
Kerberos Protocol Transition and Constrained Delegation Whitepaper Samples: Feb 20

Q: Kerberos Protocol Transition and Constrained Delegation Whitepaper Samples: Feb 20

Hiya

Source code for Kerberos Protocol Transition and Constrained Delegation whitepaper sample scenarios

System Requirements
Supported Operating Systems: Windows Server 2003

All editions of Windows Server 2003 for code samples on Microsoft IIS servers;
All editions of Windows Server 2003, Windows 2000 Professional and all editions of Windows 2000 Server for code samples on Microsoft SQL Server;
All but Web edition of Windows Server 2003 for running Active Directory

http://www.microsoft.com/downloads/...10-7c48-453a-a1af-d6a8b1944ce2&DisplayLang=en

Regards

eddie


A: Kerberos Protocol Transition and Constrained Delegation Whitepaper Samples: Feb 20

Originally posted by eddie5659:
Source code for Kerberos Protocol Transition and Constrained Delegation whitepaper sample scenarios

Whachutalkinbout Willis?

RELEVANCY SCORE 93.6

I have the GA installed and working, and would like to add a few more ATA administrators.
Problem is they don't have passwords, just smartcards. Can I set up the ATA Console for Windows authentication, Smartcard auth or Kerberos Constrained instead of the (albeit very pretty) username/password only configuration that's default?

RELEVANCY SCORE 91.6

Hiya

This white paper explains how to troubleshoot delegation issues that can arise in Kerberos authentication scenarios. The paper summarizes required infrastructure and describes Windows authentication scenarios. The central discussion is organized around four troubleshooting checklists: one each for Active Directory, client application, middle tier, and back-end. The appendices detail diagnostic tools and give examples of how to resolve problems in typical IIS to SQL delegation scenarios

System Requirements
Supported Operating Systems: Windows Server 2003

Microsoft Word or Word Viewer

http://www.microsoft.com/downloads/...4f-e28a-4726-bffe-2f64ae2f59a2&DisplayLang=en

Regards

eddie
 

RELEVANCY SCORE 78

Can someone please explain the basics of the Kerberos protocol to me? I cannot understand anything.
 

A:kerberos protocol

http://en.wikipedia.org/wiki/Kerberos_(protocol)
 

RELEVANCY SCORE 74.4

I received the following alert many, many times on 2 of my Exchange CAS servers and don't know whether it's a real attack or a false positive, as I checked my security and scanned the servers and didn't find anything:
Suspicious account enumeration activity using Kerberos protocol, originating from (EXCAS01), was detected. The attacker performed a total of 188 guess attempts for account names, 11 guess attempts matched existing account names in Active Directory.
Kindly advise!

RELEVANCY SCORE 74.4

Got an alert from the Microsoft Advanced Threat Analytics that I think has to be legit. It is in my SharePoint 2013 environment and it says the following.

Suspicious account enumeration activity using Kerberos protocol, originating from SERVER, was detected. The attacker performed a total of 346 guess attempts for account names, 296 guess attempts matched existing account names in Active Dir
Sounds like a real attack to me, but does anyone know if this is SharePoint doing something? Highly unlikely, since SharePoint wouldn't be guessing accounts like this.

thanks,

Jason VanCise

RELEVANCY SCORE 50.8

Hiya

Self-extracting EXE files install information for customizing the Outlook Today page. Download OutToday.exe for the white paper. Download OutExmple.exe for source files and samples.
System Requirements
Supported Operating Systems: Windows 2000, Windows 98, Windows ME, Windows NT, Windows XP

Office 2000 with Outlook 2000; compatible operating system.

http://www.microsoft.com/downloads/...74-5a60-469e-9160-b1cbaaade443&DisplayLang=en

Regards

eddie
 

RELEVANCY SCORE 50.8

Interesting read about firewalls: http://www.securityfocus.com/infocus/1750

Home User Security: Personal Firewalls
by Sarah Granger
last updated December 8, 2003

Looks at the subject of Personal Firewalls ... IMO, this should be considered an essential read, as it contains useful comparison tables of the various products.
 

A:Personal Firewalls: Whitepaper from Securityfocus.com

Nice one Winch................Added to favourites.
 

