Friday, March 9, 2012

Kerberos in Cross-Forest trust - Fails back to NTLM or Cannot

I established a Windows 2003 level cross-forest trust between
domain.local and domain.com.
I cannot get domain.com to allow Kerberos authentication using a
domain.local user.
I am using SQL Server 2005 w/SQL Server Management Studio as the
application.
I can test which authentication scheme (NTLM or Kerberos) is used by
issuing this query:

select auth_scheme from sys.dm_exec_connections where session_id = @@spid

I've tested a few different scenarios with user, workstation and
server:

USER          WORKSTATION   SERVER        Result
domain.local  domain.local  domain.local  KERBEROS
domain.local  domain.local  domain.com    Cannot generate SSPI Context
domain.local  domain.com    domain.com    NTLM
domain.com    domain.com    domain.com    KERBEROS

So basically, using the domain.local user, I can connect between two
domain.local servers using KERBEROS, between two domain.com servers
using NTLM, but can't connect from domain.local to domain.com with the
error "Cannot Generate SSPI Context".
I've gone through tons of online blogs, whitepapers, etc. I have
checked the SPNs, ensured the accounts and computers are trusted for
delegation, checked the firewall for blocked traffic...
Any ideas?

None?
On Nov 28, 5:01 pm, Neufusion <mikeymil...@gmail.com> wrote:
> I established a Windows 2003 level cross-forest trust between
> domain.local and domain.com.
> I cannot get domain.com to allow Kerberos authentication using a
> domain.local user.
> I am using SQL Server 2005 w/SQL Server Management Studio as the
> application.
> I can test which authentication scheme (NTLM or Kerberos) is used by
> issuing this query:
>
> select auth_scheme from sys.dm_exec_connections where session_id = @@spid
>
> I've tested a few different scenarios with user, workstation and
> server:
>
> USER          WORKSTATION   SERVER        Result
> domain.local  domain.local  domain.local  KERBEROS
> domain.local  domain.local  domain.com    Cannot generate SSPI Context
> domain.local  domain.com    domain.com    NTLM
> domain.com    domain.com    domain.com    KERBEROS
>
> So basically, using the domain.local user, I can connect between two
> domain.local servers using KERBEROS, between two domain.com servers
> using NTLM, but can't connect from domain.local to domain.com with the
> error "Cannot Generate SSPI Context".
> I've gone through tons of online blogs, whitepapers, etc. I have
> checked the SPNs, ensured the accounts and computers are trusted for
> delegation, checked the firewall for blocked traffic...
> Any ideas?
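As an added example (not from the original thread), a wider version of the poster's auth_scheme check: it joins sys.dm_exec_connections to sys.dm_exec_sessions so the authentication scheme can be read per Windows login, client host and transport across every current connection, which shows NTLM fallback from the trusted forest without logging in from each workstation. The DMVs, columns and DEFAULT_DOMAIN() are standard SQL Server 2005+ objects; the domain names are the ones from the post.

```sql
-- Added diagnostic (not from the original post). Run on the domain.com
-- SQL Server; needs VIEW SERVER STATE. Works on SQL Server 2005 and later.

-- 1. Every current Windows-authenticated connection, with the scheme in use.
SELECT
    s.login_name,                 -- e.g. DOMAIN\user
    s.nt_domain,                  -- NetBIOS domain of the Windows account
    s.host_name,                  -- client workstation
    c.client_net_address,
    c.net_transport,              -- TCP, Named pipe, Shared memory ...
    c.auth_scheme,                -- KERBEROS or NTLM for Windows logins
    COUNT(*) AS connections
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
  ON s.session_id = c.session_id
WHERE s.is_user_process = 1
  AND c.auth_scheme IN ('KERBEROS', 'NTLM')
GROUP BY s.login_name, s.nt_domain, s.host_name,
         c.client_net_address, c.net_transport, c.auth_scheme
ORDER BY c.auth_scheme, s.nt_domain, s.login_name;

-- 2. Only cross-forest logins (accounts from a domain other than the
--    server's own) that have fallen back to NTLM; these are the sessions
--    whose Kerberos path across the trust is not working.
SELECT s.login_name, s.nt_domain, s.host_name, c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s
  ON s.session_id = c.session_id
WHERE c.auth_scheme = 'NTLM'
  AND s.nt_domain <> DEFAULT_DOMAIN();   -- DEFAULT_DOMAIN() = server's NetBIOS domain
```

Reading the result against the poster's table: a domain.local login listed with KERBEROS confirms the SPN and trust path resolved end to end; the same login listed with NTLM is the silent fallback seen in the third row, and "Cannot generate SSPI context" is the case where the client resolved an SPN, attempted Kerberos and failed rather than falling back, so those sessions never appear in the DMVs at all and have to be traced on the client and the KDC instead.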
