Archive for December, 2007

Merry Christmas

Wishing each and every person a merry Christmas on this special day… that we unwrap our goodies, forget to read the manual and wish we’d bought two bags full of batteries.

SpittingCAML


By SpittingCAML in Random

Problems Experienced with Windows 2003 Server SP2

Having had a visit from the nice fella from K2 [blackpearl], we discovered that our present network setup had a few issues.

K2 requires that we have Kerberos enabled on our Active Directory. We spoke to the guys who head up our network infrastructure and they assured us that Kerberos was enabled, and a KDC was available. Brilliant… K2 should just work then… well… no, actually.

We think… and it’s a big *think*… that because our Domain Controllers are running Windows 2003 Server SP1, whilst our servers run SP2 (because MOSS 2007 requires this as a prerequisite), there are some incompatibility issues.

It would seem that services that ran as “LOCAL SYSTEM” pre-SP2 now run as “LOCAL SERVICE” under SP2. This is screwing with our Windows Time Service… the Kerberos tokens are then expiring and not being renewed. This results in K2 not functioning correctly, as it needs Kerberos to work!

Please comment on any of this, as I may have got the wrong end of the stick!

It’s not an option right now to upgrade our entire server infrastructure to SP2… there are, of course, many implications, and we have many applications to support, not only MOSS and K2.

We’ll keep digging and hopefully get to the bottom of this.

SpittingCAML


By SpittingCAML in Windows 2003 Server

Enabling Kerberos Authentication

Following the training course, it’s been put to me that we should really be using Kerberos for our authentication model, especially as it’s going to solve lots of the multi-hop authentication issues.

I need to look into how Service Principal Names (SPNs) are used.

The command:

setspn.exe -A HTTP/servername ADDomain\usernameidentityforapppool

will enable Kerberos authentication, once we’ve configured a web application that will utilise Kerberos.

According to sources, NTLM and Kerberos will work together, with NTLM taking precedence when the Key Distribution Center (KDC) is unavailable or if a client machine has an unsynchronised clock.

There is a KB article on this subject:
Microsoft KB Article

SpittingCAML


By SpittingCAML in Kerberos, Windows 2003 Server
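
A check worth running after the setspn.exe -A command in the post above, as an added example that is not part of the original post: it parses `setspn -L` output and flags an SPN held by more than one account (a duplicate stops Kerberos working for that service name) and short host names with no fully qualified counterpart. The account names, host names and sample output are constructed, and registering both the short and FQDN forms is assumed here as common practice.

```python
import re
from collections import defaultdict

# Constructed sample: `setspn -L <account>` output for two accounts, concatenated.
SAMPLE = (
    "Registered ServicePrincipalNames for CN=svc-apppool,OU=Service Accounts,DC=example,DC=local:\n"
    "\tHTTP/intranet\n"
    "\tHTTP/intranet.example.local\n"
    "\tHTTP/reports\n"
    "Registered ServicePrincipalNames for CN=WEB01,OU=Servers,DC=example,DC=local:\n"
    "\tHOST/WEB01\n"
    "\tHOST/WEB01.example.local\n"
    "\tHTTP/intranet\n"
)

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_setspn(text):
    """Map each SPN (lower-cased for comparison) to the set of accounts holding it."""
    owners = defaultdict(set)
    account = None
    for line in text.splitlines():
        match = HEADER.match(line)
        if match:
            account = match.group(1)          # start of a new account's listing
        elif line.strip() and account:
            owners[line.strip().lower()].add(account)
    return owners

def duplicate_spns(owners):
    """SPNs registered on more than one account."""
    return {spn: sorted(accts) for spn, accts in owners.items() if len(accts) > 1}

def missing_fqdn(owners, service="http"):
    """Short host names for a service class that have no dotted (FQDN) SPN."""
    hosts = {spn.split("/", 1)[1] for spn in owners if spn.startswith(service + "/")}
    return sorted(h for h in hosts
                  if "." not in h and not any(f.startswith(h + ".") for f in hosts))

if __name__ == "__main__":
    owners = parse_setspn(SAMPLE)
    for spn, accts in duplicate_spns(owners).items():
        print("DUPLICATE", spn, "->", "; ".join(accts))
    for host in missing_fqdn(owners):
        print("NO FQDN SPN for", host)
```
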