RELEVANCY SCORE 49.6

Hi,
I have a strange problem with my uncle's desktop PC. That PC has to be always on for video recording, but once in a while Windows will automatically reboot and I just can't find out exactly why.
But what I did find out is that he's always getting 3 error messages (in the Windows Event Viewer) about 20 min prior to the unplanned reboot.
These are the error messages in the Event Viewer:
1) The following fatal alert was generated: 10. The internal error state is 1203 --> Schannel ID3688 --> time: 19:00
2) The same as above on the exact same time with same event
3) RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client --> TermDD ID50 --> Time: 19:48 (about 25 min prior to the reboot)
Who can help me out here? This is driving me crazy. Sometimes we miss days of recording, while we aren't using that PC for other things.
Thanks in advance!

RELEVANCY SCORE 49.6

I did quite a bit of online research prior to asking my own question, but none of the solutions I've found online really pertain to the issue we're experiencing.
We have 2 Windows 7 Pro PCs in the office. They are accessed via RDP from within the same network/location. The systems that are accessing these 2 PCs are an XP Pro machine and a Mac. The clients stay connected for random lengths of time (no longer than 1 hour) before the session goes black and disconnects them randomly. When the disconnect occurs, it's not due to inactivity. The user has to wait several minutes before they are able to reconnect.
On the Windows 7 PCs, Event Viewer gives:
Event ID: 50  The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.
Event ID: 56  The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. 
I've seen suggestions of checking registry keys and a lot of suggestions regarding Windows Server and Terminal Server, but they don't apply to our situation.  Please let me know if more information is required.  Thank you!

A:The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client.

Hi,

Do you enable the IEEE 802.1x authentication?

Regarding the issue, I suggest updating the network adapter driver manually on Windows 7 PCs. Also update the router's driver and firmware.

If the issue persists, you could disable the TCP Offload. To do this,

a. Run the following commands on both the client and the server to disable NIC offloading.

netsh int tcp set global chimney=disabled
netsh int tcp set global rss=disabled

b. Modify the following registry key to disable netDMA on the client and the server.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPA

Note: If this registry entry does not exist, right-click Parameters, point to New, click DWORD Value, type EnableTCPA, and then press ENTER.

Value: 0

You can also refer to the following KB to troubleshoot the issue. Hope it helps.

http://support.microsoft.com/kb/2477023

Best Regards,

Niki
RELEVANCY SCORE 49.6

Hiya

This whitepaper provides detailed instructions for deploying Microsoft® Commerce Server 2002 in a secure configuration. These instructions assume you are performing a new deployment, and therefore instruct you to install and configure each server in this sample deployment. It is recommended that you use these instructions as a guideline for deploying your own secure site

System Requirements

Windows 2000

Operating System - Windows 2000

http://www.microsoft.com/downloads/release.asp?ReleaseID=40672&area=search&ordinal=7

Regards

eddie
 

RELEVANCY SCORE 47.6

Dear all,

One of my users encountered an Outlook delegation error. It says that the delegates were not saved correctly: cannot modify access control list.

The troubleshooting steps I did: the user tested on another machine which is running Outlook 2007, with no issue. But when changed to Outlook 2010, the delegation error takes place. I re-created the profile but still have the same issue. I have also added this DWORD IgnoreSOBError and modified it to value 1: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\x.0\Outlook\Preferences

Re-installed and un-installed Outlook 2010.

Unfortunately, I still encounter the same problem. But when I try to delegate on my site using Outlook client version 2010, I have no problem at all.

Can anyone advise me on this?

I kindly appreciate your kind help.

Thank you.

A:outlook 2010 delegation error

If you meant 2010 Exchange see this: https://support.microsoft.com/kb/2545238
If not, choose the correct fix it here: https://support.microsoft.com/kb/2593557 or do it manually as instructed.

RELEVANCY SCORE 47.6

Hi,

I am trying to fix an issue in which I am not able to do remote desktop. I have come across the solution which says we need to set "Encryption Oracle Remediation" as "Vulnerable". But when I am trying to fix this I am not able to find the "Credentials Delegation" option in my group policy.
Any help and suggestions will be appreciated.


