Hello,

We are experiencing an intermittent issue regarding Kerberos
Authentication with some of our 400 or so Vista SP1 clients.

Our domain environment consists of a Windows 2003 domain with abour 400
standardized Vista SP1 32bit client pcs all running the same OS image
and identical hardware.

We have random reports form about 1% of our users on a daily basis
about not being able to authenticate against our proxy server which only
accepts Kerberos auth (does not fall back to NTLM).

So of course what happens to these users is that they cannot
authenticate against the proxy. The issue is not specific to the same
users, same pc's, same vlans, same subnets etc. - it's completely random
- also it is not dependant on the time of the day either - i.e. not load
related.

We have used klist and kerbtray to show the kerberos tickets available
when this issue happens and there are none! Not even a krbtgt one. In
fact it has reverted back to using NTLM and for whatever reason it does
not request a tgt when a kerberos authenticated service such as our
proxy is being contacted. Once the user logs off and logs back in, the
problem goes away of course. Any thoughts on this would be very much
appreciated.

What I'm looking for is perhaps a way to force Vista to re-request for
a TGT as it doesn't seem to be doing so - we don't see any requests from
these clients on the KDC.

Alternatively if there was a way to prevent Vista from failing back to
NTLM and force it to only user Kerberos, perhaps that would solve our
issues as well.

Thanks,

Ben


--
hoodwinkle

hi ben,

did you have a look at the local security policy. also do u try loging
on in domain\username format sometimes the vista clients might try to
authiticate using the localcomputername\username. if they are not
Connected to the domain. Also try this and check the securty policy.

hope this helps

CHeers

hoodwinkle;979478 Wrote:
Hello,

We are experiencing an intermittent issue regarding Kerberos
Authentication with some of our 400 or so Vista SP1 clients.

Our domain environment consists of a Windows 2003 domain with abour 400
standardized Vista SP1 32bit client pcs all running the same OS image
and identical hardware.

We have random reports form about 1% of our users on a daily basis
about not being able to authenticate against our proxy server which only
accepts Kerberos auth (does not fall back to NTLM).

So of course what happens to these users is that they cannot
authenticate against the proxy. The issue is not specific to the same
users, same pc's, same vlans, same subnets etc. - it's completely random
- also it is not dependant on the time of the day either - i.e. not load
related.

We have used klist and kerbtray to show the kerberos tickets available
when this issue happens and there are none! Not even a krbtgt one. In
fact it has reverted back to using NTLM and for whatever reason it does
not request a tgt when a kerberos authenticated service such as our
proxy is being contacted. Once the user logs off and logs back in, the
problem goes away of course. Any thoughts on this would be very much
appreciated.

What I'm looking for is perhaps a way to force Vista to re-request for
a TGT as it doesn't seem to be doing so - we don't see any requests from
these clients on the KDC.

Alternatively if there was a way to prevent Vista from failing back to
NTLM and force it to only user Kerberos, perhaps that would solve our
issues as well.

Thanks,

Ben


--
john_cena

-Shihan Sylvester Pietersz-
-(MCP,MCSA,MCSE+Security,MCSE+Messeging-
-MCTS,MCITP)-
-Systems -::-Engineer / Consultant Trainer- ::