clean installation with SP1, AD 2008 level, 2003 forest level, single domain
correctly WORKING test:
a) have server SRV1.domain.local, IP address 10.10.0.11
b) create DNS A record intranet.domain.local, IP address 10.10.0.11
c) add site "intranet.domain.local" to the Local Intranet sites (IEESC turned off)
d) purge Kerberos ticket cache
e) restart IE
f) try IE to http://intranet.domain.local (exactly this, not using the short form)
g) only the TGT was received, but both TGT and TGS were requested, as seen in Wireshark - this is still correct because no SPN had been created yet. So we are going to create the SPN and enable Kerberos for the alias.
h) create SPN http/intranet.domain.local
i) purge Kerberos ticket cache
j) restart IE
k) try IE to http://intranet.domain.local (exactly this, not using the short form)
l) both TGT and TGS were received successfully
the same procedure works the same way even for SMB/CIFS access (certainly, DisableStrictNameChecking must have been set to 1)
but when I try to access http://10.10.0.11 or \\10.10.0.11 (Local Intranet site address, the caches purged, SPN created etc.)
the Vista client does not even ask for a TGT - once again as observed using Wireshark
the client doesn't try Kerberos at all, it uses NTLM as the first method without trying Kerberos first
With a Windows XP client, on the other hand, both forms - intranet.domain.local and also 10.10.0.11 - work the same, and if the SPN is in place, in both cases XP asks for and receives the tickets.
ondra.
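The alias/SPN test above (steps a-l, with the SMB/CIFS variant) written out as the commands an administrator would actually type, added here as an example and not part of Ondra's post. It assumes the web and file services on SRV1 run under the computer account (SRV1$), that the domain.local zone is hosted on the DC where the commands run, and that the Vista client's IE already lists intranet.domain.local in the Local Intranet zone.

```powershell
# Added example, not from the original thread: the alias/SPN test
# (steps a-l, plus the SMB/CIFS variant) as admin commands.
# Assumptions: SRV1's services run as the computer account SRV1$,
# the domain.local DNS zone is hosted on this DC, and the client's IE
# already has intranet.domain.local in the Local Intranet zone.

# --- on the DC / DNS server (steps a-b): alias record for the server ---
dnscmd . /RecordAdd domain.local intranet A 10.10.0.11

# --- on the DC (step h): register the SPN for the alias ----------------
# -S refuses to add an SPN that already exists elsewhere in the forest;
# a duplicate SPN is a common reason a TGS-REQ for an alias fails.
setspn -S HTTP/intranet.domain.local SRV1
setspn -S cifs/intranet.domain.local SRV1    # for the \\intranet.domain.local test
setspn -L SRV1                               # confirm both entries are listed
setspn -X                                    # forest-wide duplicate-SPN check

# --- on SRV1 (SMB variant): accept the alias name in SMB session setup ---
reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters `
    /v DisableStrictNameChecking /t REG_DWORD /d 1 /f
# LanmanServer reads this value at start; restart it for the change to apply.
net stop server /y
net start server

# --- on the Vista client (steps i-l): purge, retest, inspect -------------
klist purge                                  # drop cached TGT/TGS (step i)
Start-Process iexplore.exe "http://intranet.domain.local/"
# After the page loads, a successful Kerberos logon shows a service ticket
# whose Server line is HTTP/intranet.domain.local; only a krbtgt entry
# present matches the "TGT only" outcome of step g.
klist
```

Comparing the `klist` listing with the Wireshark capture (AS-REQ followed by TGS-REQ) is what tells the "no SPN" case apart from the "Kerberos never attempted" case described for the IP-literal URL.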
"Mervyn Zhang [MSFT]" <v-mervzh@xxxxxxxxxxxxxxxxxxxx> wrote in message news:LBahzfreJHA.8120@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi,
Thank you for posting.
According to your description, I understand that:
Vista would not use Kerberos against an IP address even if you have created
SPN for the IP address.
If I have misunderstood the problem, please don't hesitate to let me know.
I would like to explain that Service principal names (SPNs) are unique
identifiers for services running on servers. Every service that uses
Kerberos authentication needs to have an SPN set for it so that clients can
identify the service on the network. Could you let us know how you
create the SPN for the IP address?
Also, what do you mean by "Vista is NOT willing to use Kerberos against an
IP address"?
There are some Kerberos Enhancements in Vista but these enhancements should
not affect the work of Kerberos. For more information about those changes,
please refer to the article below:
Kerberos Enhancements
http://technet.microsoft.com/en-us/library/cc749438.aspx
Could you let us know where you found that Windows XP tries to get a
ticket for an IP address? Did you use the tool "Klist"? If there is any log
or report, it's very helpful. A screenshot is better for troubleshooting.
You can send a log file or screenshot to tfwst@xxxxxxxxxxxxxx Or please use
Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file
and then give me the download address.
Sincerely,
Mervyn Zhang
Microsoft Online Community Support
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.