Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

DRappaport — Fri, 30 May 2008 10:53:51 GMT

Hi,

again an excellent post that helps me to better understand Kerberos authentication and related problems.

In particular, I like most that you include the network traces so that I can see what really happens on the wire.

Regards,

Dominik

Interesting Links - 6/3/2008

Matt Johnson's Technical Adventures — Wed, 04 Jun 2008 04:39:59 GMT

This week's collection of interesting links! Understanding HTTP Flow with Netmon 3 - Interesting article

Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2

Ask the Directory Services Team — Mon, 09 Jun 2008 20:35:18 GMT

So, we saw in Part 1 what kind of error you could expect when there is no Service Principal Name defined

Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 3

Ask the Directory Services Team — Wed, 11 Jun 2008 21:30:28 GMT

Now we have seen what it looks like when there is no Service Principal Name defined , and when the Service

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

jsmith — Fri, 08 May 2009 21:43:36 GMT

Thanks for making a difficult subject understandable.

How do you set a spn on a domain controller? No matter what I do, ADSIedit or Setspn, in about 15 minutes or a reboot, the DC removes the entries.

We have a CNAME record "ldap" pointing to a domain controller DNS A record. This is because we don't want our many developers explicitly using a domain controller hostname in their code. When I create "ldap/ldap" and "ldap/ldap.mydomain.com", the ldap queries successfully use Kerberos. However, after a few minutes, the DC removes the SPN's and then the queries fall back to NTLM. I thought maybe the "ldap/ldap" or "ldap/ldap.mydomain.com" was special so I simply created a "host/tobeornottobe", rebooted, and the dc removed it. Any suggestions?

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

Rob Greene — Tue, 12 May 2009 01:42:35 GMT

Hey JSmith,

First let me say thank you for the kind remarks from all of us here that write content for AskDS.

So I think I know at some level what might be happening to you.

I think that Netlogon on the domain controller is writing or doing something with the DNSHostName attribute on the domain controller computer account in Active Direcotry.

So I worked this case one time, where the customer thought it would be cool to change the computers DNS suffix based on the AD site that they belonged to which caused what we call a Disjointed name space on for the client machines.

When a computer boots up it checks the DNSHostName attribute on the account. If the name does not reflect the current DNS suffix on the machine it changes it.

Then later in LSASS code on the domain controller it will go through and change the Service Principal Name attributes to match the DNSHostName attribute. Since this is a domain controller it is going to re-write all service names and delete ones that should not be there.

I am currently not sure why we would be writing these values back if the name is not changing. However there is some very specific code in LSASS in regards to domain controllers that you might be seeing this behavior. Another thought that a coworker had is that the KCC might be causing this since it does run every 15 minutes.

Thinking about your problem, you might try to use the optionalNames registry key on the domain controller. I am not positive if this will resolve the issue or not but you might want to give it a try.

891607 The supported method of using the OptionalNames registry entry on a computer that is running Windows 2000 or Windows Server 2003

http://vkbexternal/VKBWebService/ViewContent.aspx?scid=KB;EN-US;891607

Rob Greene

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

Rob Greene — Tue, 12 May 2009 21:09:08 GMT

Hey JSmith,

So I did some testing today. Here is how you should be able to make this work on your domain controller.

Launch ADSIEdit.msc and select the properties of the domain controller. You will want to add the other DNS name to the following attribute on the DC Computer object.

msds-additionalDnsHostName

Hope this helps.

re: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

jsmith — Fri, 29 May 2009 00:01:47 GMT

Rob,

Your suggestion about using msds-additionalDnsHostName solved the problem. Thanks for your expertise and help!