RPC and Kerberos error
Hi,
I have the following setup:
In domain 1: RPC server (Win32 service), running in the system account. Registered SPN myservice\fqdn (myservice\machine.domain1.com and myservice\machine).
In domain 2: RPC client (desktop application), running in the domain administrator account, using the above SPN to connect to the server. Logged in as the domain administrator.
In both domains the machines are Win2K3 servers. The same problem is observed in a Win2K8R2 domain.
Using RPC_C_AUTHN_GSS_NEGOTIATE on both the RPC server and the client, I found the client is not able to find the server and returns an access denied error. However, if I change the service type to RPC_C_AUTHN_WINNT, the client is able to communicate with the server.
I did a network capture and observed:
75505 75.431571 10.216.125.241 10.216.121.214 krb5 tgs-req
75506 75.432846 10.216.121.214 10.216.125.241 krb5 krb error: krb5kdc_err_s_principal_unknown
75508 75.433783 10.216.129.188 10.216.125.241 smb write andx response, fid: 0x000d, 132 bytes
75509 75.433974 10.216.125.241 10.216.129.188 smb read andx request, fid: 0x000d, 1024 bytes @ offset 0
75510 75.434398 10.216.129.188 10.216.125.241 dcerpc bind_ack: call_id: 2738, ntlmssp_challenge accept max_xmit: 4280 max_recv: 4280
75511 75.434792 10.216.125.241 10.216.129.188 dcerpc auth3: call_id: 2738, ntlmssp_auth, user: clientdomain\administrator
75512 75.435255 10.216.129.188 10.216.125.241 smb write andx response, fid: 0x000d, 214 bytes
75513 75.435431 10.216.125.241 10.216.129.188 winreg openhklm request
75514 75.447385 10.216.129.188 10.216.125.241 dcerpc fault: call_id: 2738 ctx_id: 0 status: nca_s_fault_access_denied
The Kerberos debug logs show:
[472] 472.568> kerb-warn: spinitlsamodecontext failed outbound ticket, kerbgetserviceticket failed with 0xc000018b
[472] 472.568> kerb-warn: spn not found
[472] 472.568> kerb-cred: cant go off box w/ non-fwdble logon session & no supp creds.
My questions are:
1) Does Kerberos require a cross-domain trust to work correctly? Cross-domain, do I need to supply explicit credentials or some other configuration? How do I verify this configuration? Why is it not required for WINNT?
2) If RPC_C_AUTHN_WINNT works, why not RPC_C_AUTHN_GSS_NEGOTIATE?
Why is the fallback to NTLM not working? If the SPN is not found, it should fall back to NTLM, and it should work like the WINNT service type.
Please help me on this.
Regards..
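The capture in the post already contains the two facts worth checking when Negotiate fails and WINNT works: the KDC answers the TGS-REQ with KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, and the bind then proceeds with NTLMSSP (Bind_ack with NTLMSSP_CHALLENGE, then AUTH3) before the server returns nca_s_fault_access_denied on the call. The script below is an added example, not the poster's code or a Microsoft tool: it reads capture lines in the same summary format, records whether Kerberos failed, whether NTLM was negotiated afterwards and which account it used, and what fault the server returned, and also validates SPN syntax, since an SPN is written as serviceclass/host[:port][/name] and the post shows it with a backslash. The sample capture lines are constructed to mirror the trace above, not copied from the poster's environment, and the verdict strings are my own labels.

```python
"""Correlate a Negotiate (Kerberos -> NTLM) fall-back in an RPC capture
summary and check SPN syntax. Added example; sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: one summary line per event type seen in the post.
SAMPLE_CAPTURE = """\
75505 75.431571 10.216.125.241 10.216.121.214 KRB5 TGS-REQ
75506 75.432846 10.216.121.214 10.216.125.241 KRB5 KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
75510 75.434398 10.216.129.188 10.216.125.241 DCERPC Bind_ack: call_id: 2738, NTLMSSP_CHALLENGE accept max_xmit: 4280 max_recv: 4280
75511 75.434792 10.216.125.241 10.216.129.188 DCERPC AUTH3: call_id: 2738, NTLMSSP_AUTH, User: CLIENTDOMAIN\\administrator
75513 75.435431 10.216.125.241 10.216.129.188 WINREG OpenHKLM request
75514 75.447385 10.216.129.188 10.216.125.241 DCERPC Fault: call_id: 2738 ctx_id: 0 status: nca_s_fault_access_denied
"""

# Standard SPN syntax: serviceclass/host[:port][/servicename]
SPN_RE = re.compile(r"^([^/\\:@]+)/([^/\\:@]+)(?::(\d+))?(?:/([^/\\@]+))?$")


def validate_spn(spn: str) -> Tuple[bool, str]:
    """Check that an SPN is syntactically registrable. A backslash, as in
    the post's 'myservice\\fqdn', is not valid SPN syntax."""
    if "\\" in spn:
        return False, "backslash separator; SPNs use serviceclass/host"
    m = SPN_RE.match(spn)
    if not m:
        return False, "does not match serviceclass/host[:port][/name]"
    if "." not in m.group(2):
        return True, "short host only; register the FQDN form too"
    return True, "ok"


@dataclass
class NegotiateDiagnosis:
    kerberos_error: Optional[str] = None  # KRB error name from the KDC, if any
    ntlm_fallback: bool = False           # NTLMSSP seen after Kerberos failed
    ntlm_user: Optional[str] = None       # account presented in NTLMSSP_AUTH
    rpc_fault: Optional[str] = None       # DCERPC fault status, if any

    def verdict(self) -> str:
        """Label (my own naming) for what the capture shows."""
        if self.kerberos_error and not self.ntlm_fallback:
            return "kerberos-failed-no-fallback"
        if self.kerberos_error and self.ntlm_fallback and self.rpc_fault:
            # Negotiate did fall back; the server rejected the NTLM-bound call.
            return "ntlm-fallback-then-server-denied"
        if self.kerberos_error and self.ntlm_fallback:
            return "ntlm-fallback-succeeded"
        if self.rpc_fault:
            return "rpc-fault-without-kerberos-error"
        return "no-problem-detected"


KRB_ERR_RE = re.compile(r"KRB Error: (KRB5KDC_ERR_\w+|KRB_AP_ERR_\w+)", re.I)
NTLM_AUTH_RE = re.compile(r"NTLMSSP_AUTH, User: (\S+)", re.I)
FAULT_RE = re.compile(r"DCERPC Fault: .*status: (\w+)", re.I)


def diagnose(capture_text: str) -> NegotiateDiagnosis:
    """Walk the capture summary in order and fill in the diagnosis."""
    d = NegotiateDiagnosis()
    for line in capture_text.splitlines():
        if m := KRB_ERR_RE.search(line):
            d.kerberos_error = m.group(1).upper()
        elif "NTLMSSP_CHALLENGE" in line.upper() and d.kerberos_error:
            d.ntlm_fallback = True
        elif m := NTLM_AUTH_RE.search(line):
            d.ntlm_fallback = d.ntlm_fallback or bool(d.kerberos_error)
            d.ntlm_user = m.group(1)
        elif m := FAULT_RE.search(line):
            d.rpc_fault = m.group(1)
    return d


if __name__ == "__main__":
    for spn in ("myservice\\machine.domain1.com", "myservice/machine.domain1.com", "myservice/machine"):
        print(spn, "->", validate_spn(spn))
    result = diagnose(SAMPLE_CAPTURE)
    print(result)
    print("verdict:", result.verdict())
```

Run against the constructed sample, the verdict is "ntlm-fallback-then-server-denied": the SPN lookup failed at the KDC, the bind completed with NTLMSSP for CLIENTDOMAIN\administrator, and the access denied came from the server on the subsequent call. That separates the SPN registration question (which `validate_spn` and a `setspn -L` listing on the service's computer account address) from the server-side authorization question of why an NTLM-authenticated caller is rejected, which is what a debugger would look at next.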