Thanks,
RG

RELEVANCY SCORE 47.6

How to Delegate User Account Unlocking capability to Team Leader and Managers via Active Directory? 
1, I need clear cut steps which I can perform in AD
2, Also how Manager or Team lead will access that for user account unlocking?

ST

RELEVANCY SCORE 47.6

Greetings!

Stats: Outlook 2002, Exchange 2000, Delegated Mailboxes

Here are the issues we're having:

Person A gave rights to Person B to manage their mailbox (delegation). The delegation is set up correctly, but it's hindering some functionality (which may not even exist).

1) Can Person B (the controller of A's box) utilize A's contacts via the Address Book? At this point, we cannot. We tried to add it via the Address Book 'Tools --> Options' menu, but it's not even listed. We also verified the properties of the delegated contact list and it's checked to generate Exchange Views.

* Basic problem: Person B cannot utilize the contact list from anything except for manually clicking on the 'Contacts' folder in the delegated mailbox. (So, using the To... doesn't work)
2) Can Person B set 'reminders' in Person A's calendar? If so, we have something set up incorrectly. Presently, reminders in the delegated mailbox do not pop up for the controller. Ideas?

* Basic Problem: Events come and go in the delegated calendar without reminding the controller (Person B).
 

A:Outlook Delegation: Bane of my existence

1. As far as I know, "no". But did you double-check that the Person A's address book is an "Outlook address book"?

2. Unsure

Check www.slipstick.com (the ultimate Outlook resource, IMHO)
 

RELEVANCY SCORE 45.6

I'm running AGPM 4 SP3 using a least privileged access service account, and whenever I deploy a GPO to production all of the users from Change Control's Production Delegation tab (Domain Admins / Enterprise Admins / Enterprise Domain Controllers / SYSTEM / as well as my personal account I'm logged in with) get added to the security filtering of the deployed GPO. Not only is this for all current production GPOs, but also if I create a new GPO within AGPM the same groups get added to the security filter. Any ideas what could be causing this?

RELEVANCY SCORE 44.4

Please help

I am trying to install OneBridge client onto my mobile phone & when i start to install i get the above error...... I have run a search on this error & cannot find any relevant info.

As always any help would be greatly appreciated x

 

RELEVANCY SCORE 44

Appreciate if anyone can advise if the RPTester tool is a publicly available tool, glimpsed in the forum question

Delegation Authorization Rules / ActAs removed in ADFS 4.0? (Windows Server 2016)

RELEVANCY SCORE 43.6

Hi Expert!
May I know what's the maximum days of a Kerberos token per machine? Somebody's idea?

Homer Sibayan

RELEVANCY SCORE 43.6

I had this on my HP which I returned for MCE's and now I see it here on my new Dell XP430 as well.

The ERROR is an HTTP Event 15016 and under General it says "Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number."

And under Details it says:
"[ Name] Microsoft-Windows-HttpEvent
[ Guid] {7b6bc78c-898b-4170-bbf8-1a469ea43fc5}
[ EventSourceName] HTTP
- EventID 15016
[ Qualifiers] 49152
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2009-04-12T21:13:07.363Z
EventRecordID 24054
Correlation
- Execution
[ ProcessID] 4
[ ThreadID] 52
Channel System
Computer DellXPS430
Security
- EventData
DeviceObject \Device\Http\ReqQueue
SecurityPackage Kerberos

A:Anyone else having Kerberos errors?

Kerberos is a computer network authentication protocol, which allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. It is also a suite of free software published by Massachusetts Institute of Technology (MIT) that implements this protocol. Its designers aimed primarily at a client-server model, and it provides mutual authentication — both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.
Kerberos builds on symmetric key cryptography and requires a trusted third party. Extensions to Kerberos can provide for the use of public-key cryptography during certain phases of authentication.
source:http://en.wikipedia.org/wiki/Kerberos_(protocol)

RELEVANCY SCORE 43.6

Hi, I am getting a blue screen then reboot after physical memory dump. This happens whenever I watch a .avi file or if I'm watching a streaming site like YouTube; it even happened when I was on a MySpace page yesterday. It plays the video but whenever I close the media player or website down I get the blue screen.

The blue screen says Bad Pool Header and the main number at the bottom is 0x00000019 (0x00000021 0xD18BE000 0x00070808 0xFFFE0176)

In the Event Viewer under errors it says "Unable to initialize the security package kerberos for server side authentication. the data field contains the error number " It is an httpevent and has an ID of 15016.

