
Parent/Child Authentication Issue


  • Parent/Child Authentication Issue

    So I've tried doing some searching but have been unable to come up with a definite answer to why this is happening.

    We have a parent and child domain, as my title states, that seems to have lost the ability to authenticate from the child domain to the parent domain.

    If I'm logged into the parent domain on server ParentDC1, for sake of argument whitesnake.int, and try to go to the netlogon folder of the server ChildDC1 on trouble.whitesnake.int all is dandy.

    However, if I am logged into any machine (logged in as a domain admin btw), even ChildDC1, and try to get to the netlogon folder on the ParentDC1 server it asks for my credentials. Once I put the creds in I'm fine.

    I've already reset the trust relationship with the domains, twice, and to no avail. I'm thinking it's a DNS issue but I'm not sure. I don't see any replication errors. On my GFI server I do see a connection authentication error with the parent domain servers.

    Any help would be appreciated. A little backstory too: I came along to this configuration, I didn't create it, and have been trying to get it stable for a bit now. We did have 2000 domain controllers but they are gone. I've upgraded the forest and domain to 2003 native as well. I've cleaned up DNS and the AD database as best as I could from lingering entries of past wrongs. But perhaps I've missed something.
    Last edited by stamandster; 27th January 2009, 15:10.
    GoogleFu is strong with this one ^

  • #2
    Re: Parent/Child Authentication Issue

    post a wireshark capture



    • #3
      Re: Parent/Child Authentication Issue

      Thanks, from which side? Parent or child?
      GoogleFu is strong with this one ^



      • #4
        Re: Parent/Child Authentication Issue

        Hi,

        Have you run anything to test? DCDiag etc?

        http://technet.microsoft.com/en-us/l.../cc756944.aspx
        cheers
        Andy

        Please read this before you post:


        Quis custodiet ipsos custodes?



        • #5
          Re: Parent/Child Authentication Issue

          Yeah they all seem fine.

          I have found something interesting. I can connect via IP without having to enter my credentials and it authenticates automatically, but I cannot connect via the host name.

          If I nslookup the ip addresses and host names they come back fine.
          GoogleFu is strong with this one ^



          • #6
            Re: Parent/Child Authentication Issue

            How about the wireshark using those details maybe?
            cheers
            Andy

            Please read this before you post:


            Quis custodiet ipsos custodes?



            • #7
              Re: Parent/Child Authentication Issue

              I'll do a WS capture soon.
              GoogleFu is strong with this one ^



              • #8
                Re: Parent/Child Authentication Issue

                Originally posted by stamandster
                Yeah they all seem fine.

                I have found something interesting. I can connect via IP without having to enter my credentials and it authenticates automatically, but I cannot connect via the host name.

                If I nslookup the ip addresses and host names they come back fine.
                Then it's most likely a Kerberos issue. Take the capture on the client.



                • #9
                  Re: Parent/Child Authentication Issue

                  10-4! Running it shortly. Is there any specific setting I need within WS?
                  GoogleFu is strong with this one ^



                  • #10
                    Re: Parent/Child Authentication Issue

                    not really just do a

                    klist purge, ipconfig /flushdns, start the capture then try to authenticate



                    • #11
                      Re: Parent/Child Authentication Issue

                      I did that and tried to connect

                      After querying for the name, it finds the IP of the server, it pings it fine... Then it starts a session to negotiate a protocol. I get good TGS-REQ and TGS-REP

                      I received a couple different things...

                      DNS - Standard query for SRV _kerberos._tcp.Highstreet._sites.dc._msdcs.PBCorp.int
                      DNS - Standard Query response, No such name
                      DNS - query SRV _kerberos._tcp.dc._msdcs.PBCorp.Int
                      DNS - Standard query response, No such name

                      KRB5 - KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG

                      I guess something isn't set up correctly in the HighStreet site.
                      Last edited by stamandster; 28th January 2009, 19:21.
                      GoogleFu is strong with this one ^
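
The two symptoms reported in post #11, failed DC-locator SRV lookups and a Kerberos error, can be pulled out of a capture summary mechanically. This is an added example, not code from the thread: `triage` and the sample lines are constructed here, modeled on the lines quoted in that post.

```python
import re

# Constructed capture summary, modeled on the lines quoted in post #11.
SAMPLE = """\
DNS   Standard query for SRV _kerberos._tcp.Highstreet._sites.dc._msdcs.PBCorp.int
DNS   Standard query response, No such name
DNS   query SRV _kerberos._tcp.dc._msdcs.PBCorp.Int
DNS   Standard query response, No such name
KRB5  TGS-REQ
KRB5  KRB Error: KRB5KRB_ERR_RESPONSE_TOO_BIG
""".splitlines()

SRV_QUERY = re.compile(r"query\b.*?\bSRV\s+(\S+)", re.I)
# DC locator name: _kerberos._tcp[.<site>._sites].dc._msdcs.<domain>
LOCATOR = re.compile(
    r"_kerberos\._(?:tcp|udp)\.(?:(?P<site>[^.]+)\._sites\.)?"
    r"dc\._msdcs\.(?P<domain>.+)", re.I)
# Wireshark prefixes the RFC 4120 error name with "KRB5"; strip it.
KRB_ERROR = re.compile(r"KRB Error:\s*(?:KRB5)?(\w+)")

def triage(lines):
    """Return (kind, detail) findings for failed KDC lookups and KRB errors."""
    findings, pending, missing = [], None, {}
    for line in lines:
        low = line.lower()
        if "query response" in low:
            # Pair the response with the SRV query that preceded it.
            m = LOCATOR.fullmatch(pending or "")
            if m and "no such name" in low:
                missing.setdefault(m["domain"].lower(), set()).add(m["site"])
            pending = None
        elif (q := SRV_QUERY.search(line)):
            pending = q.group(1)
        elif (e := KRB_ERROR.search(line)):
            # KRB_ERR_RESPONSE_TOO_BIG (RFC 4120 code 52): the reply did not
            # fit in a UDP datagram and the client should retry over TCP.
            findings.append(("krb-error", e.group(1)))
    for domain, scopes in missing.items():
        if None in scopes:  # domain-wide record absent, not just one site's
            findings.append(("domain-srv-missing", domain))
        for site in sorted(s for s in scopes if s):
            findings.append(("site-srv-missing", f"{site}@{domain}"))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"{kind:20} {detail}")
```

A missing site record alone points at that site's registration; a missing domain-wide record as well means the client found no `_kerberos` SRV record for the domain in DNS at all.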



                      • #12
                        Re: Parent/Child Authentication Issue

                        Can you post the .cap file.



                        • #13
                          Re: Parent/Child Authentication Issue

                          Hi,
                          It appears that the Kerberos packet size is getting fragmented; you can try the steps outlined in KB244474 on the child DC, this should fix your problem.

                          Thanks
                          Milind Pisal



                          • #14
                            Re: Parent/Child Authentication Issue

                            Out of interest what firewall is between you, if any?
                            cheers
                            Andy

                            Please read this before you post:


                            Quis custodiet ipsos custodes?



                            • #15
                              Re: Parent/Child Authentication Issue

                              No, no firewall. I'll post the WS log today. Also I'll check that KB out.

                              Thanks all for your help!
                              GoogleFu is strong with this one ^
