InitializeSecurityContext() returns error when DNS domain name is different from AD domain name.


Post by heni » Sat, 21 Jan 2006 17:37:12



Hi Jeffrey,

Apart from the KRB_AP_ERR_MODIFIED error, I note that netlogon
reports these errors:

Attempt to update HOST Service Principal Names (SPNs) of the computer
object in Active Directory failed.
Attempt to update DNS Host Name of the computer object in Active
Directory failed.

Is this all because the primary DNS suffixes of DNS and AD are different?

Thanks,
Henin.
 
 
 


Post by heni » Tue, 24 Jan 2006 17:42:23



Hi Jeffrey,

I have followed the following from

http://www.yqcomputer.com/ ;en-us;258503

If the disjoint namespace is unintended, click to select the
Change primary DNS suffix when domain membership changes
check box and reboot the computer.

After which I am noticing AP_MODIFIED error.

rgds,
Henin.





Jeffrey Tan[MSFT] wrote:

> Hi Henin,
>
> Thanks for your feedback.
>
> First, in the KB below, there is only one workaround, I am not sure what is
> "first workaround", can you confirm what you have done?
> http://www.yqcomputer.com/ ;en-us;258503
>
> If the workaround steps were done correctly, your further problem should
> not occur. When the SPN is correct, the AP_MODIFIED error will go away. So
> let's first confirm you have followed the KB steps correctly.
>
> Thanks
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.

 
 
 


Post by heni » Wed, 25 Jan 2006 15:07:29



Hi Jeffrey,
Yes, you are right, the DC and the DNS name difference is intended.
As a security feature we do not allow dynamic changes to the DNS as
well as AD.

The issue happens only when the service is started with log-on as Local
System.
If the service is started with log-on as a domain user everything works
fine.

So does this mean that we do not have the SPN in the AD
with the service logged on as Local System, and as we do not have access
to AD the server is not able to find the SPN?

I am still not sure how it matters that the domains of DNS and AD are
different here.

This issue is getting critical, any pointers or help would really be
appreciated.

Thanks and regards,
Henin.


Jeffrey Tan[MSFT] wrote:


> Hi Henin,
>
> Thanks for your feedback.
>
> However, in your scenario, your DC and DNS name difference is intended,
> yes? So I think you should make sure that the Change primary DNS suffix
> when domain membership changes check box is not selected and follow those 8
> steps, instead of selecting the Change primary DNS suffix when domain
> membership changes check box (which is used when this difference is not
> intended).
>
> If I misunderstand you, please feel free to tell me, thanks
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.

 
 
 


Post by heni » Wed, 25 Jan 2006 18:05:23



Hi Jeffrey,

Q1) Just for confirmation, I think you have applied the workaround listed in
"namespace intended" section

Answer: I have not used any workaround listed.

Q2) domain account works well for the service. However, Local System
account will still fail for the service.

Answer: In my case only the domain account always works and Local System
account always fails.

Q3) Can you show me what error you got when using Local System account?

Answer: error KDC_ERR_S_PRINCIPAL_UNKNOWN.

Q4) So it seems that the problem only lies with domain account.

Answer: Problem is with Local System account only.

As said before I do not have access to DNS as well as AD.

Thanks and regards,
Henin.


Jeffrey Tan[MSFT] wrote:


> Hi Henin,
>
> Thanks for your feedback.
>
> Just for confirmation, I think you have applied the workaround listed in
> "namespace intended" section, and then domain account works well for the
> service. However, Local System account will still fail for the service.
>
> Can you show me what error you got when using Local System account?
>
> If a service runs under Local System account, it will use machine account
> to do Kerberos authentication. So it seems that the problem only lies
> with domain account.
>
> As domain admin, you can manually set the DNS host name property of the
> machine's account object to the DNS host name of the machine.
> If you do this, then the machine will be able to set SPNs itself just as if
> the default namespaces had been used instead of disjoint namespaces.
>
> Hope this helps
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.
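An added diagnostic, not from the thread or from Microsoft: a PowerShell check a domain admin can run to see the disjoint-namespace mismatch behind KDC_ERR_S_PRINCIPAL_UNKNOWN before applying the dNSHostName change Jeffrey describes. It assumes the RSAT ActiveDirectory module and read rights on the computer object; the -Apply switch is a hypothetical opt-in for the write step.

```powershell
# Added example: compare the computer object's dNSHostName and HOST SPNs (AD side)
# with the FQDN the host actually uses (DNS side). Assumes RSAT ActiveDirectory.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [switch]$Apply   # hypothetical switch: write to AD only when the admin opts in
)
Import-Module ActiveDirectory -ErrorAction Stop

# Name the host believes it has: hostname + primary DNS suffix.
$dnsFqdn = [System.Net.Dns]::GetHostEntry($ComputerName).HostName.ToLower()

# Name Active Directory holds for the same machine account.
$comp     = Get-ADComputer -Identity $ComputerName -Properties dNSHostName, servicePrincipalName
$adFqdn   = "$($comp.DNSHostName)".ToLower()
$hostSpns = @($comp.servicePrincipalName | Where-Object { $_ -like 'HOST/*' })

Write-Host "DNS FQDN       : $dnsFqdn"
Write-Host "AD dNSHostName : $adFqdn"
Write-Host "HOST SPNs in AD: $($hostSpns -join ', ')"

# A service running as Local System authenticates as the machine account and the
# client asks the KDC for HOST/<dnsFqdn>. If no account carries that SPN, the KDC
# answers KDC_ERR_S_PRINCIPAL_UNKNOWN, which is the error reported in the thread.
$wanted = "HOST/$dnsFqdn"
if ($hostSpns -contains $wanted) {
    Write-Host "OK: $wanted is registered; the KDC can issue a service ticket for it."
} else {
    Write-Warning "Missing SPN $wanted (disjoint namespace: DNS suffix and AD domain differ)."
    if ($adFqdn -ne $dnsFqdn) {
        Write-Warning "dNSHostName '$adFqdn' does not match the DNS name '$dnsFqdn'."
    }
    if ($Apply) {
        # The change from the reply: point dNSHostName at the real DNS name so the
        # host can register its own HOST SPNs (the netlogon update the first post
        # shows failing). Requires domain-admin rights on the computer object.
        Set-ADComputer -Identity $comp -DNSHostName $dnsFqdn
        Write-Host "dNSHostName updated; restart netlogon or reboot so SPNs are re-registered."
    } else {
        Write-Host "Re-run with -Apply as a domain admin to set dNSHostName to $dnsFqdn."
    }
}
```

Run it read-only first; a mismatch between the two FQDNs, or an empty HOST SPN list, reproduces the failure with the Local System logon while a domain-user logon (which authenticates as that user, not the machine) keeps working.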

 
 
 


Post by heni » Thu, 26 Jan 2006 18:20:14



Hi Jeffrey,
Thanks for the pointers, I have logged a request with the domain admin.

Thanks and regards,
Henin.




Jeffrey Tan[MSFT] wrote:

> Hi Henin,
>
> >> Q4) So it seems that the problem only lies with domain account.
>
> Sorry, this is a typo in my reply. It should be "machine account" (Local
> System account is expressed as your machine account in domain)
>
> >> As said before I do not have access to DNS as well as AD.
>
> Do you mean you do not have Domain Admin right in your domain?
>
> Currently, this issue means that the domain policy does not allow your
> machine account (Local System account is expressed) to do this, so if you do
> not have enough right to change it, there is no way to workaround
> it. (Security is all of trust)
>
> Can you send a change request to your domain admin? Thanks
>
> Best regards,
> Jeffrey Tan
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
> This posting is provided "as is" with no warranties and confers no rights.