There are also some updates that I cannot install, KB951698. Not sure if this has anything to do with the Kerberos thing.

I just installed Vista 3 days ago from a Dell upgrade DVD and put SP1 in yesterday. I have no idea what to do. There was another problem with sonic before but I found a patch for that; that problem gave me the same blue screen (I think, both had 0x00000019 though unsure if the drvmcdb.sys problem had same bracketed numbers).

Here is the log from the debugger WinDbg:

BugCheck 19, {21, 8608b000, 70808, ffff}
*** WARNING: Unable to verify timestamp for sthda.sys
*** ERROR: Module load completed but symbols could not be loaded for sthda.sys
Probably caused by : sthda.sys ( sthda+148ec )
Followup: MachineOwner
---------
1: kd> !analyze -v
********************************************************... Read more

RELEVANCY SCORE 43.6

Hi all,

I am using Windows 2000 Professional. I wish to configure the Kerberos Policy in the system but do not know where to find the policy and configure the settings.

Thanks all for your help.....
 

A:Kerberos Policy

See if the MS article below helps. Let us know what happens.
http://support.microsoft.com/defaul...port/kb/articles/Q232/1/79.ASP&NoWebContent=1
 

RELEVANCY SCORE 43.2

Hi all,
I really do not know what is happening. We have 1 secure VLAN which by default blocks all ports IN/OUT. We set up the firewall to open the ports which are required to allow Windows 7 Enterprise to work. The system is in a domain, west.ads.cc.com for example.
We have 3 issues that came up for all systems located in this secure VLAN, as described below:

IT systems in a different VLAN cannot offer Remote Assistance. There is no issue with the IT systems machines since they can still offer Remote Assistance to other VLANs fine.
Users in this secure VLAN cannot access a shared drive from a different domain that is still in the same forest. For example, our forest is ads.cc.com and the different domain is east.ads.cc.com. There is no issue with the shared drive in east.ads.cc.com since other users in a different VLAN located in domain west.ads.cc.com are still able to access it without any issue.
Users in this secure VLAN cannot connect to 1 SQL Server in west.ads.cc.com if using Windows Authentication. They are still able to connect to this SQL Server if using a SQL Authentication ID since we opened port 1433 as designed. We used the procmon tool to analyze and found out there are 13 send/receive packets in total that need to be communicated to allow a full transaction to be established successfully. But when we use Windows Authentication, the first 7 packets are communicated and it is dropped after about 10 seconds at the 7th send packet. This looks like it is due to a timeout. We got the error related to SSPI handshake failed.... Read more

RELEVANCY SCORE 43.2

Hello, I'm really lost... Well: my professor has asked me to work on a project called KERBEROS, and as you know the KERBEROS authentication protocol is a network based on a mechanism for secret keys (symmetric encryption) and the use of tickets... My problem is that she asked me to show her how it works on Windows Server 2003 with Active Directory! I think it's hyper difficult to show, no? Even using a sniffer, is it difficult or not? Please, how can I show her that there is an authentication and a ticket exchange... I want to know the shortest path and simplest guide in order to get a very good mark. Thankie.
 

A:Kerberos I HATE YOUUUU ><

RELEVANCY SCORE 43.2

I have a java application which uses Kerberos authentication for login. Through IE 10 Kerberos authentication is successful only if the user has local admin privilege and the IE 10 should be run as administrator. Anyone in forums can help me to resolve this issue as we cannot give a domain user local admin privilege.

RELEVANCY SCORE 43.2

Didn't know what forum to place this in. Having issues with Kerberos Errors and my SCCM server. I have another issue, but I think this is related. I get the following event in my PC.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server aas-vm-sccm$. The target name used was HTTP/aas-vm-sccm.aas.global.amphenol-sensors.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (AAS.GLOBAL.AMPHENOL-SENSORS.COM) is different from the client domain (AAS.GLOBAL.AMPHENOL-SENSORS.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
Now when I run the setspn -Q http/tnwd07190.aas.global.amphenol-sensors.com I get
Checking domain DC=aas,DC=global,DC=amphenol-sensors,DC=com
CN=AAS-SvcAdmin,OU=Svc&Floor Accounts,OU=Users,OU=Taunto... Read more

RELEVANCY SCORE 43.2

We have a mixed environment using Mac OS X and NoMAD to connect to AD resources. The user is logged on locally. Our file server is a Synology NAS using Windows integration. ATA does not detect the Kerberos sign-in and also does not detect the Kerberos SMB connection to the Synology. Am I missing something? Our setup is completely virtual. All DCs are lightweight. ATA Center is a new install on Server 2019.

