Kerberos realm referral problem

 
 
WesE
      09-30-2008
Hello,

I am troubleshooting what I believe to be a Kerberos realm referral problem.
This is all Win 2003 and XP.

The environment looks like this: resource servers are in the peanut.com
domain, the users are in the cashew.nut domain. Peanut.com is a single domain
forest. Cashew is the child domain of nut. Peanut.com trusts cashew.nut, this
is an external trust. Users in cashew.nut access resources in peanut.com.
There is no DNS forwarding between the domains/forest, all DNS records have
been created manually.

Now the question. When user1, in cashew.nut, requests a ticket for
RPCSS\server1.peanut.com, the ticket request is sent to the KDC/DC in
cashew.nut. I think this shouldn't be a problem since the KDC should respond
with a referral to the KDC/DC in the peanut.com domain. However this doesn't
happen, instead the KDC/DC responds with KDC_ERR_S_PRINCIPAL_UNKNOWN and
that's the end of it, the system proceeds with NTLM authentication. Presumably there
is some DNS misconfiguration somewhere that is causing the referral to fail;
however I have been unable to determine exactly what info the KDC uses in
making the decision to provide a referral. The best description I can find is
here http://tools.ietf.org/html/draft-iet...s-referrals-11

A little guidance on what needs to be in place for the referral to work
would be really appreciated.

Thanks,

-Wes

WesE
      10-03-2008
Joseph,

Thanks for the info, that explains a lot.

-Wes

"Joseph Corey" wrote:

> Wes,
>
> You don't have a Kerberos referral problem. External trusts don't use
> Kerberos. What you're seeing is the client going to the DC to check for any
> SPNs that might be configured for RPCSS\server1.peanut.com. When nothing is
> found, you get a KDC_ERR_S_PRINCIPAL_UNKNOWN back.
>
> The only way to use Kerberos across a trust is with a Forest trust or an MIT
> Realm trust.
>
> --
> Joseph T. Corey MCSE, MCITP-EA
> Windows Systems Administrator

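The check Joseph describes (trust type first, then whether the SPN is registered anywhere the user's KDC can see) can be scripted. The snippet below is an added diagnostic, not code from the thread or either poster; it assumes PowerShell 2.0 or later on a machine joined to the user domain (cashew.nut), uses only the .NET System.DirectoryServices API (no RSAT module needed), and takes the SPN and target domain from the thread as parameters. The thread writes the SPN as RPCSS\server1.peanut.com; LDAP stores SPNs as class/host, so the forward-slash form is used here.

```powershell
# Added diagnostic (not from the thread). Assumptions: run as a cashew.nut user,
# PowerShell 2.0+, .NET 2.0+; $Spn and $TargetDomain are the thread's values.
param(
    [string]$Spn          = 'RPCSS/server1.peanut.com',
    [string]$TargetDomain = 'peanut.com'
)

# 1. What kind of trust links my domain to the resource domain?
$myDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$trust = $myDomain.GetAllTrustRelationships() |
    Where-Object { $_.TargetName -ieq $TargetDomain }

if (-not $trust) {
    Write-Warning "No trust from $($myDomain.Name) to $TargetDomain found."
    return
}
"Trust $($trust.SourceName) -> $($trust.TargetName): type=$($trust.TrustType), direction=$($trust.TrustDirection)"

# 2. Is the SPN registered where my KDC looks: my domain, then my forest's GC?
function Find-Spn([string]$root, [string]$spn) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($root)
    $searcher.Filter = "(servicePrincipalName=$spn)"
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $r = $searcher.FindOne()
    if ($r) { $r.Properties['distinguishedname'][0] } else { $null }
}

$inDomain = Find-Spn "LDAP://$($myDomain.Name)" $Spn
$inForest = Find-Spn "GC://$($myDomain.Forest.Name)" $Spn
"SPN in my domain : $(if ($inDomain) { $inDomain } else { 'not found' })"
"SPN in my forest : $(if ($inForest) { $inForest } else { 'not found' })"

# 3. Verdict, per the thread: only Forest and MIT realm (Kerberos) trusts carry Kerberos.
switch ($trust.TrustType) {
    'Forest'   { "Forest trust: the KDC can refer to $TargetDomain; if the SPN is missing there, expect KDC_ERR_S_PRINCIPAL_UNKNOWN." }
    'Kerberos' { "Realm trust: a Kerberos referral is possible; check the realm mapping (ksetup) and the SPN on the target." }
    default    { "$($_) trust: no Kerberos referral. KDC_ERR_S_PRINCIPAL_UNKNOWN followed by NTLM is the expected path." }
}
```

With the thread's External trust the script reports the SPN as not found in cashew.nut and prints the default verdict, which matches the NTLM fallback Wes observed.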