Kerberos Policies

  • Kerberos Policies

    It seems that Kerberos policies are not working properly on my domain controller.

    We have the default 5 minutes tolerance level for the time difference between DC and client, but machines can easily log in to the DC even if they have a discrepancy of more than 8-10 hours.

    Kindly help sorting out this issue,

    I have already tried reapplying the policy.

  • #2
    Re: Kerberos Policies

    Are you talking about client computer with clock skew of 8-10 hours?
    Could it be that the clients are just in a different time zone?
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      Re: Kerberos Policies

      I guess you should review your Default Domain Policy.
      Make sure that all the settings are enabled with proper values.

      Run gpresult /v >output.txt and review the registry settings under
      System\CurrentControlSet\Control\Lsa\Kerberos\Parameters



      • #4
        Re: Kerberos Policies

        Hi,

        I have checked:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters

        But there is nothing under this key. Does that mean the Kerberos settings are corrupted?

        I have also run RSoP and checked, and the Kerberos settings are not shown there. Now what should my next action be? I have tried reapplying the policy but it did not work.



        • #5
          Re: Kerberos Policies

          No, this does not mean that Kerberos settings are corrupted. Just means that you are using defaults.
          Btw, you did not answer my question about time zone. Is there any chance that the clock differences you see are because the client and the DC are in different time zones?
          Guy Teverovsky
          "Smith & Wesson - the original point and click interface"
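          The two checks discussed in #3 and #5 (look under the Kerberos\Parameters key, and treat an empty key as "defaults in use" rather than corruption) can be scripted. The following PowerShell is an added example, not something posted in this thread: it reports the effective MaxClockSkew for the local machine (falling back to the documented default of 5 minutes when the value is absent) and then measures the clock offset against a domain controller with w32tm. The DC name is a placeholder, and the regex assumes the usual `HH:MM:SS, +00.0000000s` line format of `w32tm /stripchart /dataonly`.

```powershell
# Added example (not from the thread): show the effective Kerberos clock-skew
# tolerance on this host and compare it with the measured offset to a DC.
# Assumptions: run as an administrator on a domain-joined Windows machine,
# w32tm.exe present, and $DomainController replaced with a real DC name.

$DomainController = 'DC01.example.local'   # placeholder, not from the thread

$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# An empty or missing key is not corruption: Kerberos uses its built-in
# defaults, and the documented default for MaxClockSkew is 5 minutes.
$maxSkewMinutes = 5
if (Test-Path $kerbKey) {
    $props = Get-ItemProperty -Path $kerbKey
    if ($null -ne $props.MaxClockSkew) {
        $maxSkewMinutes = [int]$props.MaxClockSkew
        Write-Host "MaxClockSkew is set explicitly: $maxSkewMinutes minute(s)"
    } else {
        Write-Host "MaxClockSkew not set; default of $maxSkewMinutes minutes applies"
    }
} else {
    Write-Host "Kerberos\Parameters key absent; default of $maxSkewMinutes minutes applies"
}

# Measure the offset to the DC. /dataonly prints lines such as
# "18:42:00, +00.0012345s"; the regex pulls the signed seconds value.
$raw = & w32tm.exe /stripchart /computer:$DomainController /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $raw) {
    if ("$line" -match '([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "Could not parse an offset from w32tm output:`n$($raw -join "`n")"
    return
}

$offsetSeconds = [math]::Abs(($offsets | Measure-Object -Average).Average)
$limitSeconds  = $maxSkewMinutes * 60

"Offset from {0}: {1:N3} s (Kerberos tolerance {2} s)" -f $DomainController, $offsetSeconds, $limitSeconds
if ($offsetSeconds -gt $limitSeconds) {
    Write-Warning "Clock skew exceeds the Kerberos tolerance: Kerberos ticket requests from this host will be rejected for skew"
} else {
    Write-Host "Clock skew is within the Kerberos tolerance"
}
```

          Run it on one of the clients that is reported as logging on despite a large time difference; if the offset really is hours and the script still reports a successful domain logon elsewhere, the logon is not coming through Kerberos, which is the direction the later replies in this thread take.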



          • #6
            Re: Kerberos Policies

            Originally posted by guyt:
            No, this does not mean that Kerberos settings are corrupted. Just means that you are using defaults.
            Btw, you did not answer my question about time zone. Is there any chance that the clock differences you see are because the client and the DC are in different time zones?

            No friend, all client machines are in the same time zone (GMT). To be more precise, I first ran Group Policy Modeling for the same user on the same computer that is used for RSoP. In the GP Modeling results it is showing Kerberos policies, but again on RSoP (same user and machine) it does not show Kerberos entries.

            I caught this issue when there were several calls that client machines are not in sync with the domain controller.

            Why they are not getting synced is another issue, please help on this too.



            • #7
              Re: Kerberos Policies

              Originally posted by Yogesh:
              No friend, all client machines are in the same time zone (GMT). To be more precise, I first ran Group Policy Modeling for the same user on the same computer that is used for RSoP. In the GP Modeling results it is showing Kerberos policies, but again on RSoP (same user and machine) it does not show Kerberos entries.

              I caught this issue when there were several calls that client machines are not in sync with the domain controller.

              Why they are not getting synced is another issue, please help on this too.

              One good news: the time sync issue has been resolved now. The issue was with the XP image and not with the time servers. By default the w32time service on XP should contact the NTP server for time sync, which was not happening, but now it is resolved.

              BUT WHY DO DOMAIN CONTROLLERS ALLOW XP MACHINES TO LOG IN EVEN IF THERE IS A TIME DIFFERENCE OF MORE THAN 5 MINS? WE HAVE THE KERBEROS POLICY SET FOR 5 MINS.



              • #8
                Re: Kerberos Policies

                Have you disabled NTLM authentication?
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"



                • #9
                  Re: Kerberos Policies

                  Originally posted by Dumber:
                  Have you disabled NTLM authentication?

                  Hi Friend,

                  That seems to be the real catch... great...

                  In the Domain Controller Security Policy it is defined, BUT not in the Domain Security Policy.

                  Should I enable it? And what's the implication? If you have any good docs or links for NTLM, please post them.

                  Thanks & Regards
                  Yogesh Malhotra



                  • #10
                    Re: Kerberos Policies

                    I believe for Windows 2000 Kerberos is used as the preferred authentication mechanism. However, when Kerberos is unavailable, Windows will fall back on NTLM. The advantage of this is that users can always log on to the domain.

                    The drawback of NTLM is that it's less secure than Kerberos.

                    NTLM is used by some older clients. 9x clients can give you some headaches, and I believe NT4 clients/servers with SP4 support NTLMv2.
                    It can have implications, so read the following documentation carefully.

                    http://technet.microsoft.com/windows...s/default.mspx
                    http://technet.microsoft.com/en-us/l.../bb742516.aspx
                    http://support.microsoft.com/kb/232179
                    http://support.microsoft.com/kb/322979
                    http://technet.microsoft.com/en-us/l.../cc728430.aspx
                    http://technet.microsoft.com/en-us/l.../cc772815.aspx
                    Last edited by Dumber; 12th August 2008, 18:42.
                    Marcel
                    Technical Consultant
                    Netherlands
                    http://www.phetios.com
                    http://blog.nessus.nl

                    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                    "No matter how secure, there is always the human factor."

                    "Enjoy life today, tomorrow may never come."
                    "If you're going through hell, keep going. ~Winston Churchill"
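                    The fallback described in #8 and #10 is exactly why a client with a badly skewed clock still "logs in": the Kerberos exchange fails and the logon completes over NTLM, which has no clock-skew check. A defender wants that fallback to be visible rather than silent. The PowerShell below is an added example, not code from this thread: it reads successful logon events (ID 4624) from a domain controller's Security log, parses the event XML for the named fields, and summarises which workstations authenticated with NTLM rather than Kerberos. It assumes a DC running Windows Server 2008 or later with PowerShell 2.0+ (Get-WinEvent and event ID 4624 do not exist on the 2003-era DCs in this thread, which log IDs 528/540 instead) and that logon auditing is enabled.

```powershell
# Added example (not from the thread): summarise successful DC logons by
# authentication package so NTLM fallback stands out.
# Assumptions: run elevated on a DC with Get-WinEvent available (Server 2008+),
# audit logon success enabled; event ID 4624 = "An account was successfully logged on".

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Parse the event XML and pick fields by name instead of positional index
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Workstation = $d['WorkstationName']
        Source      = $d['IpAddress']
        LogonType   = $d['LogonType']                 # 2 interactive, 3 network, 10 RDP ...
        Package     = $d['AuthenticationPackageName'] # Kerberos, NTLM, Negotiate
        LmPackage   = $d['LmPackageName']             # NTLM V1 / NTLM V2 when Package is NTLM
    }
}

# Drop computer accounts (names ending in $) and the usual local noise
$rows = $rows | Where-Object {
    $_.User -notmatch '\$$' -and $_.User -notmatch 'ANONYMOUS LOGON$|\\SYSTEM$'
}

"Logons since $since by authentication package:"
$rows | Group-Object Package | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Workstations whose users came in over NTLM: candidates for clock skew,
# missing SPNs, or clients that cannot reach the KDC at all.
"Workstations that authenticated with NTLM:"
$rows | Where-Object { $_.Package -eq 'NTLM' } |
    Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object @{ n = 'Workstation'; e = { $_.Name } },
                  Count,
                  @{ n = 'LmPackages'; e = { ($_.Group | ForEach-Object { $_.LmPackage } | Sort-Object -Unique) -join ', ' } },
                  @{ n = 'Users';      e = { ($_.Group | ForEach-Object { $_.User }      | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

                    Pair this with the DC's Kerberos pre-authentication failures (event ID 4771) for the same workstation names: a skewed client shows up there with failure code 0x25 (KRB_AP_ERR_SKEW) immediately before its NTLM logon, which confirms the sequence the thread is asking about. Once the clocks are fixed, the NTLM column for those hosts should empty out; anything left is a separate configuration problem worth chasing before considering any NTLM restriction policy.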



                    • #11
                      Re: Kerberos Policies

                      Sorry I am writing in this topic after a long period of time, but I still have questions in mind.

                      If NTLM is only used as an alternative to Kerberos, then how is it related to time sync when Kerberos is already available for authentication?

                      Regards
                      Yogesh

                      Originally posted by Dumber:
                      I believe for Windows 2000 Kerberos is used as the preferred authentication mechanism. However, when Kerberos is unavailable, Windows will fall back on NTLM. The advantage of this is that users can always log on to the domain.

                      The drawback of NTLM is that it's less secure than Kerberos.

                      NTLM is used by some older clients. 9x clients can give you some headaches, and I believe NT4 clients/servers with SP4 support NTLMv2.
                      It can have implications, so read the following documentation carefully.

                      http://technet.microsoft.com/windows...s/default.mspx
                      http://technet.microsoft.com/en-us/l.../bb742516.aspx
                      http://support.microsoft.com/kb/232179
                      http://support.microsoft.com/kb/322979
                      http://technet.microsoft.com/en-us/l.../cc728430.aspx
                      http://technet.microsoft.com/en-us/l.../cc772815.aspx
