Re: kerberos logon to IP address




I am sory to be this impolite, but would you be able to help me with this issue?

The question can be shortened to something simple like this:

"Vista will never use kerberos for servers (at least http, smb/cifs) whos name is specified by an IP address, is that right?
"And if it would use Kerberos, how one could make Vista use it apart creating the SPN and making it member of Local Intranet zone?"

many thanks and appologies for the rudeness.

ondra.


"Mervyn Zhang [MSFT]" <v-mervzh@xxxxxxxxxxxxxxxxxxxx> wrote in message news:LBahzfreJHA.8120@xxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

Thank you for posting.

According to your description, I understand that:

Vista would not use Kerberos against an IP address even if you have created
SPN for the IP address.

If I have misunderstood the problem, please don't hesitate to let me know.

I would like to explain that Service principal names (SPNs) are unique
identifiers for services running on servers. Every service that uses
Kerberos authentication needs to have an SPN set for it so that clients can
identify the service on the network. Could you let us know how do you
create SPN for the IP address?

Also, what do you mean by "Vista is NOT willing to use Kerberos against an
IP address"?

There are some Kerberos Enhancements in Vista but these enhancements should
not affect the work of Kerberos. For more information about those changes,
please refer to the article below:

Kerberos Enhancements
http://technet.microsoft.com/en-us/library/cc749438.aspx

Could you let us know where did you find that Windows XP try to generate a
ticket for IP address? Did you use the tool "Klist"? If there is any log,
report, it?s very helpful. A screenshot is better for troubleshooting.

You can send log file or screenshot to tfwst@xxxxxxxxxxxxxx Or please use
Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file
and then give me the download address.

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.


.



Relevant Pages

  • kerberos TGS for an IP address
    ... Vista never uses kerberos for servers which name is specified by an IP address, is that right? ... By using the work ASKS I would like to stress the fact XP always asks for a TGS, which may not be available because of an appropriate SPN is missing. ...
    (microsoft.public.windows.vista.security)
  • Re: kerberos logon to IP address
    ... So we are going to create SPN and enable kerberos for the alias. ... the Vista client not even asks for TGT - once again as observed by using Wireshark ...
    (microsoft.public.windows.vista.security)
  • RE: kerberos logon to IP address
    ... Vista would not use Kerberos against an IP address even if you have created ... SPN for the IP address. ... There are some Kerberos Enhancements in Vista but these enhancements should ...
    (microsoft.public.windows.vista.security)
  • Re: Problems with Vista Kerberos Authentication in AD Domain
    ... We are experiencing an intermittent issue regarding Kerberos ... Authentication with some of our 400 or so Vista SP1 clients. ... about not being able to authenticate against our proxy server which only ...
    (microsoft.public.windows.vista.networking_sharing)
  • Re: kerberos TGS for an IP address
    ... I have used klist and also kerbtray ) to trace the problem and still, Vista seems to not use the kerberos for IP addresses. ... DNS server to find the IP addressand send Kerberos request to ... You can also use the Microsoft Network Monitor 3.2 to analyze traffics. ...
    (microsoft.public.windows.vista.security)