Understanding Kerberos Double Hop

Hi, Steve here. Kerberos Double Hop is a term used to describe our method of maintaining the client’s Kerberos authentication credentials over two or more connections. In this fashion we can retain the user’s credentials and act on behalf of the user in further connections to other servers. Please make sure you read the previous… Read more

Kerberos Authentication problems – Service Principal Name (SPN) issues – Part 3

Rob here. Now we have seen what it looks like when there is no Service Principal Name defined, and when the Service Principal Name is not unique in the forest. We will now cover what things look like when the Service Principal Name is NOT added to the correct account. We are still using the… Read more

Kerberos Authentication problems – Service Principal Name (SPN) issues – Part 2

Rob here. So, we saw in Part 1 what kind of error you could expect when there is no Service Principal Name defined for the Kerberos ticket the application is requesting. The next part I would like to show you is what might be the error message you would get if there were multiple accounts… Read more

Kerberos Authentication problems – Service Principal Name (SPN) issues – Part 1

Hi Rob here again. I hope that you found the first blog on troubleshooting Kerberos Authentication problems caused by name resolution informative and learned something about how to review network captures as well as how the SMB protocol works at a high level when reviewing a network trace. This time we are going to focus… Read more

Troubleshooting Kerberos Authentication problems – Name resolution issues

Hi Rob here. I thought I would show you how we in Microsoft Commercial Technical Support typically troubleshoot Kerberos authentication issues. This discussion should do much to get you more comfortable viewing network traces for Kerberos authentication problems. There are other ways to troubleshoot Kerberos; one could use the Kerberos event logging outlined in KB… Read more

Kerberos for the Busy Admin

Hi Rob here, I am a Support Escalation Engineer in Directory Services out of Charlotte, NC, USA. We work a lot of Kerberos authentication failure issues. Since Kerberos is typically the first authentication method attempted, it ends up having authentication failures more often. One of the great things about Windows is that the product seems… Read more

Understanding “Read Only Domain Controller” authentication

Hello there. Bob Drake here to discuss how Windows Server 2008 “Read Only Domain Controllers” (RODC’s) authenticate users differently from the way Windows Server 2003 and Windows Server 2008 standard domain controllers do. The “Read Only Domain Controller” is new to Windows Server 2008 and allows for the installation of a domain controller to accommodate… Read more

What’s in a Token

Hi, Randy here. This is my first blog post to help explain authentication and authorization. This post will be helpful in understanding “Access is Denied” messages and how to troubleshoot when these happen. I’d like to start with an explanation of the security token. When you log on to a system, you provide credentials in… Read more