RELEVANCY SCORE 43.2

Can i create an application based on kerberos within 10 days using .net technologies?
And it would be very fine if anyone can provide it to me or any kind of links.....
plz its urgent......
 

A:kerberos application required

ramveer91 said:
Can i create an application based on kerberos within 10 days using .net technologies?

Depends on your experience and the scope of your project.

ramveer91 said:
And it would be very fine if anyone can provide it to me or any kind of links.....
plz its urgent......

Google google google. For instance, when I google "kerberos .net application" I get a ton of hits, i.e.

http://software.intel.com/sites/man...dDocuments/kerberosauthenticationusingnet.htm
 

RELEVANCY SCORE 43.2

We have loaded the DOD AGM image on a laptop. It is joined to the domain and configured using the local administrator login.
Then we attempt to log in with the required DOD CAC and we get:
The Kerberos protocol encountered an error while validating the KDC certificate during logon through smart card

The event log shows Event ID 9

"The client has failed to validate the Domain Controller certificate for X.army.mil. 
The following error was returned from the certificate validation process: 
A certificate chain could not be built to a trusted root authority."

We do not control the Domain Controller. That is controlled by another DOD group (just an FYI).

A:Windows 7 CAC and Kerberos error

Hi,


The issue may be more related to the third party programs. Please understand that Microsoft has limited resources about the third party programs. You may contact their support team directly.

Kim Zhou
TechNet Community Support

RELEVANCY SCORE 43.2

Wow, have I been bashing my head on a brick wall with this problem. Been lurking here for a while, great site.

In a nutshell, my search field on the Win7 Start menu returns no results. If I click "see more results" it returns "Windows cannot find 'search:query=search string'. Note that this is not the 'Showing only category headers' problem. Search returns a big, white box with "No items match your search" and "See more results" no matter what you type.

Win+F simply does nothing (I've only just noticed this).

Constrained search in Explorer works fine (!).

I've tried:
The built in search troubleshooter - no problems detected. The MS downloaded troubleshooter - no problems detected. Deleting a bunch of registry keys and restarting the service (detailed here), service starts up fine, start search still non-functional. I've been mucking around, rebuilding indexes, trawling the web for anything, but alas, any offered solutions I have come across do not make any difference.

I'm not entirely sure how this happened - SP1 maybe? A reg cleaner? One of the two possibly.

I'm at a complete loss. I've just tried to do a reinstall following the guide that's around here somewhere. I've a 30gig SSD primary boot drive. Windows wants 15gig free to reinstall. Not going to happen considering the Windows directory is 10gig. I'd rather not clean reinstall for such a 'minor' problem, but I really miss that neat feature.

Any help provided greatly appreciated... Read more

A:No Start Search, no Win+F, but Constrained Search works?

hi and hello

Perform a SFC Scan (System File Check)

1. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator. If you are prompted for an administrator password or for a confirmation, type the password, or click Allow

2. Type the following command, sfc /scannow and then press ENTER:

(A message will appear stating that 'The system scan will begin'. Be patient because the scan may take some time)

3. If any files require a replace SFC will replace them. You may be asked to insert your Windows 7 DVD for this process to continue

4. If everything is okay you should, after the scan, see the following message "Windows resource protection did not find any integrity violations"

5. After the scan has completed, close the command prompt window, restart the computer. (TIP repeat scan 3 times)
How to use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7

How to Check / Repair the Windows System Files from a Command Prompt at Boot >>> SFC /SCANNOW : Run in Command Prompt at Boot

RELEVANCY SCORE 42.8

I've got a fairly new 2003 Active Directory and recently I have had two independent reports of users not being able to get into a file server that they were able to one week before. After a log off and log on they have been ok.

