Kerberos behavior in Windows XP vs Windows 7

  • Question

  • All,

    We're seeing an odd issue with all of our Windows XP (SP3) workstations where they are unable to access domain resources whereas Windows 7 workstations are. All workstations are part of an AD domain (WIN.DOMAIN1.COM), but using MIT Kerberos servers for the Kerberos authentication (DOMAIN2.COM realm). Each AD user account is mapped to a corresponding Kerberos account. All workstations have the Kerberos settings set the same in the registry. RealmFlags is set to 0x0000000e, and I have a HostToRealm mapping set up for WIN.DOMAIN1.COM with the SpnMappings value set to .win.domain1.com. I've tried many iterations of that, with both REG_SZ as well as MULTI_SZ; with and without the initial period, capitalized and non-capitalized.

    I captured the network traffic during the connect attempt and I see the following:

    1) SMB Protocol request

    2) SMB Protocol response with principal DCservername$@WIN.DOMAIN1.COM

    3) DNS query for the Kerberos server and a response with the proper IP address

    4) AS-REQ with principal user.name@DOMAIN2.COM

    5) AS-REP with ticket for user.name@DOMAIN2.COM

    And here's where Windows XP and Windows 7 diverge.

    Windows 7 then makes a TGS-REQ to the MIT Kerberos server for krbtgt/WIN.DOMAIN1.COM but Windows XP makes a TGS-REQ to the MIT Kerberos server for cifs/dcservername@win.domain1.com. Windows 7 gets the ticket, then connects to the domain resource. Windows XP gets a PRINCIPAL_UNKNOWN to its request then tries NTLM, which fails since the Kerberos and domain passwords don't match.

    These symptoms are happening with every user account that's tried and with every Windows XP system in our domain. Windows XP and Windows 7 should have all of the same group policies applied, except where said policy is not supported on that platform. Both Windows XP and Windows 7 are in the same network, same OU, same DHCP scope, etc. so I don't believe it's an issue on the servers or any resource outside of the workstations.

    If anyone has any ideas on why Windows XP makes that TGS-REQ for cifs/dcservername@win.domain1.com instead of krbtgt/WIN.DOMAIN1.COM, it would be greatly appreciated. That's what it seems to boil down to and I'm not sure what setting could be causing this.

    Thanks,

    Hugh


    Friday, April 29, 2011 3:33 PM
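The cross-realm ticket path the question describes, as an added example that is not code from the post, from Microsoft or from MIT Kerberos: it models the HostToRealm suffix lookup, computes the TGS-REQ sequence a correct client should send after its AS-REP, and triages a constructed list of observed TGS-REQs to flag the Windows XP pattern (a foreign-realm service principal asked of the home KDC, which yields PRINCIPAL_UNKNOWN). Realm names mirror the post; the DC FQDN and the request tuples are constructed sample data.

```python
# Added example (not the post's, Microsoft's or MIT's code). Realm names follow
# the post; the DC hostname and the capture tuples below are constructed.

def host_realm(hostname, host_to_realm, default_realm):
    """Longest DNS-suffix match, the role the HostToRealm mapping plays.
    Suffix keys may carry a leading dot and any case, as in the post's attempts."""
    host = hostname.lower().rstrip(".")
    best = None
    for suffix, realm in host_to_realm.items():
        s = suffix.lower().lstrip(".")
        if (host == s or host.endswith("." + s)) and (best is None or len(s) > len(best[0])):
            best = (s, realm.upper())
    return best[1] if best else default_realm.upper()


def expected_tgs_requests(home_realm, service, hostname, host_to_realm):
    """TGS-REQs a correct client sends after its AS-REP, as (kdc_realm, sname, sname_realm).
    For a host in another realm it first asks its home KDC for krbtgt/<target>@<home>,
    then presents that cross-realm TGT to the target realm's KDC for the service ticket."""
    home, target = home_realm.upper(), host_realm(hostname, host_to_realm, home_realm)
    spn = f"{service}/{hostname.lower()}"
    if target == home:
        return [(home, spn, home)]
    return [(home, f"krbtgt/{target}", home), (target, spn, target)]


def triage_tgs_requests(requests):
    """Flag a TGS-REQ that asks KDC X for a non-krbtgt principal of realm Y != X.
    X holds no key for that service, so it answers PRINCIPAL_UNKNOWN; a client that
    then falls back to NTLM shows the symptom described in the post."""
    findings = []
    for kdc_realm, sname, sname_realm in requests:
        if sname.lower().startswith("krbtgt/"):
            continue
        if sname_realm.upper() != kdc_realm.upper():
            findings.append(f"{sname}@{sname_realm} requested from {kdc_realm} KDC")
    return findings


HOST_TO_REALM = {".win.domain1.com": "WIN.DOMAIN1.COM"}  # mirrors the post's HostToRealm entry
HOME = "DOMAIN2.COM"
HOST = "dcservername.win.domain1.com"                    # constructed FQDN for the post's DC

# Constructed from the two capture descriptions in the post.
WIN7_CAPTURE = [(HOME, "krbtgt/WIN.DOMAIN1.COM", HOME),
                ("WIN.DOMAIN1.COM", "cifs/" + HOST, "WIN.DOMAIN1.COM")]
WINXP_CAPTURE = [(HOME, "cifs/" + HOST, "win.domain1.com")]

if __name__ == "__main__":
    print("expected:", expected_tgs_requests(HOME, "cifs", HOST, HOST_TO_REALM))
    print("Windows 7:", triage_tgs_requests(WIN7_CAPTURE) or "ok")
    print("Windows XP:", triage_tgs_requests(WINXP_CAPTURE))
```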

All replies

  • I think SpnMappings should be set to "win.domain1.com", without the leading dot.

    -= F1 is the Key =-

    Friday, October 26, 2012 9:47 PM