Kerberos Authentication in an Unbound Namespace

I have a problem with Kerberos on my network.

My Active Directory domain name is configured as "acme.com". However, the DNS suffix is "wifi.acme.com". On a computer (endpoint1), I tried to execute an SMB request to endpoint2:

    dir \\endpoint2.wifi.acme.com\admin$

which fails with the following error:

"Request not supported."

I have a security policy that restricts NTLM outbound connections (Network Security: Restrict NTLM: NTLM outbound traffic to remote servers).

In Wireshark I see that the Kerberos TGS request returned with an error:

"err-s-principal-unknown kerberos".

I tried the following solutions without success:

Is there a solution to this problem without changing the DNS suffix and Active Directory domain to the same name?

Thanks.