I believe this is due to the fact the users haven't logged off in a week and their Kerberos credentials expired. So I've checked domain policy and it seems that the policies are as follows:

Code:
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
The last one was of interest here so I just changed it to 60 days.

Code:
Maximum lifetime for user ticket renewal 60 days
I would like to ask what people's opinions are on this, especially if there are any other veteran MCSEs out there, regarding the security implications of this change.
 

RELEVANCY SCORE 42.8

Hi,

I have a Windows 7 Home Premium x64 installation (i.e. one that does not attach to a domain) that needs to talk to a Samba share in a Kerberized (not AD) environment.

I have setup "Kerberos for Windows 4.0.1" and "Network Identity Manager 2.0.102.907" and they are successfully able to obtain a Kerberos ticket from the KDC used by the Samba share.

How do I now get Windows Explorer to use that ticket when accessing the share?

Regards,
Rob.

A:How do I integrate Kerberos with Windows Explorer?

After consulting with some network admin friends, the only way we see that working properly is to upgrade to win 7 pro and adding the system to the domain. LDAP/Kerberos is a tricky beast

RELEVANCY SCORE 42.8

Hello,

I have run into a strange problem with IE when accessing, from the web, a public URL with Kerberos SSO enabled for LAN access (of course, SSO can't work for external access).
A single URL is wanted for internal (LAN) and external (web) access.

# Client:
O/S: Windows 7
Browsers: IE11 + Firefox 44

# Server
O/S: Windows Server 2012 R2
Web server: Tomcat 7

# Authentication
Windows AD : 2012
Kerberos + SSO

# URL to access web portal with HTTPS/TLSv1.2: 2 existing FQDN
Public FQDN: xyz.corp.fr (reachable from web)
Internal FQDN: a-b-xyz.corp.fr and a-b-xyz.corp.local (reachable from LAN)

Aim

Notebooks have to access web portal from LAN or web (roaming users).
For both LAN and web access, only one public URL is wanted to access web portal: https://xyz.corp.fr .

Symptoms

From LAN, to get SSO with IE11, I just have to add https://xyz.corp.fr to the "Local intranet" security zone.
But if the notebook is connected from the web, the URL https://xyz.corp.fr does not work ("This page can't be displayed")!

To solve this problem, I have to move https://xyz.corp.fr to the "Trusted sites" security zone of IE or at least delete the URL from the "Local intranet" zone.
Then, if the notebook has to connect from LAN, SSO does not work anymore since https://xyz.corp.fr is no longer in the "Local intranet" security zone.

NB: - no problem with Firefox 44 that does not use "security zones" concept
- problem got on 4 different PC under W7
- no problem... Read more

RELEVANCY SCORE 42.8

Hi, I am testing Windows 7 OS in our domain and found that Kerberos authentication to a UNIX domain from Windows 7 is not working. It is prompting for a password every time I connect to a UNIX host and not going through pass-through authentication. This works perfectly fine on Windows XP OS in our environment.

Is there any setting that needs to be done to make this work from a Windows 7 client?

Thanks

A:Kerberos Authentication to UNIX from Windows 7 OS

Hi there could you try disabling User Account Control in Windows 7?
Control Panel\User Accounts and Family Safety\User Accounts\Change User Account Control Settings. Bring it all the way to the bottom.

RELEVANCY SCORE 42.8

We have a situation where users are getting locked out after 2 logon attempts with bad passwords. Our policy is three bad passwords produces a lockout, but we've confirmed that it locks after only 2. In troubleshooting this, we found that every time a user sends logon credentials, two Kerberos tickets are generated. To AD, after the second attempt, four "bad" tickets have been sent. How in the world do we begin tracing this down?

A:Kerberos Ticket Generated at Logon Sent Twice

I am reviving an old thread strictly for the sake of posting our fix. This happened again on a single machine in our environment and I remembered that I posted something here. I failed to return to relate the solution.
Turns out that a year or two before I started at my current job, a Group Policy Preference was created to force a particular encryption type (RC4-HMAC) to allow machines to connect to our Windows 2003 Server DCs. The GPP maintained a setting in the registry: HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters. The value is called DefaultEncryptionType and was set to 17 (hex). Removing the value corrected the issue for us.

