
How do I force Kerberos in AD 2003?

Status
Not open for further replies.

shadowfax1066

Technical User
May 10, 2004
103
GB
Hi, how can I make sure our network is using Kerberos or IPsec for all PC and server communications? I think it is done via group policies...

Can you help?

AW
 
I am presuming that your client PCs are using 2000 or XP, where IPsec will do the job for you. There are 2 settings that you can choose to configure your system.

You can use Secure Server - For all IP traffic, always require security using Kerberos trust. Do NOT allow unsecured communication with untrusted clients.

If however you have any older Clients you can use Server - For all IP traffic, always request security using Kerberos trust. Allow unsecured communication with clients that do not respond to request.

This will however only ensure that Kerberos is used if the client is able to do so.

The settings can be set through Group Policy.

Hope this helps.



Tim
MCSE 2003
HP APS
 
I'm having an issue where I have an AD with many trusts... but have a guy that has a Win2k3 server as a workstation for development.

He doesn't log into the domain - but logs into his local server using an account identical to his domain account with identical password... on top of that - his win2k3 server is a member of the AD...

However.. every now and then he gets an error that his machine isn't trusted - and that he is not allowed on the domain... other machines on the domain cannot see his shares, however, we can ping his machine....

In the AD DC event log - there are errors reported for Kerberos authentication...

Somehow when he logs into his local account - the win2k3 machine is causing Machine Name conflict - and eventually his domain account locks out....

This is very curious, as I do not see the connection... can anyone explain??

Alshrim
System Administrator
MCSE, MCP+Internet
 
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 10/14/2004
Time: 10:53:57 AM
User: NT AUTHORITY\SYSTEM
Computer: DC
Description:
Pre-authentication failed:
User Name: BROSS-DESKTOP$
User ID: domain\BROSS-DESKTOP$
Service Name: krbtgt/domain.NET
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.130.148


Here are the logs...

Alshrim
System Administrator
MCSE, MCP+Internet
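The Event ID 675 record posted above carries two fields that explain the lockout pattern: Pre-Authentication Type 0x2 is PA-ENC-TIMESTAMP (the client encrypts a timestamp with its password-derived key), and Failure Code 0x18 is KDC_ERR_PREAUTH_FAILED from RFC 4120, which the KDC returns when that key does not match the one stored in AD. A trailing `$` on the user name marks a computer account, so here it is the machine's own account secret, not a user's password, that the DC is rejecting. The following parser is an added example and not code from the thread; it decodes these fields from 675 description text and counts repeated pre-auth failures per (account, client address) so a defender can spot the account that is about to lock out. The sample event blocks are constructed for the example (the first mirrors the one posted; the rest are invented), and the `threshold` parameter is an assumption.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120), keyed by the hex value Windows writes in Event 675.
KRB_ERROR_CODES = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN (account does not exist in the realm)",
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password or stale machine secret)",
    0x25: "KRB_AP_ERR_SKEW (clock skew between client and KDC too large)",
}
PREAUTH_TYPES = {0x2: "PA-ENC-TIMESTAMP (timestamp encrypted with password-derived key)"}

# Field order as it appears in the Event 675 description body.
EVENT_675_FIELDS = re.compile(
    r"User Name:\s*(?P<user>\S+)\s*"
    r"User ID:\s*(?P<sid>\S+)\s*"
    r"Service Name:\s*(?P<service>\S+)\s*"
    r"Pre-Authentication Type:\s*(?P<patype>0x[0-9a-fA-F]+)\s*"
    r"Failure Code:\s*(?P<code>0x[0-9a-fA-F]+)\s*"
    r"Client Address:\s*(?P<addr>[\d.]+)"
)

# Constructed sample events. The first mirrors the description posted in the thread;
# the remaining entries are invented to show repeated failures and a different error.
SAMPLE_EVENTS = [
    r"""Pre-authentication failed:
User Name: BROSS-DESKTOP$
User ID: domain\BROSS-DESKTOP$
Service Name: krbtgt/domain.NET
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.130.148""",
    r"""Pre-authentication failed:
User Name: BROSS-DESKTOP$
User ID: domain\BROSS-DESKTOP$
Service Name: krbtgt/domain.NET
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.130.148""",
    r"""Pre-authentication failed:
User Name: BROSS-DESKTOP$
User ID: domain\BROSS-DESKTOP$
Service Name: krbtgt/domain.NET
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.130.148""",
    r"""Pre-authentication failed:
User Name: jdoe
User ID: domain\jdoe
Service Name: krbtgt/domain.NET
Pre-Authentication Type: 0x2
Failure Code: 0x25
Client Address: 192.168.130.200""",
]


def parse_event_675(text):
    """Parse one Event ID 675 description block into a dict; return None if malformed."""
    m = EVENT_675_FIELDS.search(text)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "service": m.group("service"),
        "preauth_type": int(m.group("patype"), 16),
        "failure_code": int(m.group("code"), 16),
        "client": m.group("addr"),
    }


def is_computer_account(user):
    """AD computer accounts (machine secrets) end in '$'; user accounts do not."""
    return user.endswith("$")


def describe(event):
    """Human-readable explanation of one parsed Event 675 record."""
    code = KRB_ERROR_CODES.get(event["failure_code"],
                               "unknown Kerberos error 0x%x" % event["failure_code"])
    patype = PREAUTH_TYPES.get(event["preauth_type"],
                               "pre-auth type 0x%x" % event["preauth_type"])
    kind = "computer account" if is_computer_account(event["user"]) else "user account"
    return "%s (%s) from %s: %s via %s" % (event["user"], kind, event["client"], code, patype)


def find_repeated_failures(events, threshold=3):
    """Return {(user, client): count} for pre-auth failures (0x18) at or above threshold.

    Repeated 0x18 from one source is what drives the bad-password count toward lockout.
    """
    counts = Counter((e["user"], e["client"]) for e in events if e["failure_code"] == 0x18)
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    parsed = [e for e in (parse_event_675(t) for t in SAMPLE_EVENTS) if e]
    for e in parsed:
        print(describe(e))
    print("repeated pre-auth failures:", find_repeated_failures(parsed))
```

Run against a real export, feed each 675 description body to `parse_event_675`; the pairing of a `$` account with 0x18 from a single address is the signature to look for when a machine, rather than a person, is generating the bad-password count.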
 
Right-click the domain controller and select Default Domain Policy - Edit - Computer Policy - Windows Settings - Security Settings - IP Security Policy - and select Server - enable and save the setting.

This should ensure that all clients able to communicate with Kerberos will.



Tim
MCSE 2003
HP APS
 