ForestA to ForestB AD final export failed - kerberos-no-logon-server

    Question

  • Hello,

    I've tried all the possibilities (I believe) from the forums, but I am experiencing the above error on my final export to the AD and I can't seem to resolve it.

    The scenario is a PoC environment, with a simple user sync between one forest, "FORESTA", and a "FORESTB" domain in a DMZ zone.

    - Firewall ports for Kerberos 88/464, LDAP, DNS have been opened... I can telnet.
    - I am importing the standard sAMAccountName, UPN, displayName, sn, givenName, etc. and a static "FORESTB" as the domain to the FIM portal, applying rules ready for export.
    - I am exporting all the values including DN, userAccountControl, and unicodePwd, both of which are correct (512 and adheres to domain policy).
    - I am using a hosts file to define the domain controller address and the domain forest address.
    - I am using the FQDN of the DC and forest in the AD config.
    - The service account has full permission to the OUs and the replicating changes permission on the domain as per the requirements...

    Does anyone have anything else I can try/test? I understand what is happening (the domain can't be found to log on to, to send the "userAccountControl" attribute) but I don't understand how to fix it...

    Cheers
    Stu


    Monday, November 19, 2012 7:03 AM

Answers

  • Note that the Windows Kerberos implementation does *not* depend on reverse DNS (PTR records).  It does depend on DNS generally however, and hosts files can't fill this role.  The only workaround, if you do not control the current DNS servers, would be to set up a new DNS infrastructure that is authoritative for the necessary zones only.

    FIM must authenticate to AD via Kerberos, but that doesn't mean you'd have to open Kerberos ports in the firewall for applications that wish to use it for LDAP only.

    I'm not sure what question you are posing about LDS, but the SharePoint boards might be the best place to ask.

    Monday, November 26, 2012 2:35 AM
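
The answer above (and the replies below) come down to one point: the Windows DC locator finds a KDC through DNS SRV records, which a hosts file cannot supply. As an added diagnostic example, not code from the original thread, the PowerShell script below performs the lookups the locator relies on for the target forest, checks that each advertised DC accepts Kerberos and LDAP traffic through the firewall (the telnet test from the question, automated), and finishes with `nltest /dsgetdc`, which is the locator call itself. The domain name `forestb.local` and the DNS server address are assumed placeholders; replace them with your own. It needs the DnsClient module (Windows 8 / Server 2012 or later) and `Test-NetConnection` (Windows 8.1 / Server 2012 R2 or later).

```powershell
# Added diagnostic example (not from the original thread).
# Checks whether this host can locate a KDC for the target forest via DNS.
# A hosts file only supplies A/AAAA entries; DC location needs SRV records,
# so a hosts-file-only setup will pass name resolution here and still fail
# the SRV lookups below.
param(
    [string]$Domain    = 'forestb.local',   # assumed: FQDN of the target forest root
    [string]$DnsServer = '10.0.0.10'        # assumed: DNS server the FIM box should use
)

# SRV names a Windows client queries to find a DC / KDC / kpasswd service.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.$Domain",
    "_kpasswd._tcp.$Domain"
)

foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        if (-not $records) { throw "no SRV records returned" }

        foreach ($r in $records) {
            "{0,-45} -> {1}:{2} (priority {3}, weight {4})" -f `
                $name, $r.NameTarget, $r.Port, $r.Priority, $r.Weight

            # Every advertised DC must be reachable on the ports Kerberos and
            # LDAP actually use, otherwise the locator picks a DC it cannot talk to.
            foreach ($port in 88, 389, 464) {
                $ok = (Test-NetConnection -ComputerName $r.NameTarget -Port $port `
                           -WarningAction SilentlyContinue).TcpTestSucceeded
                "    tcp/{0} to {1}: {2}" -f $port, $r.NameTarget, $(if ($ok) { 'open' } else { 'BLOCKED' })
            }
        }
    } catch {
        # Typical outcome when only a hosts file is in place: the A record
        # resolves but none of the SRV names exist on the DNS server in use.
        "{0,-45} -> NOT FOUND ({1})" -f $name, $_.Exception.Message
    }
}

# The DC locator itself. If this cannot return a DC, a Kerberos logon to the
# forest (and therefore the FIM export) fails regardless of hosts-file entries.
nltest /dsgetdc:$Domain /force
```

If the SRV lookups fail but `nltest` succeeds against a different DNS server, the FIM server is simply pointed at resolvers that are not authoritative for the forest's `_msdcs` zone; that is the situation the answer's "DNS infrastructure that is authoritative for the necessary zones" addresses.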

All replies

  • It sounds like you have an improper or incomplete DNS configuration (the mention of hosts files is kind of a tip-off here).  Hosts files cannot contain the SRV or other records needed for KDC location.
    Monday, November 19, 2012 4:06 PM
  • Agree with Steve - please check your DNS configuration and name resolution.
    Monday, November 19, 2012 10:06 PM
  • Okay, thanks guys...

    I don't have direct access to add DNS records... hence the hosts addition...
    Can I get around DNS by using IP addresses, or will there still be an issue with SRV for KDC location? Is there any other shortcut around this? I've deployed FIM before but never between forests without a trust established and never through so many firewalls.
    In the meantime I will try and get the DNS record added.

    cheers
    stu

    Monday, November 19, 2012 11:12 PM
  • The Kerberos protocol depends on DNS reverse zone entries for A records. Both sides would need to be able to look up DNS entries. Use A records rather than CNAMEs. Generally speaking, it's not a good idea to use Kerberos through a firewall.

    Unless you absolutely need an AD in the DMZ, you should instead be using AD LDS (a.k.a. ADAM) in the DMZ and set it to sync from the AD behind the firewall using the LDAP protocol (firewall friendly).

    Thursday, November 22, 2012 3:38 AM
  • Hi Davot,

    Thanks for this advice. Only names and passwords need to be in this AD as an auth source; will LDS still provide authentication to applications like SharePoint?

    Stu

    Sunday, November 25, 2012 10:23 PM