Read other 5 answers
RELEVANCY SCORE 42.4

We have recently changed our SharePoint on-premise authentication method from NTLM only to Kerberos/NTLM. Since then, when we try to log in from the Internet (no Kerberos), IE causes trouble, getting a 401 (Unauthorized) due to the fact that it does not fall back to NTLM, but wants to use Kerberos instead. This behaviour only applies to IE and Edge; other browsers like Chrome or Firefox do proper NTLM. The response header I see in IE is correct (WWW-Authenticate: Negotiate, NTLM), though. It is just that both IE and Edge always only try Kerberos, which fails from outside our corporate network or VPN. It doesn't look to me like it would be a firewall or IIS server issue, since other browsers (non-Microsoft) do properly work with NTLM within the same scenario. BTW, there is a similar situation with Dynamics CRM on-premise. I am not an expert here, but with this, when trying to browse the internal URL from WAN (which might not be the right approach, but firewall-wise it is allowed), we get the same issue with IE/Edge. Using the internet-faced deployment URL for CRM via ADFS, this works with IE/Edge too from outside the corporate network. This seems to be the same cause: these browsers do not fall back to NTLM if Kerberos isn't available.
After I got my Kerberos ticket once, until it expires or I purge it, I can work with these browsers from outside the LAN too.
IE security settings are set to Enable Integrated Windows Authentication and the servers in charge are members of the Local Intranet security zone
... Read more

Read other answers
RELEVANCY SCORE 42.4

Team,
We had an alert on Win SERVER for Kerberos golden ticket activity, which says ticket usage was over a period of 13 hours, which exceeded the allowed maximum of 10 hours.
Need help to evaluate this alert.

Checked with the AD team; they confirmed no change in Group Policy has been made.
Now, where else do we need to check next to investigate this alert?

Read other answers
RELEVANCY SCORE 42.4

Hello everyone, after looking for ages to fix this trouble I finally ended up seeking help on this forum!

First of all, excuse my poor English!

So, I just bought a brand new Acer Aspire 6920G notebook... pretty happy with it so far, a very good machine... The thing is: I'm having a pretty annoying problem, and this has been occurring since the very first day... Once in a while, my Firefox freezes and I can't even shut it down or just reboot the laptop; I have to do it manually, which is very annoying and not quite good for the hardware I guess...

I checked the event viewer and ended up finding that the only single error occurring is this one:

HttpEvent ID 15016 "unable to initialize the security package kerberos for server side authentication.
The error continues in Event Viewer.

That's the only error showing up there (besides the manual reboot), so... I have been trying to fix this and can't find a solution. I would be grateful to anyone who could help me... thanks in advance!

Here's my HijackThis log :

... Read more

A:Trouble with error 15016 (Kerberos) Win Vista!!

Error just happened again with Google Chrome, so Firefox isn't the problem... help me please!
 

Read other 2 answers
RELEVANCY SCORE 42.4

Has anyone used, or is it technically possible to use, ATA to look at Kerberos interactions with domain controllers ahead of a forest functional upgrade from 2003?
Our AD has been in place since around ~2004; although the DCs are now running Windows 2008 R2, the FFL for Forest and Domain is 2003. We want to upgrade but are aware that upgrade from 2003 resets the krbtgt password and shifts from HMAC-RC4 to AES-256.
Whilst Windows clients should deal with this, non-Windows servers and apps will need to be tested and a plan put together. The first issue is identifying non-Windows clients that are using Kerberos, aggregating and reporting. Whilst trawling for Kerberos activity it makes sense to also look at who is still using NTLM as well as LDAP.
I'm aware that this isn't really the purpose of ATA, but based on the information it captures, is the requirement outlined above something that ATA could be used to fulfil?
Paul Bendall

Read other answers
RELEVANCY SCORE 42

Hi, each user workstation--about a half dozen Win 7 SP1 64-bit and Win 10 64-bit LTSB 2016 PCs--I check logs an error to the System Event Log every 1-2 hours. The event / error reads:



The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server MY-SERVER'S-NAME$. The target name used was HTTP/MY-SERVER'S-NAME.MY-DOMAIN-NAME.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (MY-DOMAIN-NAME.COM) is different from the client domain (MY-DOMAIN-NAME.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.



