kerberos logon to IP address

Posted: 01-19-2009, 09:55 PM
hello,

As I investigated the Kerberos implementation in Vista, Vista is NOT willing
to use Kerberos against an IP address. I was not able to make Vista use
Kerberos against an IP address, not even by creating an SPN for the IP address.

Although Windows XP actually tries to generate a ticket even for IP addresses,
and if an appropriate SPN is available, it receives the ticket, Vista
doesn't seem to do it under any circumstances, right?

Vista just doesn't ask for a ticket for an IP address at all. Can this be
changed somehow?

many thanks.

ondra.

Responses to "kerberos logon to IP address"

Peter Foldes
Guest
Posts: n/a
 
Re: kerberos logon to IP address
Posted: 01-20-2009, 02:32 AM
Which version of Vista? I think only the Enterprise version will accept the Kerberos
ticket. This is a no-brainer for W2K3 Server SP2 and R2.

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Ondrej Sevecek" <ondass@community.nospam> wrote in message
news:%23ZspnCoeJHA.3864@TK2MSFTNGP05.phx.gbl...
> hello,
>
> As I investigated the Kerberos implementation in Vista, Vista is NOT willing to
> use Kerberos against an IP address. I was not able to make Vista use Kerberos
> against an IP address, not even by creating an SPN for the IP address.
>
> Although Windows XP actually tries to generate a ticket even for IP addresses, and
> if an appropriate SPN is available, it receives the ticket, Vista doesn't seem to
> do it under any circumstances, right?
>
> Vista just doesn't ask for a ticket for an IP address at all. Can this be changed
> somehow?
>
> many thanks.
>
> ondra.
>
Mervyn Zhang [MSFT]
Guest
Posts: n/a
 
RE: kerberos logon to IP address
Posted: 01-20-2009, 04:31 AM
Hi,

Thank you for posting.

According to your description, I understand that:

Vista would not use Kerberos against an IP address even if you have created
an SPN for the IP address.

If I have misunderstood the problem, please don't hesitate to let me know.

I would like to explain that service principal names (SPNs) are unique
identifiers for services running on servers. Every service that uses
Kerberos authentication needs to have an SPN set for it so that clients can
identify the service on the network. Could you let us know how you
created the SPN for the IP address?

Also, what do you mean by "Vista is NOT willing to use Kerberos against an
IP address"?

There are some Kerberos Enhancements in Vista but these enhancements should
not affect the work of Kerberos. For more information about those changes,
please refer to the article below:

Kerberos Enhancements
http://technet.microsoft.com/en-us/l.../cc749438.aspx

Could you let us know where you found that Windows XP tries to generate a
ticket for an IP address? Did you use the tool "Klist"? If there is any log or
report, it's very helpful. A screenshot is better for troubleshooting.

You can send log file or screenshot to tfwst@microsoft.com. Or please use
Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file
and then give me the download address.

Sincerely,
Mervyn Zhang
Microsoft Online Community Support

==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Ondrej Sevecek
Guest
Posts: n/a
 
Re: kerberos logon to IP address
Posted: 01-21-2009, 10:06 AM

Vista Ultimate SP1 English, clean installation with SP1, AD 2008 level, 2003
forest level, single domain

correctly WORKING test:

a) have server SRV1.domain.local, IP address 10.10.0.11
b) create DNS A record intranet.domain.local, IP address 10.10.0.11
c) add site "intranet.domain.local" to the Local Intranet sites (IEESC
turned off)
d) purge Kerberos ticket cache
e) restart IE
f) try IE to http://intranet.domain.local (exactly this, not using the short
form)
g) only TGT received, but both TGT and TGS were requested as was seen in
Wireshark - this is still correct because no SPN had been created yet. So we are
going to create the SPN and enable Kerberos for the alias.
h) create SPN http/intranet.domain.local
i) purge Kerberos ticket cache
j) restart IE
k) try IE to http://intranet.domain.local (exactly this, not using the short
form)
l) both TGT and TGS were received successfully

the same procedure works the same way even for SMB/CIFS access (certainly,
DisableStrictNameChecking must have been set to 1)

but when I try to access http://10.10.0.11 or \\10.10.0.11 (Local Intranet
site address, the caches purged, SPN created etc.)
the Vista client does not even ask for a TGT - once again as observed using
Wireshark
the client doesn't try Kerberos at all, it uses NTLM as the first method
without trying Kerberos first

With the Windows XP client on the other hand, both forms -
intranet.domain.local and also 10.10.0.11 - work the same, and if the SPN is in
place, in both cases XP asks for and receives the tickets.

ondra.



"Mervyn Zhang [MSFT]" <v-mervzh@online.microsoft.com> wrote in message
news:LBahzfreJHA.8120@TK2MSFTNGHUB02.phx.gbl...
> Hi,
>
> Thank you for posting.
>
> According to your description, I understand that:
>
> Vista would not use Kerberos against an IP address even if you have
> created
> SPN for the IP address.
>
> If I have misunderstood the problem, please don't hesitate to let me know.
>
> I would like to explain that service principal names (SPNs) are unique
> identifiers for services running on servers. Every service that uses
> Kerberos authentication needs to have an SPN set for it so that clients
> can
> identify the service on the network. Could you let us know how you
> created the SPN for the IP address?
>
> Also, what do you mean by "Vista is NOT willing to use Kerberos against
> an
> IP address"?
>
> There are some Kerberos Enhancements in Vista but these enhancements
> should
> not affect the work of Kerberos. For more information about those changes,
> please refer to the article below:
>
> Kerberos Enhancements
> http://technet.microsoft.com/en-us/l.../cc749438.aspx
>
> Could you let us know where you found that Windows XP tries to generate a
> ticket for an IP address? Did you use the tool "Klist"? If there is any log or
> report, it's very helpful. A screenshot is better for troubleshooting.
>
> You can send log file or screenshot to tfwst@microsoft.com. Or please use
> Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file
> and then give me the download address.
>
> Sincerely,
> Mervyn Zhang
> Microsoft Online Community Support
>
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
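The client decision the test above observes in Wireshark (a DNS name yields an SPN and a TGS-REQ, an IP literal yields no SPN and an immediate NTLM attempt), modelled as an added Python example that is not from the thread. The SPN set is a constructed stand-in for what `setspn -L` would list in the lab domain, and the HOST/ fallback assumes the default AD sPNMappings.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the SPNs registered in the thread's lab domain
# (what `setspn -L` would list); an assumption, not data from the thread.
REGISTERED_SPNS = {
    "HTTP/intranet.domain.local",   # created in step h) of the test
    "HOST/SRV1.domain.local",       # default SPNs of the server itself
    "cifs/SRV1.domain.local",
}

def target_host(resource):
    """Return (service class, host part) for an http(s) URL or a UNC path."""
    if resource.startswith("\\\\"):                 # \\host\share
        return "cifs", resource[2:].split("\\", 1)[0]
    parts = urlsplit(resource)
    if parts.scheme in ("http", "https") and parts.hostname:
        return "HTTP", parts.hostname               # brackets stripped for IPv6
    raise ValueError("unsupported resource: " + resource)

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def predict_auth(resource, registered=REGISTERED_SPNS):
    """Predict the client behaviour the thread observed on the wire."""
    svc, host = target_host(resource)
    if is_ip_literal(host):
        # No DNS name, so the client builds no SPN and never asks the KDC.
        return {"spn": None, "kerberos_attempted": False, "method": "NTLM"}
    spn = svc + "/" + host
    known = {s.lower() for s in registered}
    # HOST/ covers HTTP and cifs under the default AD sPNMappings (assumption
    # that the domain keeps the default mapping); SPN matching is case-insensitive.
    if spn.lower() in known or ("host/" + host).lower() in known:
        return {"spn": spn, "kerberos_attempted": True, "method": "Kerberos"}
    # TGS-REQ is sent but fails (step g of the test): client falls back to NTLM.
    return {"spn": spn, "kerberos_attempted": True, "method": "NTLM"}
```

Running the lab's own names through it reproduces the table the poster built: the alias works once its SPN exists, SRV1 works via HOST/, and the raw IP never leaves NTLM.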
Ondrej Sevecek
Guest
Posts: n/a
 
Re: kerberos logon to IP address
Posted: 01-24-2009, 10:14 AM

I am sorry to be this impolite, but would you be able to help me with this
issue?

The question can be shortened to something simple like this:

"Vista will never use Kerberos for servers (at least http, smb/cifs) whose
name is specified by an IP address, is that right?"
"And if it would use Kerberos, how could one make Vista use it apart from
creating the SPN and making it a member of the Local Intranet zone?"

many thanks and apologies for the rudeness.

ondra.


"Mervyn Zhang [MSFT]" <v-mervzh@online.microsoft.com> wrote in message
news:LBahzfreJHA.8120@TK2MSFTNGHUB02.phx.gbl...
> Hi,
>
> Thank you for posting.
>
> According to your description, I understand that:
>
> Vista would not use Kerberos against an IP address even if you have
> created
> SPN for the IP address.
>
> If I have misunderstood the problem, please don't hesitate to let me know.
>
> I would like to explain that service principal names (SPNs) are unique
> identifiers for services running on servers. Every service that uses
> Kerberos authentication needs to have an SPN set for it so that clients
> can
> identify the service on the network. Could you let us know how you
> created the SPN for the IP address?
>
> Also, what do you mean by "Vista is NOT willing to use Kerberos against
> an
> IP address"?
>
> There are some Kerberos Enhancements in Vista but these enhancements
> should
> not affect the work of Kerberos. For more information about those changes,
> please refer to the article below:
>
> Kerberos Enhancements
> http://technet.microsoft.com/en-us/l.../cc749438.aspx
>
> Could you let us know where you found that Windows XP tries to generate a
> ticket for an IP address? Did you use the tool "Klist"? If there is any log or
> report, it's very helpful. A screenshot is better for troubleshooting.
>
> You can send log file or screenshot to tfwst@microsoft.com. Or please use
> Windows Live SkyDrive (http://www.skydrive.live.com/) to upload the file
> and then give me the download address.
>
> Sincerely,
> Mervyn Zhang
> Microsoft Online Community Support
>
> ==================================================
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>