I have been looking at several threads in this forum and many others, but I am clueless on how to proceed with my problem. I have a Windows 2003 Native domain with two DCs. On my Default Domain Controller policy I have disabled "Microsoft network server: Digitally sign communications (always)", but I do have "Microsoft network server: Digitally sign communications (if client agrees)" enabled. I also have "Network security: LAN Manager authentication level: Send LM & NTLM - use NTLMv2 session security if negotiated" enabled. This is because I have Windows 98 clients and DOS 6.2 clients on my network. Now on my Default Domain policy I have enabled "Send NTLMv2 response only\refuse LM & NTLM" and "Digitally sign communications (always)". This is just for NTLM and SMB signing, I know that! For Windows 2K and above the default authentication package is Kerberos. Basically my problem is that I am seeing Windows XP, Windows 2000, and Windows 2003 servers authenticating via NTLM and not Kerberos. I have done some Network Monitoring and Kerberos logging, and I get the following Kerberos error:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 2/27/2007
Time: 3:35:16 PM
User: N/A
Computer: %Computer Name%
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 23:35:16.0000 2/27/2007 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: SCOPE.LOCAL
Server Name: host/%server%
Target Name: host/%server%
Error Text:
File: 9
Line: ae0
Error Data is in record data.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 30 15 a1 03 02 01 03 a2 0.¡....¢
0008: 0e 04 0c bb 00 00 c0 00 ...»..À.
0010: 00 00 00 03 00 00 00 .......
I get this error on both domain controllers. So I am thinking that I have a Kerberos problem that is causing some of the members in the domain to authenticate via NTLM. I do not see any Kerberos traffic in Network Monitor. When a client reboots, the last thing I see before several SMB packets is the LDAP request from the client looking for the Netlogon service. I thought the problem could be the time service in my domain, so I verified that I am not receiving time errors during these authentication times. I also have a login script to set the time with the PDC Emulator. Like I said, it happens to some clients and member servers. This is what I see on both domain controllers:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: %user%
Source Workstation: %Computer Name%
Error Code: 0x0
On one domain controller that also doubles as a file server I see these:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 2/28/2007
Time: 10:17:55 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC1
Description:
Successful Network Logon:
User Name:
Domain:
Logon ID: (0x0,0x37E6B2E)
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: %Computer Name%
Logon GUID: -
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: %IP Address%
Source Port: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Both DCs are W2K3 with SP1. I ran Kerbtray on the DCs and on some of these clients that authenticate with NTLM, and they are getting STs and TGTs. What can the problem be, and how do I make my W2K and above clients authenticate only via Kerberos? The Kerberos GPO settings for the Default Domain policy are the following:
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 720 minutes
Maximum lifetime for user ticket 12 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes
For the Default Domain Controller policy, it is the following:
Maximum tolerance for computer clock synchronization 5 minutes
Dennis
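To relate the "Data:" bytes in the Event ID 3 record above to its "Extended Error: 0xc00000bb" line, here is an added decoder (my example, not Dennis's post or any Microsoft tool) that follows the KERB-ERROR-DATA / KERB-EXT-ERROR layout documented in MS-KILE. The hex-dump parsing assumes the Event Viewer "offset: hex bytes ascii" column format shown in the post, and the single NTSTATUS name in the lookup table is supplied by me.

```python
import struct

# Hex dump copied from the "Data:" section of the Event ID 3 record in the post.
EVENT_DATA_DUMP = """
0000: 30 15 a1 03 02 01 03 a2 0.¡....¢
0008: 0e 04 0c bb 00 00 c0 00 ...»..À.
0010: 00 00 00 03 00 00 00 .......
"""

KERB_ERR_TYPE_EXTENDED = 3          # data-type meaning a KERB-EXT-ERROR follows (MS-KILE)
NTSTATUS_NAMES = {0xC00000BB: "STATUS_NOT_SUPPORTED"}  # lookup table supplied by me

def dump_to_bytes(dump: str) -> bytes:
    """Turn Event Viewer 'offset: hex... ascii' lines back into raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        body = line.split(":", 1)[1].strip()
        for tok in body.split():            # hex pairs run until the ASCII column starts
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                out.append(int(tok, 16))
            else:
                break
    return bytes(out)

def der_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value; supports short- and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_kerb_error_data(raw: bytes) -> dict:
    """KERB-ERROR-DATA ::= SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING }.
    For data-type 3 the OCTET STRING is a little-endian KERB-EXT-ERROR {status, reserved, flags}."""
    tag, seq, _ = der_tlv(raw, 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag, dt_wrap, pos = der_tlv(seq, 0)
    assert tag == 0xA1, "expected [1] data-type"
    data_type = int.from_bytes(der_tlv(dt_wrap, 0)[1], "big", signed=True)
    result = {"data_type": data_type}
    if pos < len(seq):
        tag, dv_wrap, _ = der_tlv(seq, pos)
        assert tag == 0xA2, "expected [2] data-value"
        blob = der_tlv(dv_wrap, 0)[1]
        if data_type == KERB_ERR_TYPE_EXTENDED and len(blob) == 12:
            status, reserved, flags = struct.unpack("<III", blob)
            result.update(status=status, reserved=reserved, flags=flags,
                          status_name=NTSTATUS_NAMES.get(status, "unknown"))
    return result

if __name__ == "__main__":
    info = decode_kerb_error_data(dump_to_bytes(EVENT_DATA_DUMP))
    print(f"data-type={info['data_type']} status=0x{info['status']:08X} "
          f"({info['status_name']}) flags={info['flags']}")
```

The decoded status matches the "Extended Error" field of the event, which confirms the record data is just the DER-encoded e-data from the KRB-ERROR the client received.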