Environment:
- Terminal Server
  - Windows 2008 x64 Server Standard
  - Kerberos Token Size set to maximum
- Profile and Folder Redirection hosts
  - Windows 2003 x64 Server Standard
  - Kerberos Token Size set to maximum

Issue:
When our users log on to our Terminal Servers using Kerberos, they receive a
temporary profile and none of the Folder Redirection policies are applied.
The event log reports both failing with "Logon failure: unknown
user name or bad password." However, the user is successfully logged onto
the server using Kerberos. The server hosting the profiles also reports
"unknown user name or bad password" in the security log and the
authentication package as NTLM. The users can navigate to the network
locations of their roaming profiles and redirected folders just fine without
any errors.

If the users log on to our Terminal Servers using NTLM, their roaming profile
is loaded and folder redirection policies are applied successfully.

Kerberos is the required authentication method for logging into our Terminal
Servers. We are using Citrix Web Interface, and single sign-on leverages
Kerberos.

Initial Troubleshooting:
I turned on Kerberos logging on the Terminal Server. When the user logs into
the Terminal Server using Kerberos, the logon process attempts to load their
profile and redirect their profiles using Kerberos. This is failing because
we don't have SPNs registered for these resources. I'm guessing the logon
process then attempts NTLM and that is failing because they didn't log in with
NTLM.

Is there any way to get the fallback to NTLM to function? If not, how does
one go about registering SPNs for file shares that are cluster resources
(virtual IPs and computer names that aren't registered in Active Directory)?
In addition, how does one go about registering SPNs for DFS roots?

Any/all help is appreciated.

Thanks.