Jan 09, 2009 at 04:49 PM

Kerberos issues with BOXI 3.1 during Windows AD logon

I am trying to configure BOXI 3.1 for Windows AD logon through .Net InfoView.

I have created a service user: BO_Service_User.

I have run setspn on one of my domain controllers: setspn -A BOBJCentralMS/TR.DOMAIN.COM BO_Service_User

It reported running successfully and I can see it if I run 'setspn -L BO_Service_User'. This command returns: BOBJCentralMS/TR.Domain.com (note: mixed case domain name).

I have entered the SPN into the CMC as: BOBJCentralMS/BO_Service_UseratDOMAIN.COM

I have bcsLogin.conf and krb5.ini in c:\windows (my real Windows directory) and c:\winnt as follows:

[libdefaults]
    default_realm = THOROGOOD.COM
    dns_lookup_kdc = true
    dns_lookup_realm = true

[realms]
    THOROGOOD.COM = {
        default_domain = DOMAIN.COM
        kdc = ES-DC-01.DOMAIN.COM
    }

I have tested Kerberos using: kinit.exe BO_Service_User, and this creates a ticket. (This failed until I manually created the path c:\winnt\ and put bcsLogin.conf and krb5.ini into it.)

My problem is that in the .Net InfoView I get the following message when trying to log in:

"Account Information Not Recognized: Kerberos target name BOBJCentralMS/BO_Service_UseratDOMAIN.COM is unknown"

For the service account, do I need to select "Use DES encryption types for this account"?

Do I need to run setspn on each of the domain controllers in a single domain?

Is the fact that the case is different when I run setspn -L important? I have tried deleting the SPN and creating it again, but it returns in the same case.

Any suggestions on how I fix this would be appreciated.

Thanks

Al.

Edited by: Julius Bussche on Jan 12, 2009 6:27 PM
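
An added example, not part of the original post and not SAP's code: a Python check that the krb5.ini shown above is internally consistent and that the target name quoted in the error is among the SPNs `setspn -L` returned. The inputs are copied from the post; the function names are hypothetical, and treating SPN comparison as case-insensitive is an assumption.

```python
import re

# Inputs copied from the post: krb5.ini text, `setspn -L` output, error name.
KRB5_INI = """[libdefaults]
default_realm = THOROGOOD.COM
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
THOROGOOD.COM = {
default_domain = DOMAIN.COM
kdc = ES-DC-01.DOMAIN.COM
}
"""
REGISTERED_SPNS = ["BOBJCentralMS/TR.Domain.com"]
REQUESTED_SPN = "BOBJCentralMS/BO_Service_UseratDOMAIN.COM"

def parse_krb5(text):
    """Parse [section] / key = value / name = { ... } lines into dicts."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line and line[0] not in "#;":
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:  # keys such as kdc may repeat, so collect values in a list
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def check(conf, registered, requested):
    """Return a list of findings; an empty list means the inputs agree."""
    findings = []
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    stanza = conf.get("realms", {}).get(realm)
    if realm is None:
        findings.append("no default_realm in [libdefaults]")
    elif not isinstance(stanza, dict):
        findings.append(f"default_realm {realm} has no [realms] stanza")
    elif not stanza.get("kdc"):
        findings.append(f"realm {realm} lists no kdc")
    # Assumption: SPN matching ignores case, so compare case-folded strings.
    if requested.casefold() not in {spn.casefold() for spn in registered}:
        findings.append(f"{requested} is not among the registered SPNs")
    return findings

print(check(parse_krb5(KRB5_INI), REGISTERED_SPNS, REQUESTED_SPN))
```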