Kerberos enforced in W2k/NT4 environment

Anonymous
March 31, 2005 6:07:02 PM

Archived from groups: microsoft.public.win2000.security

I have a large environment with multiple domains. Users in all NT4 domains
are unable to access a shared dir on a few servers in the W2K domain.
Permissions are set to everyone / full control. Users will get error "There
are currently no logon servers available" when trying to access share outside
the W2K domain. Is it possible that the default domain policy to enforce
Kerberos auth is causing this problem? It seems more like a WINS issue to me
but WINS db's seem to be up to date and replication is working correctly. Any
help is appreciated!

Thanks!
Anonymous
April 1, 2005 4:05:31 AM


There is no direct way to force Kerberos authentication in a domain. As a matter
of fact, if you refer to a domain resource by its IP address instead of name
then Kerberos will NOT be used, so try to access a share as in
\\xxx.xxx.xxx.xxx\share using the actual IP address of the server. There
could be an incompatibility in security options, however, such as for
digitally sign communications, LAN Manager authentication level, or
anonymous access. You can check Local Security Policy on those servers and
check the effective settings for those options. Relatively safe but
compatible settings would be to disable digitally sign communications
"always" for server, set LAN Manager authentication level to be send NTLMv2
responses only, and for additional restrictions for anonymous connections to
be do not allow enumeration of SAM and shares. The link below explains in
much more detail; look for "example of compatibility problems" for the
various security settings.

http://support.microsoft.com/default.aspx?scid=kb;en-us;823659

Since NT4.0 does rely on NetBIOS over TCP/IP, WINS could be an issue. Make
sure that those servers and domain controllers in the W2K domains are also
WINS clients and that you see their records in the WINS database for domain
controller and such in the WINS servers in the domain you are trying to gain
access from. From your NT4.0 domain controllers you should be able to ping
the W2K domain controllers and resource servers by name and IP address. The
link below may help. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;139410


"Jacknov75" <Jacknov75@discussions.microsoft.com> wrote in message
news:3AA406E7-0EBA-4447-BE84-465B1891747F@microsoft.com...
>I have a large environment with multiple domains. Users in all NT4 domains
> are unable to access a shared dir on a few servers in the W2K domain.
> Permissions are set to everyone / full control. Users will get error
> "There
> are currently no logon servers available" when trying to access share
> outside
> the W2K domain. Is it possible that the default domain policy to enforce
> Kerberos auth is causing this problem? It seems more like a WINS issue to
> me
> but WINS db's seem to be up to date and replication is working correctly.
> Any
> help is appreciated!
>
> Thanks!
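
Added example, not part of the original thread: one way to check the three security options named in the reply across several servers is to run `secedit /export /cfg <file>` on each and audit the `[Registry Values]` section offline. The thresholds below are an assumption that treats anything stricter than the values the reply suggests as a likely down-level compatibility problem; the sample export is constructed.

```python
import re

# Registry-backed security options named in the reply, written relative to
# MACHINE\ as they appear under [Registry Values] in a `secedit /export` file.
LSA = r"system\currentcontrolset\control\lsa"
SRV = r"system\currentcontrolset\services\lanmanserver\parameters"

# Assumed thresholds: flag values stricter than the reply's "compatible" ones.
CHECKS = {
    SRV + r"\requiresecuritysignature": (
        "Digitally sign server communication (always)",
        lambda v: v == 1,
        "clients that cannot sign SMB traffic are refused"),
    LSA + r"\lmcompatibilitylevel": (
        "LAN Manager authentication level",
        lambda v: v >= 4,
        "LM (4) or LM and NTLM (5) responses are refused"),
    LSA + r"\restrictanonymous": (
        "Additional restrictions for anonymous connections",
        lambda v: v >= 2,
        "no access without explicit anonymous permissions"),
}

LINE = re.compile(r"^machine\\(?P<key>[^=]+)=(?P<type>\d+),(?P<value>\d+)\s*$", re.I)

def audit(inf_text):
    """Return [(option, value, reason)] for settings stricter than the reply suggests."""
    findings = []
    for raw in inf_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group("type") != "4":  # 4 = REG_DWORD
            continue
        check = CHECKS.get(m.group("key").lower())
        if check and check[1](int(m.group("value"))):
            findings.append((check[0], int(m.group("value")), check[2]))
    return findings

# Constructed sample export (real exports are typically UTF-16; decode first).
SAMPLE = r"""[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
"""

if __name__ == "__main__":
    for option, value, reason in audit(SAMPLE):
        print(f"{option} = {value}: {reason}")
```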