Kerberos enforced in W2k/NT4 environment

Archived from groups: microsoft.public.win2000.security

I have a large environment with multiple domains. Users in all NT4 domains
are unable to access a shared dir on a few servers in the W2K domain.
Permissions are set to everyone / full control. Users will get error "There
are currently no logon servers available" when trying to access share outside
the W2K domain. Is it possible that the default domain policy to enforce
Kerberos auth is causing this problem? It seems more like a WINS issue to me
but WINS db's seem to be up to date and replication is working correctly. Any
help is appreciated!

Thanks!
  1. Archived from groups: microsoft.public.win2000.security

    There is no direct way to force Kerberos authentication in a domain. As a matter
    of fact, if you refer to a domain resource by its IP address instead of name
    then Kerberos will NOT be used, so try to access a share as in
    \\xxx.xxx.xxx.xxx\share using the actual IP address of the server. There
    could be an incompatibility in security options, however, such as for
    digitally sign communications, LAN Manager authentication level, or
    anonymous access. You can check Local Security Policy on those servers and
    check the effective settings for those options. Relatively safe but
    compatible settings would be to disable digitally sign communications
    "always" for server, set LAN Manager authentication level to be send NTLMv2
    responses only, and for additional restrictions for anonymous connections to
    be do not allow enumeration of SAM and shares. The link below explains in
    much more detail; look for "example of compatibility problems" for the
    various security settings.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;823659

    Since NT4.0 does rely on NetBIOS over TCP/IP, WINS could be an issue. Make
    sure that those servers and domain controllers in the W2K domains are also
    WINS clients and that you see their records in the WINS database for domain
    controller and such in the WINS servers in the domain you are trying to gain
    access from. From your NT4.0 domain controllers you should be able to ping
    the W2K domain controllers and resource servers by name and IP address. The
    link below may help. --- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;139410


    "Jacknov75" <Jacknov75@discussions.microsoft.com> wrote in message
    news:3AA406E7-0EBA-4447-BE84-465B1891747F@microsoft.com...
    > I have a large environment with multiple domains. Users in all NT4 domains
    > are unable to access a shared dir on a few servers in the W2K domain.
    > Permissions are set to everyone / full control. Users will get error "There
    > are currently no logon servers available" when trying to access share outside
    > the W2K domain. Is it possible that the default domain policy to enforce
    > Kerberos auth is causing this problem? It seems more like a WINS issue to me
    > but WINS db's seem to be up to date and replication is working correctly. Any
    > help is appreciated!
    >
    > Thanks!
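
The reply's three suggested settings can be checked across many servers by comparing saved `reg query` output against them. This is an added example, not part of the original thread: the registry value names are those documented in KB 823659, and the sample output and function names are constructed for illustration.

```python
import re

# Registry data matching the three settings the reply suggests (value names
# as documented in KB 823659). Keys are (key path suffix, value name).
SUGGESTED = {
    (r"control\lsa", "lmcompatibilitylevel"): 3,    # send NTLMv2 response only
    (r"services\lanmanserver\parameters",
     "requiresecuritysignature"): 0,                # sign communications (always): off
    (r"control\lsa", "restrictanonymous"): 1,       # no enumeration of SAM accounts/shares
}
VALUE_RE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)\s*$")

def parse_reg_query(text):
    """Map (lowercased key path, lowercased value name) -> int."""
    found, key = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_LOCAL_MACHINE\\"):
            key = line.strip().lower()
            continue
        m = VALUE_RE.match(line)
        if m and key:
            raw = m.group(2)
            found[(key, m.group(1).lower())] = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    return found

def audit(text):
    """Return [(value name, current data or None, suggested data)] for mismatches."""
    found = parse_reg_query(text)
    report = []
    for (suffix, name), want in SUGGESTED.items():
        have = next((v for (k, n), v in found.items()
                     if k.endswith(suffix) and n == name), None)
        if have != want:  # None means the value is absent and the OS default applies
            report.append((name, have, want))
    return report

# Constructed sample: output saved from `reg query` on one file server.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x5
    RestrictAnonymous    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
    EnableSecuritySignature    REG_DWORD    0x1
    RequireSecuritySignature    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for name, have, want in audit(SAMPLE):
        print(f"{name}: current={have} suggested={want}")
```

A value reported as `None` is not present in the saved output, so the operating system default applies and the effective setting should be confirmed in Local Security Policy.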