RPC and Kerberos error


Hi,

I have the following set up:

In domain 1: RPC server (Win32 service), running in the system account. Registered SPN myservice\fqdn (myservice\machine.domain1.com and myservice\machine).

In domain 2: RPC client (desktop application), running in the domain administrator account, using the above SPN to connect to the server. Logged in to the system as domain administrator.

Both domains' machines are Win2k3 Server. The same problem is observed in a Win2k8 R2 domain.

Using RPC_C_AUTHN_GSS_NEGOTIATE on both the RPC server and the client, I found the client is not able to find the server and returns an access denied error. However, if I change the service type to RPC_C_AUTHN_WINNT, the client is able to communicate with the server.

I did a network capture and observed:

No.    Time       Source          Destination     Protocol  Info
75505  75.431571  10.216.125.241  10.216.121.214  KRB5      TGS-REQ
75506  75.432846  10.216.121.214  10.216.125.241  KRB5      KRB Error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
75508  75.433783  10.216.129.188  10.216.125.241  SMB       Write AndX Response, FID: 0x000d, 132 bytes
75509  75.433974  10.216.125.241  10.216.129.188  SMB       Read AndX Request, FID: 0x000d, 1024 bytes at offset 0
75510  75.434398  10.216.129.188  10.216.125.241  DCERPC    Bind_ack: call_id: 2738, NTLMSSP_CHALLENGE accept max_xmit: 4280 max_recv: 4280
75511  75.434792  10.216.125.241  10.216.129.188  DCERPC    AUTH3: call_id: 2738, NTLMSSP_AUTH, User: clientdomain\administrator
75512  75.435255  10.216.129.188  10.216.125.241  SMB       Write AndX Response, FID: 0x000d, 214 bytes
75513  75.435431  10.216.125.241  10.216.129.188  WINREG    OpenHKLM request
75514  75.447385  10.216.129.188  10.216.125.241  DCERPC    Fault: call_id: 2738 ctx_id: 0 status: nca_s_fault_access_denied

 

The Kerberos debug log shows:

[472] 472.568> Kerb-Warn: SpInitLsaModeContext failed for outbound ticket, KerbGetServiceTicket failed with 0xc000018b
[472] 472.568> Kerb-Warn: SPN not found
[472] 472.568> Kerb-Cred: can't go off box w/ non-fwdble logon session & no supp creds.

My questions are:

1) Does Kerberos require a cross-domain trust to work correctly? Cross domain, do I need to supply explicit credentials or some other configuration? How do I verify these configurations? Why is this not required for WINNT?

2) If RPC_C_AUTHN_WINNT works, why not RPC_C_AUTHN_GSS_NEGOTIATE? Why is the fallback to NTLM not working? If the SPN is not found, it should fall back to NTLM and should work like the WINNT service type.

Please help me on this.

Regards..
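The checks a practitioner would run against the three symptoms above (KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN in the TGS reply, "SPN not found" and the non-forwardable logon session in the Kerberos SSP log), collected into one script. This is an added example and not code from the original post; it assumes the names used in the post (server domain domain1.com, host machine, service class myservice) and writes the SPN in the service/host form the KDC matches against, so adjust $Spn to the exact string the RPC client passes in RpcBindingSetAuthInfo. setspn -Q/-X/-T and klist get/tgt need the Windows Server 2008 (or later) versions of setspn.exe and klist.exe; the Server 2003 support-tools setspn only supports -L/-A/-D/-R. Run it on the client machine in domain 2, in the same logon session as the RPC client; it only queries and changes nothing.

```powershell
# Added Kerberos/SPN diagnostic for the cross-domain RPC failure in the post above.
# Assumptions (not from the post): domain1.com is the server's DNS domain, the
# server's machine account is machine$, and the client uses the slash-form SPN.
$ServerDomain = 'domain1.com'
$ServerHost   = 'machine'
$Spn          = "myservice/$ServerHost.$ServerDomain"

Write-Host "== 1. Trust and secure channel (Kerberos needs a referral path to $ServerDomain) =="
# Kerberos across domains works only if the client's KDC can refer the TGS-REQ to a
# trusted realm; a missing or broken trust makes the local KDC answer
# KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN because it has no account for the SPN itself.
nltest /domain_trusts
nltest /sc_query:$env:USERDOMAIN

Write-Host "== 2. Is the SPN registered in $ServerDomain, and on exactly one account? =="
# The service runs as SYSTEM, so the SPN must be on the machine account in domain1.com.
setspn -T $ServerDomain -Q $Spn            # direct lookup in the server's domain
setspn -L "$ServerDomain\$ServerHost`$"    # everything registered on machine$
setspn -X -T $ServerDomain                 # duplicates also make the KDC refuse a ticket

Write-Host "== 3. Can this logon session get a service ticket for $Spn? =="
# 0xC000018B in the SSP log is STATUS_NO_TRUST_SAM_ACCOUNT / principal unknown from the
# KDC's point of view: the KDC that was asked could not map the SPN to any account.
klist purge | Out-Null
klist get $Spn
# The "non-fwdble logon session" warning refers to the TGT flags; a TGT without the
# forwardable flag cannot be used to go "off box" with delegation, but it does not stop
# a plain service-ticket request, so check the flags to rule that out.
klist tgt | Select-String -Pattern 'Ticket Flags|Server|KdcCalled'
klist tickets | Select-String -Pattern 'Server:|Ticket Flags'
```

If step 2 returns no account for the SPN from domain 2 but finds it when queried directly in domain1.com, the problem is referral/trust resolution rather than registration; if step 2 finds it in neither, the SPN is not registered on the account the service runs under. Only once `klist get` returns a ticket is it worth re-testing RPC_C_AUTHN_GSS_NEGOTIATE; with WINNT the client never asks the KDC at all, which is why that path is unaffected by the SPN.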
