RE: Kerberos authentication
You probably need RPC access to the file server. Do a network sniff and
you'll see there's RPC traffic as well as SMB. You've only catered for the
end-point mapper, not the dynamic ports.
Also, you need to pass Kerberos tickets to the file server. So I would
imagine you need at least 88, unless this all happens over NETLOGON. I'll
have to check and get back to you. Can't you see what's being dropped?
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
RE: Kerberos authentication
Actually, I'm mistaken. I think I was thinking about something else (been
looking at nothing but network traces of the trust creation process for
days). You don't need RPC or Kerberos ports. Which suggests that this issue
is something else. The main culprits, based on a quick search, seem to
suggest SP2 firewall and/or dodgy NIC drivers. Take a look at the following
for some suggestions:
--
http://www.eventid.net/display.asp?e...LsaSrv&phase=1
--
http://www.eventid.net/display.asp?e...LsaSrv&phase=1
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
RE: Kerberos authentication
Originally, that's what I thought. But the issue is occurring on a per-user,
not per-workstation basis. Different users logging on to the same PC give
different results.
One of the articles I cited says that users with too many group memberships
may lead to these symptoms, and that may be the case in this environment.
"Paul Williams [MVP]" wrote:
> Actually, I'm mistaken. I think I was thinking about something else (been
> looking at nothing but network traces of the trust creation process for
> days). You don't need RPC or Kerberos ports. Which suggests that this issue
> is something else. The main culprits, based on a quick search, seem to
> suggest SP2 firewall and/or dodgy NIC drivers. Take a look at the following
> for some suggestions:
>
> --
> http://www.eventid.net/display.asp?e...LsaSrv&phase=1
> --
> http://www.eventid.net/display.asp?e...LsaSrv&phase=1
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
RE: Kerberos authentication
Take a peek at %systemroot%\debug\usermode\userenv.log for some additional
info. You might need to enable verbose logging for the best amount of info.
Also, logon as one of the users and list all the groups in their token
(whoami /groups or gpresult /scope user /v) and respond with the number of
groups.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
RE: Kerberos authentication
42 groups
From userenv.log when the errors were occurring:
USERENV(284.e54) 08:29:00:437 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(284.e54) 08:32:01:703 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(284.e54) 08:34:06:671 MyGetUserName: GetUserNameEx failed with 10065.
USERENV(284.e54) 08:34:07:203 MyGetUserName: GetUserNameEx failed with 1355.
USERENV(284.e54) 08:34:07:203 ProcessGPOs: MyGetUserName failed with 1355.
And I should have mentioned before that ICMP is enabled to both DCs as well.
Re: Kerberos authentication
C:\WINNT\ADAM>net helpmsg 1359
An internal error occurred.
C:\WINNT\ADAM>net helpmsg 1355
The specified domain either does not exist or could not be contacted.
C:\WINNT\ADAM>net helpmsg 10065
A socket operation was attempted to an unreachable host.
Looks like name resolution, but could be something weird with the token
size. Have a look at this, and see if you can test whether or not this is
the case.
-- http://support.microsoft.com/?id=327825
Note. This isn't token bloat, but some stupid default in XP:
Normally, you'd jump on DNS or firewall issues, but as this is working for
some but not all users, we have to consider the MaxTokenSize key.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
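Added here as a worked example, not code from anyone in the thread: a small Python parser for userenv.log lines of the shape posted above. It pulls the process/thread ids, timestamp, calling function and Win32/Winsock error code out of each line, tallies the codes, and attaches the `net helpmsg` text the thread recorded for 1355, 1359 and 10065. The embedded sample is a constructed copy of the five lines posted above; the HELPMSG table holds only the three codes the thread actually resolved, and the Winsock classification relies on the documented 10000-11999 range for WSA error codes.

```python
import re
from collections import Counter

# Error text as printed by `net helpmsg` in the thread above; only the three
# codes the thread looked up are known here.
HELPMSG = {
    1355: "The specified domain either does not exist or could not be contacted.",
    1359: "An internal error occurred.",
    10065: "A socket operation was attempted to an unreachable host.",
}

# Constructed sample, copied from the userenv.log excerpt posted above.
SAMPLE_LOG = """\
USERENV(284.e54) 08:29:00:437 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(284.e54) 08:32:01:703 MyGetUserName: GetUserNameEx failed with 1359.
USERENV(284.e54) 08:34:06:671 MyGetUserName: GetUserNameEx failed with 10065.
USERENV(284.e54) 08:34:07:203 MyGetUserName: GetUserNameEx failed with 1355.
USERENV(284.e54) 08:34:07:203 ProcessGPOs: MyGetUserName failed with 1355.
"""

# USERENV(pid.tid) hh:mm:ss:ms Function: detail [failed with NNN].
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-fA-F]+)\.(?P<tid>[0-9a-fA-F]+)\)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+"
    r"(?P<func>\w+):\s+(?P<detail>.*?)(?:\s+failed with (?P<code>\d+))?\.?\s*$"
)


def error_family(code):
    """Winsock errors live in the 10000-11999 range; everything else here is Win32."""
    return "winsock" if 10000 <= code < 12000 else "win32"


def parse_line(line):
    """Return a dict for one USERENV log line, or None if the line has another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["code"] is not None:
        code = int(rec["code"])
        rec["code"] = code
        rec["family"] = error_family(code)
        rec["help"] = HELPMSG.get(code, "not in table; run: net helpmsg %d" % code)
    else:
        rec["family"] = rec["help"] = None
    return rec


def summarize(text):
    """Parse every line and tally error codes; returns (records, Counter of codes)."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    tally = Counter(r["code"] for r in records if r["code"] is not None)
    return records, tally


if __name__ == "__main__":
    records, tally = summarize(SAMPLE_LOG)
    for code, n in tally.most_common():
        print("%6d x%d  %-8s %s" % (code, n, error_family(code), HELPMSG.get(code, "?")))
    for r in records:
        print(r["time"], r["func"], "->", r["code"], r["help"])
```

Run against a real log, the tally separates the Winsock code (10065, an unreachable host) from the Win32 codes (1355, domain not contacted; 1359, internal error), which is the split the reply above is reasoning about when it weighs name resolution against token size.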
Re: Kerberos authentication
This article says that this situation does not apply to Windows XP/2003 -
only 2000.
"Paul Williams [MVP]" wrote:
> C:\WINNT\ADAM>net helpmsg 1359
>
> An internal error occurred.
>
>
> C:\WINNT\ADAM>net helpmsg 1355
>
> The specified domain either does not exist or could not be contacted.
>
>
> C:\WINNT\ADAM>net helpmsg 10065
>
> A socket operation was attempted to an unreachable host.
>
>
> Looks like name resolution, but could be something weird with the token
> size. Have a look at this, and see if you can test whether or not this is
> the case.
> -- http://support.microsoft.com/?id=327825
>
>
> Note. This isn't token bloat, but some stupid default in XP:
>
>
> Normally, you'd jump on DNS or firewall issues, but as this is working for
> some but not all users, we have to consider the MaxTokenSize key.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>
>
Re: Kerberos authentication
The default value is larger in XP but can still be too small. Try it.
Here's another one:
-- http://support.microsoft.com/?id=263693
Again, earlier versions of 2k are mentioned because their default was even
smaller.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
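Added here as a worked example, not part of the thread or of Microsoft's article: the Kerberos token size estimate that KB 327825 (cited above) documents, TokenSize = 1200 + 40d + 8s, in Python, plus a bracketing helper for the case where only the raw group count from `whoami /groups` is known. The 12000 and 8000 default MaxTokenSize values are my recollection of what that article lists for XP/2003 and for original Windows 2000 and are marked in the code as an assumption to confirm against the KB; the registry location named in the comment is the Kerberos\Parameters key under Lsa where MaxTokenSize is set.

```python
# Figures from KB 327825 (the article cited above). The formula and the two
# per-group byte costs are the ones the article documents; the default
# MaxTokenSize values are quoted from memory of that article and should be
# read as an assumption to confirm against it.
TOKEN_OVERHEAD = 1200                # fixed bytes in every Kerberos access token
BYTES_PER_D_GROUP = 40               # domain local groups, universal groups outside the account
                                     # domain, and SID history entries
BYTES_PER_S_GROUP = 8                # global groups and universal groups in the account domain
DEFAULT_MAX_TOKEN_SIZE_XP = 12000    # XP / 2003 (and 2000 SP2+) default, per the KB (assumption)
DEFAULT_MAX_TOKEN_SIZE_2K = 8000     # original Windows 2000 default, per the KB (assumption)
# MaxTokenSize is a DWORD under this key:
REGISTRY_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"


def estimate_token_size(domain_local, universal_other, sid_history, global_groups, universal_own):
    """TokenSize = 1200 + 40d + 8s, with d and s split as KB 327825 defines them."""
    d = domain_local + universal_other + sid_history
    s = global_groups + universal_own
    return TOKEN_OVERHEAD + BYTES_PER_D_GROUP * d + BYTES_PER_S_GROUP * s


def bounds_from_count(total_groups):
    """When only a total (e.g. from whoami /groups) is known, bracket the size:
    low = every group costs 8 bytes, high = every group costs 40 bytes."""
    return (TOKEN_OVERHEAD + BYTES_PER_S_GROUP * total_groups,
            TOKEN_OVERHEAD + BYTES_PER_D_GROUP * total_groups)


def exceeds(size, max_token_size=DEFAULT_MAX_TOKEN_SIZE_XP):
    """True when the estimated token would not fit in the configured MaxTokenSize."""
    return size > max_token_size


def groups_to_exceed(max_token_size, bytes_per_group=BYTES_PER_D_GROUP):
    """Smallest number of same-cost groups whose token is strictly larger than the limit."""
    return (max_token_size - TOKEN_OVERHEAD) // bytes_per_group + 1


if __name__ == "__main__":
    lo, hi = bounds_from_count(42)   # the count reported earlier in the thread
    print("42 groups -> %d..%d bytes (limit %d): exceeds=%s"
          % (lo, hi, DEFAULT_MAX_TOKEN_SIZE_XP, exceeds(hi)))
    print("d-type groups needed to pass 8000 bytes:", groups_to_exceed(DEFAULT_MAX_TOKEN_SIZE_2K))
    print("d-type groups needed to pass 12000 bytes:", groups_to_exceed(DEFAULT_MAX_TOKEN_SIZE_XP))
```

With the 42 groups reported above, the bracket comes out at 1536 to 2880 bytes, under either default; by this formula it takes 171 d-type groups to pass 8000 bytes and 271 to pass 12000. Since `whoami /groups` also lists well-known and built-in identities that are not domain groups, the upper bound from a raw count is conservative.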