I've gone through the steps at this link:
https://technet.microsoft.com/en-us/library/cc733987(WS.10).aspx (Check for duplicate or unused computer accounts [also queried LDAP from a DC to make sur... Read more

Read other answers
RELEVANCY SCORE 41.6

Hey, I have a laptop that I want to upgrade to 64 bit Windows 7.
It is currently 32 bit XP and I am sure that my hardware is capable.

The only thing that's stopping me now is the fact that I don't want to lose 80 GB of programs which would take 10+ hours to reinstall from CD's and waiting on downloads etc.

Is there a way to keep programs on my PC so that I don't have to re-install?

I thought about saving the "program files" folder and pasting it back onto my PC after a clean installation but I wouldn't be able to update my registry which I heard will make programs run like rubbish.

So is there any way to keep my programs through a 32 bit OS to 64 bit OS conversion?

Sorry if this has been posted before or is in the wrong section.

A:32 bit to 64 bit transition

Not to my knowledge.
You would not be able to copy the Programs folder. All your programs will have to be executed.
It would also be worthwhile to check that your programs work under 64 bit OS.
I would also make sure your PC is really capable of running 64 bit.

Read other 3 answers
RELEVANCY SCORE 41.6

I'm changing operating systems to take advantage of the 8g of ram resident on my new machine. Currently it's running XP in 32 bit mode. What kind of problems can and will I encounter by doing this and what is the best approach to be successful here. Any insight, experience, and suggestions will be appreciated.

i7 2600K
nv 560Ti
Corsair Vengeance 4x 2gb

regards
k
 

A:transition from XP 32 to Win 7 64

The only hitch you may encounter is with existing software not being compatible with Win 7 64bit. Apart from that, with a new machine you should have a smooth transition.
 

Read other 3 answers
RELEVANCY SCORE 41.6

Hello, so I recently heard that having an x64-bit OS will give me some advantages. I am currently using x32 Windows 7 Ultimate.
I've reinstalled my laptop 3 times:
- The factory fresh was Windows 7 Ultimate x86
- First reinstall was Windows 7 Home x64 (I did something wrong and got a BSOD, but I'm new to computers so I asked someone to reinstall it for me)
- Second reinstallment was Windows 7 Professional x32 (I need to reinstall it because of a serious problem, and I asked someone to reinstall it for me)
- Latest reinstallment was Windows 7 Ultimate x32 (I realize the earlier Windows was not genuine since I cannot activate it)
So I want the advantage of having an x64-bit OS. How could I switch it back to x86? So can I switch to x86 again by reinstalling Windows with x86? Or if you know how I can get the x86 version of this Windows without buying it again, that'd be great. An answer would be a pleasure to me. Have a good day!

Read other answers
RELEVANCY SCORE 41.6

Every time I visit a website that offers mp3 sound samples, I get an error when I try to hear them.

For example, visiting a wind chimes website that offers samples of how their products sound. When I click on the "hear a sample" icon, it takes me to another page, with .mp3 at the end of the address, but I get a little exclamation point inside a yellow triangle in the bottom bar and nothing shows up on the page and I don't get to hear the sound.

When I click on the triangle to find out what the problem is, it tells me, "Error: object expected".

I don't remember having this problem before IE updated itself and changed its format a few weeks ago. I have no problem hearing music embedded in websites, it's just the sound samples with a .mp3 address.

Any idea what the problem is?
 

A:Why can't I listen to MP3 samples?

What player did you use before? Now?
What version of IE are you using now?
Have you also tried Firefox or another browser?

To play/hear any .mp3 or such sound, a player, such as winamp, realplayer, etc. must be installed, and it must have permission to play such files.

May have to reinstall IE, or at the least check all of the settings.
 

Read other 1 answers
RELEVANCY SCORE 41.6

Hello,

I am a student studying for my Honours project on the Analysis and Detection of Ransomware. Part of this project is to look at different types of Ransomware samples and record their characteristics and behaviour, as well as come up with preventative techniques to stop/halt the attacks. To be able to do this I have been asked to acquire different live samples. As I am new to the forums, and therefore not a verified member, I am unable to access the malware repository. I would very much appreciate it if somebody could point me in the right direction to get some assistance in this area.
 

Read other answers