Kerberos Authentication
This may sound like a silly question... I have been troubleshooting an issue with Kerberos for a particular application, and it's looking like an issue with the SPN.
Anyway, other services and apps run fine, so that suggests Kerberos is OK as a whole. My question is, what happens if the whole 2003 domain had a problem with Kerberos? Which services would it affect, i.e. AD replication, logons, etc.? Or will it just fail over to NTLM and go unnoticed?
Answers
Some of the applications heavily dependent on Kerberos, such as Federated search, SAP Integration, and RSS Viewer Web Parts, will fail (IIS), as Kerberos authentication falls back to NTLM.
http://blogs.technet.com/surama/archive/2009/04/06/kerberos-authentication-problem-with-active-directory.aspx
http://technet.microsoft.com/en-us/library/cc772897(WS.10).aspx
http://technetfaqs.wordpress.com
Marked As Answer by Joson Zhou MSFT, Moderator, Tuesday, November 10, 2009 10:52 AM
The fallback mechanism applies primarily to the authentication between domain members and domain controllers and is highly dependent on the type of service involved (as Syed has pointed out). You will likely see a variety of issues resulting from problems with DC-to-DC communication, loss of trust transitivity/forest trusts, failing delegation, or malfunctioning kerberized applications, just to mention a few...
hth
Marcin
Marked As Answer by Joson Zhou MSFT, Moderator, Tuesday, November 10, 2009 10:52 AM
Hi, what errors/issues are you troubleshooting? What tests did you make to think that there's an issue with Kerberos?
To troubleshoot Kerberos you may start here:
http://technet.microsoft.com/en-us/library/cc786325(WS.10).aspx
I hope that the information above helps you. This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Marked As Answer by Joson Zhou MSFT, Moderator, Tuesday, November 10, 2009 10:52 AM
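On whether a fallback to NTLM goes unnoticed: the following is an added example, not part of any reply in this thread. It tallies network logons by authentication package per account and client and reports the pairs that used NTLM. It assumes Security log events exported as XML in the event 4624 format of Windows Server 2008 and later (a Windows Server 2003 domain controller records logons under different event IDs); the sample records, account names and host names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Namespace used by Windows event XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def logon_fields(event_xml):
    """Return the EventData name/value pairs of one event, or None if it is not a 4624 logon."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}

def ntlm_fallback_report(events):
    """Tally network logons (LogonType 3) per (account, client) by authentication
    package and return only the pairs with at least one NTLM logon."""
    tally = defaultdict(Counter)
    for xml_text in events:
        f = logon_fields(xml_text)
        if not f or f.get("LogonType") != "3":
            continue  # not a logon event, or not a network logon
        key = (f.get("TargetUserName", "?"), f.get("WorkstationName") or f.get("IpAddress", "?"))
        tally[key][f.get("AuthenticationPackageName", "?")] += 1
    return {k: dict(c) for k, c in tally.items() if c.get("NTLM")}

def _event(user, host, package, logon_type="3", event_id="4624"):
    """Build one constructed event record (sample data, not taken from a real log)."""
    data = {"TargetUserName": user, "WorkstationName": host,
            "LogonType": logon_type, "AuthenticationPackageName": package}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

SAMPLE = [  # constructed sample input
    _event("svc_app", "WEB01", "Kerberos"),
    _event("svc_app", "WEB01", "NTLM"),
    _event("svc_app", "WEB01", "NTLM"),
    _event("alice", "PC07", "Kerberos"),
    _event("bob", "PC09", "Negotiate", logon_type="2"),  # interactive logon, ignored
    _event("carol", "PC11", "NTLM", event_id="4634"),    # logoff event, ignored
]

if __name__ == "__main__":
    for (user, host), counts in ntlm_fallback_report(SAMPLE).items():
        print(f"{user}@{host}: {counts}")
```

A pair that shows both Kerberos and NTLM logons for the same account and client is the strongest hint of intermittent fallback; a pair with NTLM only may simply be a client that never negotiates Kerberos for that service.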

