Subject: You cannot reach a Kerberized service without proper DNS settings
Author: authen
Posted on: 06/01/2009 10:15:54 PM
While accessing a Kerberized service, e.g. an LDAP operation, the client needs to contact the KDC to get a Kerberos service ticket (TGS) for that service. If the FQDN used in the service principal name (SPN) is not properly registered in the DNS server, the service cannot be matched to its principal from outside and the TGS request will fail.
Some clients, like LDP.exe, will then silently fall back to another protocol (NTLM) instead.
For example, for the given service:
SPN:
ldap/myServer.myDomain.com@MYDOMAIN.COM
The FQDN "myServer.myDomain.com" must be registered in the DNS server as:
DNS:
(forward) myServer --> 10.11.12.13
(reverse) 10.11.12.13 --> myServer.myDomain.com
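As an added example (not part of the original post), a small Python checker that applies exactly this rule: it splits the SPN, resolves the host forward, resolves the resulting address backward, and reports any mismatch. It uses the standard socket resolver by default; the in-memory forward/reverse tables below are constructed test data, not real records.

```python
import socket
from typing import Callable, List, Optional, Tuple


def parse_spn(spn: str) -> Tuple[str, str, Optional[str]]:
    """Split 'service/host@REALM' into (service, host, realm); realm may be absent."""
    principal, _, realm = spn.partition("@")
    service, sep, host = principal.partition("/")
    if not sep or not service or not host:
        raise ValueError(f"not a host-based SPN: {spn!r}")
    return service, host, realm or None


def check_spn_dns(
    spn: str,
    forward: Callable[[str], str] = socket.gethostbyname,
    reverse: Callable[[str], str] = lambda ip: socket.gethostbyaddr(ip)[0],
) -> List[str]:
    """Return a list of findings; an empty list means forward and reverse records agree."""
    findings: List[str] = []
    _service, host, _realm = parse_spn(spn)
    if "." not in host:
        findings.append(f"host part {host!r} is not an FQDN")
    try:
        ip = forward(host)                      # forward lookup: name -> address
    except OSError:
        return findings + [f"no forward (A) record for {host!r}"]
    try:
        rname = reverse(ip)                     # reverse lookup: address -> name
    except OSError:
        return findings + [f"no reverse (PTR) record for {ip}"]
    if rname.lower() != host.lower():           # DNS names compare case-insensitively
        findings.append(f"reverse record for {ip} is {rname!r}, expected {host!r}")
    return findings


# Constructed zone data for offline testing: one consistent host, two broken ones.
FORWARD = {"myserver.mydomain.com": "10.11.12.13",
           "other.mydomain.com": "10.11.12.14",
           "short": "10.11.12.15"}
REVERSE = {"10.11.12.13": "myServer.myDomain.com",
           "10.11.12.14": "alias.myDomain.com"}


def fake_forward(name: str) -> str:
    if name.lower() not in FORWARD:
        raise socket.gaierror(-2, "Name or service not known")
    return FORWARD[name.lower()]


def fake_reverse(ip: str) -> str:
    if ip not in REVERSE:
        raise socket.herror(1, "Unknown host")
    return REVERSE[ip]
```

Run it against the real resolver by calling `check_spn_dns("ldap/myServer.myDomain.com@MYDOMAIN.COM")` from the client machine that fails; any non-empty result is the DNS gap to fix before looking at Kerberos itself.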
References: