An Avanade Blogging Community


A-fanatic blog - Past results do not guarantee future performance

  • Today: Unwanted patch day

    OK, we have Caps Lock Day, Independence Day.. and today is Unwanted Patch Day..

    Please take note of: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    and patch your Windows systems A.S.A.P...

  • Delegate the right to stop/start replication

    Let's say you want to isolate a domain controller for a certain time; you would issue the command:

    repadmin /options +DISABLE_INBOUND_REPL and/or +DISABLE_OUTBOUND_REPL

    Normally this command requires Domain Admin/Enterprise Admin privileges.
    Why and how to change that is explained below.. first the usual warning:
    playing with ADSIEDIT could damage your domain, please test everything in a lab environment first, blabla.

    NOTE1: Although we can stop replication for a single domain controller (or multiple), issuing repadmin /replicate will not look at the connection object and therefore replication will still occur, so disabling replication this way does not guarantee that inbound/outbound replication is halted completely..

    NOTE2: The instructions below are ONLY for those circumstances where it might be required.. in my case a domain controller had to be isolated for a short period of time while two scripts ran to export and import pre-staged AD data. While the export/import was running we did not want any changes going in or out of the DC. Only after verification of the exported/imported data is replication for this domain controller resumed. In my case I delegate the rights to a service account (which I do not want to make Domain Admin). Delegating to persons is not advisable! Also make sure you have enough monitoring to see whether replication is halted/resumed.

    WARNING: If replication is not re-enabled within the tombstone lifetime the DC will not automatically replicate anymore and will be treated as insecure by other DCs to avoid lingering objects, please check http://technet.microsoft.com/en-us/library/cc757610.aspx

    The replication of a domain controller is handled through a connection object; that object is created by the KCC (or manually when the KCC is disabled..). The connection object defines the from-server, the replication interval, etc etc.. and through the options attribute of this object replication can be disabled or enabled. So the security on the object (or more specifically, the security on the options attribute of the object) defines who can enable/disable replication for a specific connection. Under normal conditions only SYSTEM, Domain Admins and Enterprise Admins have full control rights on these objects.

    Now how to change it: open ADSIEDIT and browse to CN=<DC>,CN=Servers,CN=<SITE>,CN=Sites,CN=Configuration,DC=<DOMAIN>,DC=<EXT>

    Below the server entry you will see the connection object with its GUID. Right-click it and select Properties, then select the Security tab, click Advanced, click Add and add the account you like. Do not click OK yet: click Properties, select Read Options and Write Options, and click OK, OK, OK.

    NOTE3: The options attribute is not solely used to disable/enable replication, it is also used to make a DC a GC etc.. delegating the rights to this attribute also gives the delegated account those rights!

    And a big thanks to: ActiveDir.org and Spat for the info!
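    The same delegation done with the AD PowerShell module instead of clicking through ADSIEDIT, as an added example that is not part of the original post: it grants Read/Write on the options attribute only, scoped to the connection objects under one DC's NTDS Settings, and reads the ACL back so the change can be verified. It assumes the ActiveDirectory module (for the AD: drive); DC01 and DATACENTER1 come from the repadmin output elsewhere on this blog, and the account svc-replctl is hypothetical.

```powershell
# Added example (not the original post's code): delegate Read/Write on the 'options'
# attribute of a DC's nTDSConnection objects to a service account, then read it back.
# Assumes the ActiveDirectory module; DC01/DATACENTER1 are names used on this blog,
# 'svc-replctl' is a hypothetical account.
Import-Module ActiveDirectory

function Get-SchemaAttributeGuid {
    # Resolve the attribute's schemaIDGUID from the schema NC instead of hard-coding it.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if ($null -eq $attr) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    return [guid]$attr.schemaIDGUID
}

function Get-DcConnectionObjects {
    # Connection objects live under CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,<ConfigNC>
    param([Parameter(Mandatory)][string]$DcName, [Parameter(Mandatory)][string]$SiteName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ntdsDn   = "CN=NTDS Settings,CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$configNC"
    Get-ADObject -SearchBase $ntdsDn -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer, options
}

function Grant-ConnectionOptionsRight {
    # Add an Allow ACE for ReadProperty + WriteProperty limited to the 'options' attribute
    # (the same thing as ticking "Read Options" / "Write Options" in ADSIEDIT).
    param(
        [Parameter(Mandatory)][string]$DcName,
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][string]$Account    # e.g. 'ROOTDOMAIN\svc-replctl'
    )
    $optionsGuid = Get-SchemaAttributeGuid -LdapDisplayName 'options'
    $sid    = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier])
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow, $optionsGuid)

    foreach ($conn in Get-DcConnectionObjects -DcName $DcName -SiteName $SiteName) {
        $path = "AD:\$($conn.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.AddAccessRule($rule)
        Set-Acl -Path $path -AclObject $acl
        Write-Host "Granted Read/Write 'options' on $($conn.Name) (fromServer: $($conn.fromServer)) to $Account"
    }
}

function Get-ConnectionOptionsRight {
    # Read back every Allow ACE that is scoped to the 'options' attribute on each connection object.
    param([Parameter(Mandatory)][string]$DcName, [Parameter(Mandatory)][string]$SiteName)
    $optionsGuid = Get-SchemaAttributeGuid -LdapDisplayName 'options'
    foreach ($conn in Get-DcConnectionObjects -DcName $DcName -SiteName $SiteName) {
        $acl = Get-Acl -Path "AD:\$($conn.DistinguishedName)"
        $acl.Access |
            Where-Object { $_.ObjectType -eq $optionsGuid -and $_.AccessControlType -eq 'Allow' } |
            ForEach-Object {
                [pscustomobject]@{
                    Connection = $conn.Name
                    Identity   = $_.IdentityReference.Value
                    Rights     = $_.ActiveDirectoryRights
                    Inherited  = $_.IsInherited
                }
            }
    }
}

# Usage with the blog's DC/site names and a hypothetical service account:
Grant-ConnectionOptionsRight -DcName 'DC01' -SiteName 'DATACENTER1' -Account 'ROOTDOMAIN\svc-replctl'
Get-ConnectionOptionsRight   -DcName 'DC01' -SiteName 'DATACENTER1' | Format-Table -AutoSize
```

    Because the KCC recreates connection objects when it rebuilds the topology, re-run Get-ConnectionOptionsRight after a topology change to confirm the ACE is still present on the new object.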

  • Replication tasks

    When setting up delegation for replication, or other replication tasks, many struggle to find the right object/attribute in AD. I just found a neat link from Microsoft that could come in handy: http://technet.microsoft.com/en-us/library/cc756075.aspx

    With entries like:

    Enable Change Notification between sites (only for IP transport links)

    WP on cn=<SiteLinkName>, cn=IP, cn=Inter-Site Transports, cn=Sites, cn=Configuration, dc=<ForestRootDomain> where the SiteLinkName identifies the associated site link, to modify the options attribute

    or:

    Specify a fixed-port for RPC-based replication

    WP on HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters to modify the registry entry TCP/IP Port

    Next up on this blog: delegating the right to disable/enable replication for a specific DC!

  • Repadmin /expert

    Repadmin is the tool used to troubleshoot replication in an Active Directory forest.. commands like repadmin /replsum (to view a replication summary) or repadmin /showutdvec (to view the USN per domain controller).. are common commands.. it gets tougher when we want to create or modify links during troubleshooting.. then we use /add to add replication links between two servers..

    But aren't replication links what we see in Sites & Services?
    Actually no.. the links are the actual replication agreements between the two servers; each partition of the AD has its own replication link per server.. to view them we can use repadmin:

    Repadmin: running command /showconn against full DC localhost
    Base DN: CN=DATACENTER1,CN=Sites,CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL
    ==== KCC CONNECTION OBJECTS ============================================
    Connection --
        Connection name : 28e853b9-4c32-4288-87c7-d4b09beaab97
        Server DNS name : DC01.ROOTDOMAIN.LOCAL
        Server DN  name : CN=NTDS Settings,CN=DC01,CN=Servers,CN=DATACENTER1,CN=Sites,CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL
            Source: DATACENTER2\DC02
                    No Failures.
            TransportType: IP
            options:  isGenerated overrideNotifyDefault
            ReplicatesNC: CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL
            Reason:  IntersiteTopology
                    Replica link has been added.
            ReplicatesNC: DC=DomainDnsZones,DC=ROOTDOMAIN,DC=LOCAL
            Reason:  IntersiteTopology
                    Replica link has been added.
            ReplicatesNC: DC=ForestDnsZones,DC=ROOTDOMAIN,DC=LOCAL
            Reason:  IntersiteTopology
                    Replica link has been added.
            ReplicatesNC: DC=ROOTDOMAIN,DC=LOCAL
            Reason:  IntersiteTopology
                    Replica link has been added.
    Connection --
        Connection name : 3329e0ea-9caa-4fd8-92aa-12605fdf4773
        Server DNS name : DC01.ROOTDOMAIN.LOCAL
        Server DN  name : CN=NTDS Settings,CN=DC01,CN=Servers,CN=DATACENTER1,CN=Sites,CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL

    So in the above output we have DC1, which has a replication object towards DC2.. within that replication object multiple links exist. As you can see, it replicates ForestDnsZones, DomainDnsZones, Configuration and the Domain.. and I can hear you asking: what about the schema partition? That actually uses the configuration link to replicate and is therefore not shown.

    So you can see the connection object (what you see in Sites and Services) as the container that holds multiple links..

    Now say we have a large forest with a lot of trouble.. DC1 and DC2 do not replicate and the KCC is going nuts about it.. then we can do the following: we can disable the KCC, delete the connection objects and create the connections ourselves.. initiate replication and enable the KCC again so it figures things out on its own again.. There is one advantage of this over the KCC.. as you see in the above output, the KCC uses not the actual server name but the DN of the NTDS object of the target server.. using the repadmin /add command you can specify the server based on FQDN or hostname, basically bypassing the referral process within AD for replication and using the normal name lookup mechanisms. If your DNS is okay, your servers should be able to find each other and replicate normally.

    Now the expert command has two options for adding replication links.. the repadmin /add command and the repadmin /addRepsTo command..
    the question raised is.. what's the difference.. can't I just use one and reverse the inbound/outbound DC?

    The answer is no.. the two different attributes we are referring to in this blog are Reps-From and Reps-To on the connection objects.
    Reps-From is always used (remember, AD is a pull mechanism, not push). The Reps-To attribute is only used when change notification is enabled on the link.. a connection object with a Reps-To will tell the source DC to notify the To partner.. and that partner will use the Reps-From attribute to find the DC to GET the data from..

    Basically.. when you have disabled replication notification for a connection object, in a normal situation the connection object does not have a Reps-To attribute. Now note that the Reps-From and Reps-To attributes are the actual links below a connection object..

    When the KCC is switched on again all values will be overwritten, and Reps-From and Reps-To are overwritten.. since a new connection object is created.. this new connection object created by the KCC uses the fromServer:CN=NTDS,SERVER... attribute for the connection object.. Notification is switched on or off through the options of the connection object (in bit format..), not on the connection link..

    repadmin /add and /addRepsTo are usually used during crisis situations or when trying to remove lingering objects..

    More expert help can be found using repadmin /experthelp

    More info: http://technet.microsoft.com/en-us/library/cc811549.aspx

    <<more information will follow shortly>>
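    To make the "container with multiple links" view above concrete, here is an added example (not from the original post) that parses repadmin /showconn output into one object per connection object, with the options bits (isGenerated tells you whether the KCC or a human created it, which matters once the KCC is re-enabled and overwrites manual connections) and the naming contexts replicated by the links below it. The sample text is constructed from the output quoted in this post; the function names are hypothetical.

```powershell
# Added example (not the original post's code): parse 'repadmin /showconn' text into objects.
# Sample input is constructed from the output quoted in this post; function names are hypothetical.

function ConvertFrom-RepadminShowConn {
    # Turn the lines of 'repadmin /showconn' into one object per connection object.
    param([Parameter(Mandatory)][string[]]$Lines)
    $result  = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq 'Connection --') {
            if ($null -ne $current) { $result.Add([pscustomobject]$current) }
            $current = [ordered]@{
                ConnectionName = $null; ServerDnsName = $null; ServerDn = $null; Source = $null
                TransportType  = $null; Options = @(); IsGenerated = $false; ReplicatesNC = @()
            }
            continue
        }
        if ($null -eq $current) { continue }        # header lines before the first connection
        switch -Regex ($line) {
            '^Connection name\s*:\s*(.+)$' { $current.ConnectionName = $Matches[1]; break }
            '^Server DNS name\s*:\s*(.+)$' { $current.ServerDnsName  = $Matches[1]; break }
            '^Server DN\s+name\s*:\s*(.+)$' { $current.ServerDn      = $Matches[1]; break }
            '^Source:\s*(.+)$'             { $current.Source         = $Matches[1]; break }
            '^TransportType:\s*(.+)$'      { $current.TransportType  = $Matches[1]; break }
            '^options:\s*(.*)$' {
                # options is a bit field on the nTDSConnection object; repadmin prints the set bits by name
                $current.Options     = @($Matches[1] -split '\s+' | Where-Object { $_ })
                $current.IsGenerated = $current.Options -contains 'isGenerated'
                break
            }
            '^ReplicatesNC:\s*(.+)$'       { $current.ReplicatesNC  += $Matches[1]; break }
        }
    }
    if ($null -ne $current) { $result.Add([pscustomobject]$current) }
    return $result
}

function Get-ConnectionReport {
    # Summarise each connection: created by the KCC or manually (e.g. repadmin /add), whether the
    # notification default is overridden, and which naming contexts its links replicate.
    param([Parameter(Mandatory)][object[]]$Connections)
    foreach ($c in $Connections) {
        [pscustomobject]@{
            Connection     = $c.ConnectionName
            Source         = $c.Source
            CreatedBy      = $(if ($c.IsGenerated) { 'KCC' } else { 'manual' })
            NotifyOverride = ($c.Options -contains 'overrideNotifyDefault')
            LinkCount      = $c.ReplicatesNC.Count
            NCs            = ($c.ReplicatesNC -join '; ')
        }
    }
}

# Constructed sample: the /showconn output quoted in this post (second connection truncated as shown)
$sample = @'
Repadmin: running command /showconn against full DC localhost
Base DN: CN=DATACENTER1,CN=Sites,CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL
==== KCC CONNECTION OBJECTS ============================================
Connection --
    Connection name : 28e853b9-4c32-4288-87c7-d4b09beaab97
    Server DNS name : DC01.ROOTDOMAIN.LOCAL
    Server DN  name : CN=NTDS Settings,CN=DC01,CN=Servers,CN=DATACENTER1,CN=Sites,CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL
        Source: DATACENTER2\DC02
                No Failures.
        TransportType: IP
        options:  isGenerated overrideNotifyDefault
        ReplicatesNC: CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL
        ReplicatesNC: DC=DomainDnsZones,DC=ROOTDOMAIN,DC=LOCAL
        ReplicatesNC: DC=ForestDnsZones,DC=ROOTDOMAIN,DC=LOCAL
        ReplicatesNC: DC=ROOTDOMAIN,DC=LOCAL
Connection --
    Connection name : 3329e0ea-9caa-4fd8-92aa-12605fdf4773
    Server DNS name : DC01.ROOTDOMAIN.LOCAL
'@

$connections = ConvertFrom-RepadminShowConn -Lines ($sample -split "`r?`n")
Get-ConnectionReport -Connections $connections | Format-Table -AutoSize

# Against a live DC, feed the tool's output straight in:
# Get-ConnectionReport -Connections (ConvertFrom-RepadminShowConn -Lines (repadmin /showconn))
```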

  • Deleted DN's in attribute fields

    Let's say an object in AD has an attribute that is a reference to another object based on its DN. The targeted object is deleted.. and the attribute value changes to the deleted object's DN, like:

    CN=name\0ADEL:ff920d6f-d823-4fff-9448-b645bd40d5e2,CN=Deleted Objects,DC=child,DC=ROOTDOMAIN,DC=LOCAL

    Now when we try to clone that object to create a new object (for example, user copy), the AD Users & Computers MMC could throw an exception saying: The naming context could not be found. This is due to the fact that an LDAP client cannot retrieve the Deleted Objects container without the proper LDAP control (1.2.840.113556.1.4.417) set. Thus the naming context (and therefore the object) cannot be found and copied to the new object, and the copy fails (at least on 2003 DCs).
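    A check for this condition before copying, as an added example that is not part of the original post: it recognises the \0ADEL: form quoted above, scans every attribute of a live object for such references, and resolves the tombstone with the AD module's -IncludeDeletedObjects switch (which sends the Show Deleted control 1.2.840.113556.1.4.417 for you). The sample DN is the one quoted in the post; the function names are hypothetical.

```powershell
# Added example (not the original post's code): find attribute values that point into the
# Deleted Objects container and look the tombstone up with the Show Deleted control.
# Function names are hypothetical; the sample DN is the one quoted in the post.
Import-Module ActiveDirectory

# Matches "CN=name\0ADEL:<guid>,CN=Deleted Objects,<naming context>"
$DeletedDnPattern = '^(?<rdn>.+?)\\0ADEL:(?<guid>[0-9a-fA-F\-]{36}),CN=Deleted Objects,(?<nc>.+)$'

function Test-DeletedObjectDn {
    param([Parameter(Mandatory)][string]$Dn)
    return [bool]($Dn -match $DeletedDnPattern)
}

function Get-DeletedObjectDnParts {
    # Split a tombstone DN into the original RDN, the objectGUID and the naming context.
    param([Parameter(Mandatory)][string]$Dn)
    if ($Dn -match $DeletedDnPattern) {
        return [pscustomobject]@{
            OriginalRdn   = $Matches['rdn']
            ObjectGuid    = [guid]$Matches['guid']
            NamingContext = $Matches['nc']
        }
    }
    return $null
}

function Get-DeletedDnReference {
    # Scan every attribute of a live object for values that reference tombstoned objects.
    param([Parameter(Mandatory)][string]$Identity)
    $obj = Get-ADObject -Identity $Identity -Properties *
    foreach ($name in $obj.PropertyNames) {
        foreach ($value in @($obj.$name)) {
            if ($value -is [string] -and (Test-DeletedObjectDn -Dn $value)) {
                $parts = Get-DeletedObjectDnParts -Dn $value
                [pscustomobject]@{ Attribute = $name; ObjectGuid = $parts.ObjectGuid; Value = $value }
            }
        }
    }
}

function Get-TombstoneByGuid {
    # Without -IncludeDeletedObjects (the Show Deleted control) this lookup fails, which is
    # exactly why the MMC copy in the post reports that the naming context cannot be found.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    Get-ADObject -Identity $ObjectGuid -IncludeDeletedObjects -Properties isDeleted, lastKnownParent
}

# The value quoted in this post, parsed offline:
$sampleDn = 'CN=name\0ADEL:ff920d6f-d823-4fff-9448-b645bd40d5e2,CN=Deleted Objects,DC=child,DC=ROOTDOMAIN,DC=LOCAL'
Get-DeletedObjectDnParts -Dn $sampleDn

# Against a live object before copying it (hypothetical identity):
# Get-DeletedDnReference -Identity 'CN=Template User,OU=Users,DC=child,DC=ROOTDOMAIN,DC=LOCAL' |
#     ForEach-Object { Get-TombstoneByGuid -ObjectGuid $_.ObjectGuid }
```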

  • Microsoft Certified Master: Windows 2008 - Directory

    !PASSED!

    As one of the first (now 26 worldwide), I can now call myself an MCM: Windows 2008 - Directory!.. Congrats to all the others!

    The Microsoft Certified Master: Windows Server 2008, Active Directory program provides the most in-depth and comprehensive training that is available today for the latest version of Windows Server 2008 with a focus on Active Directory. This three-week training program is delivered by recognized experts from Microsoft and Microsoft Partner organizations.

    Microsoft Certified Master

  • Trial Editions :(

    Don't you just love them..

    If anyone knows how to reset the grace period (and let me finish my Kerberos investigation), let me know.....

    (Windows 2003 SP2)

  • Kerberos part II

    Let's have a look at the debug log with unconstrained delegation:

    388.500> Kerb-Trace: KerbCreateTokenFromTicket for ROOTDOMAIN\Administrator, (null)
    388.500> Kerb-Trace: SpAcceptLsaModeContext called KerbMapContext ContextAttributes 0x5, 0
    388.468> Kerb-Bnd: KerbInsertBinding binding cache disabled
    388.468> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
    388.468> KSupp-Trace: Calling KDC: 192.168.10.1
    388.468> Kerb-SPN: KerbInsertSpnCacheEntry spn cache disabled
    388.468> Kerb-Bnd: KerbInsertBinding binding cache disabled
    388.468> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
    388.468> KSupp-Trace: Calling KDC: 192.168.10.1

    and the constrained one:

    384.472> Kerb-Trace: KerbCreateTokenFromTicket for ROOTDOMAIN\Administrator, (null)
    384.472> Kerb-LSess: KerbCreateLogonSessionFromTicket creating logon session for 0:0x29766, accepting 0:0x3e4, client Administrator@ROOTDOMAIN.LOCAL
    384.472> Kerb-Trace: SpAcceptLsaModeContext called KerbMapContext ContextAttributes 0x5, 0
    384.600> Kerb-Bnd: KerbInsertBinding binding cache disabled
    384.600> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
    384.600> KSupp-Trace: Calling KDC: 192.168.10.1
    384.480> Kerb-Cred: Acquiring cred, S4U required
    384.600> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
    384.600> KSupp-Warning: KerbUnpackData failed to unpack typed data, trying error method data
    384.600> KSupp-Error: KerbUnpackErrorData received failure from kdc 0xd KLIN(0) NTSTATUS(0xc0000272)
    384.484> Kerb-SPN: Found in SPN Cache 00111770
    384.484> Kerb-S4u: Trying S4UProxy for ls 0009E9F8
    384.600> Kerb-S4u: No match on S4UTarget
    384.600> Kerb-Warn: Failed S4Uproxy request c0000272(8)
    384.484> Kerb-Bnd: KerbInsertBinding binding cache disabled
    384.484> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
    384.484> KSupp-Trace: Calling KDC: 192.168.10.1

    Now it is hard to find any link for the error thrown.. but according to http://technet.microsoft.com/en-us/library/cc738673.aspx it is

    0x3 KDC_ERR_BAD_PVNO: Requested protocol version number not supported.

    Both machines are Windows 2003 SP2, but the domain controller is not SP2.. let's upgrade..

    No luck there, but the error has changed!

    472> Kerb-Trace: KerbCreateTokenFromTicket for ROOTDOMAIN\Administrator, (null)
    388.472> Kerb-LSess: KerbCreateLogonSessionFromTicket creating logon session for 0:0x11a81a, accepting 0:0x3e4, client Administrator@ROOTDOMAIN.LOCAL
    388.472> Kerb-Trace: SpAcceptLsaModeContext called KerbMapContext ContextAttributes 0x5, 0
    388.572> Kerb-Warn: KerbGetTgtForService getting new TGT for account
    388.572> Kerb-LSess: KerbFindCommonPaEtype using current password of sp01$@ROOTDOMAIN.LOCAL
    ...

    388.572> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
    388.572> KSupp-Warning: KerbUnpackData failed to unpack typed data, trying error method data
    388.572> KSupp-Error: KerbUnpackErrorData received failure from kdc 0xd KLIN(0) NTSTATUS(0xc0000272)
    388.572> Kerb-S4u: No match on S4UTarget
    388.572> Kerb-Warn: Failed S4Uproxy request c0000272(8)
    388.508> Kerb-Cred: Acquiring cred, S4U required
    388.476> Kerb-S4u: Trying S4UProxy for ls 0009E9F8
    388.476> Kerb-Bnd: KerbInsertBinding binding cache disabled
    388.476> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
    388.476> KSupp-Trace: Calling KDC: 192.168.10.1
    388.476> Kerb-SPN: KerbInsertSpnCacheEntry spn cache disabled
    388.476> Kerb-Warn: Trying to delegate but no forwardable TGT
    388.476> Kerb-Warn: KerbBuildGssChecksum failed to get delegation TGT: 0x8009030e

    ** Apparently the server is not able to get a forwardable TGT.. MS says:

    The Kerberos protocol includes a mechanism called delegation of authentication. When this mechanism is used, the client (the requesting service) delegates authentication to a second service by informing the KDC that the second service is authorized to act on behalf of a specified Kerberos security principal, such as a user that has an Active Directory directory service account. The second service can then delegate authentication to a third service.

    This is accomplished using a proxy TGT or a forwarded TGT. When a proxy TGT is used, the requesting service obtains a TGT for the third service in the security context of a specific user and then passes the TGT to the second service, which uses it to request service tickets. In this case, the requesting service must know the name of the third service. When a forwarded TGT is used, the requesting service obtains a TGT that is marked forwardable for the second service in the security context of the user. The second service can use this TGT to request tickets for other services as needed.

    Only forwardable TGTs can be used for constrained delegation. A TGT can be marked forwardable only if the account under which the requesting service is running has the ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION control flag set. For Forefront TMG, this is the Active Directory computer account of the Forefront TMG computer. This flag is automatically set when the account under which the requesting service is running is configured as trusted for Kerberos constrained delegation in Active Directory.

    In ADSIEDIT the current control flag is set to 4096 -

    WORKSTATION_TRUST_ACCOUNT 0x1000 4096

  • In a galaxy far and far away, we connect

    In my investigation into Kerberos constrained delegation I found a funny packet that needed further investigation.. it's a protocol called LTP-DEEPSPACE..

    in my trace I saw a connection from one of the clients
    192.168.10.2 192.168.10.1 TCP ltp-deepspace > kerberos [SYN] Seq=0 Win=65535 Len=0 MSS=1460

    followed by the ACK

    192.168.10.1 192.168.10.2 TCP kerberos > ltp-deepspace [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460

    Now why would a protocol connect to my Kerberos port.. Google of course gave the answer: ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-irtf-dtnrg-ltp-10.txt

    "
    This document describes the Licklider Transmission Protocol (LTP),
    designed to provide retransmission-based reliability over links
    characterized by extremely long message round-trip times (RTTs)
    and/or frequent interruptions in connectivity.  Since communication
    across interplanetary space is the most prominent example of this
    sort of environment, LTP is principally aimed at supporting "long-
    haul" reliable transmission in interplanetary space, but it has
    applications in other environments as well.

    LTP does Automatic Repeat reQuest (ARQ) of data transmissions by
    soliciting selective-acknowledgment reception reports.  It is
    stateful, and has no negotiation or handshakes.

    In an Interplanetary Internet setting deploying the Bundle protocol
    that is being developed by the Delay Tolerant Networking Research
    Group, LTP is intended to serve as a reliable "convergence layer"
    protocol operating in pairwise fashion between adjacent
    Interplanetary Internet nodes that are in direct RF communication.
    In that operational scenario, and potentially in some other
    deployments of the Bundle Protocol, LTP runs directly over a data-
    link layer protocol; when this is the case, forward error correction
    coding and/or checksum mechanisms in the underlying data-link layer
    protocol must assure the integrity of the data passed between the
    communicating entities.

    Since no mechanisms for flow control or congestion control are
    included in the design of LTP, this protocol is not intended or
    appropriate for ubiquitous deployment in the global Internet.

    When LTP is run over UDP, it must only be used for software
    development or in private local area networks. When LTP is not run
    over UDP, it must be run directly over a protocol, (nominally a link-
    layer protocol), that meets the requirements specified in section 5.
    "

    Nice to know mankind is looking forward to expanding the boundaries of TCP/IP into space

  • Kerberos multiple hops!

     

    You all remember the maximum of 2 hops for Kerberos, right.. well in Microsoft land it works a little differently and it is possible to create a multi-tier Kerberos delegation structure.

    Basically we want the following to happen:

    Client->IIS1->IIS2->IIS3->IIS4 where all hops require Kerberos authentication

    In this case, IIS1, IIS2 and IIS3 need to be trusted for delegation. In my test lab I've used (http://support.microsoft.com/kb/314404) for the setup..

    Reach To IIS server on IIS1
    User Id = ROOTDOMAIN\Administrator
    The Negotiate method was used!
    The user was logged on using Kerberos.

    Attempt to connect to http://IIS2.rootdomain.local/default.asp by using ServerXMLHTTP
    Receiver Status Text: OK (200)

    Reach To IIS server on IIS2
    User Id = ROOTDOMAIN\Administrator
    The Negotiate method was used!
    The user was logged on using Kerberos.

    Attempt to connect to http://IIS3.rootdomain.local/default.asp by using ServerXMLHTTP
    Receiver Status Text: OK (200)

    Reach To IIS server on IIS3
    User Id = ROOTDOMAIN\Administrator
    The Negotiate method was used!
    The user was logged on using Kerberos.

    Attempt to connect to http://IIS4.rootdomain.local/default.asp by using ServerXMLHTTP
    Receiver Status Text: OK (200)

    Reach To IIS server on IIS4
    User Id = ROOTDOMAIN\Administrator
    The Negotiate method was used!
    The user was logged on using Kerberos.

    So the log file shows it all works!.. please keep the above information in mind when designing security for your applications!

    (Explanation: in Microsoft land, each object trusted for delegation requests tickets on behalf of the user instead of using the forwarded ticket from the user. If a trusted object requests a ticket for the next service which is also trusted for delegation, the forwardable flag is not cleared, therefore the next hop can re-request tickets on behalf of the user for the next hop.)

    So if we look at the traffic on IIS2 (called SQL01 here, and IIS3 is called IS02).. you see the IIS2 server requesting a ticket on behalf of the Administrator (user account) for the IIS3 service (IS02.rootdomain.local)

    *****************************************************************

    Constrained Delegation

    So you want to set it up for constrained delegation.. users whose computers are not on the domain must be able to log in to the same application.. that's where things go wrong!..

    Reach To IIS server on SP01
    User Id = ROOTDOMAIN\Administrator
    The Negotiate method was used!
    The user was logged on using Kerberos.
    Please do not refresh this page.

    Attempt to connect to http://SQL01.rootdomain.local/default.asp by using ServerXMLHTTP
    Receiver Status Text: OK (200)

    Reach To IIS server on SQL01
    User Id = ROOTDOMAIN\Administrator
    The Negotiate method was used!
    The user was logged on using Kerberos.
    Please do not refresh this page.

    Attempt to connect to http://IS02.rootdomain.local/default.asp by using ServerXMLHTTP
    Receiver Status Text: Unauthorized (401)
    You are not authorized to view this page

    looks like we can only have two hops.. let's have a look .....

    We set the first IIS server to use constrained delegation (all services) towards the 2nd IIS server. Again, we take a look at the network..

    In the network layer we see the challenge from the IIS webserver (highlighted).. and then NO Kerberos request for a new ticket on behalf of the user.. the server reconnects to the IIS server (192.168.10.3) and cannot provide credentials for Kerberos. The webserver switches over to NTLM (challenge). The server can only answer the NTLM challenge with the server's key (or service account) and therefore breaks the delegation model (access denied message).

    So the question lies in what the first IIS webserver does when requesting a ticket on behalf of the user in constrained and unconstrained delegation. Again we switch over to the network capture..

    In an unconstrained delegation model, the 1st webserver requests a ticket with options: 4081000 (forwardable, Renewable, Canonicalize) for the 2nd webserver (url sql01.rootdomain.local).

    Now as we enable constrained delegation (allowing users to log on with another authentication protocol) we see the difference:

    The ticket itself has the Constrained Delegation flag set! and that is probably why this ticket cannot be used to get another ticket on behalf of the user on the 2nd webserver.

    * The quest continues..

    I did another packetsniff let's take a look at what happens in order:

    The client connects to the webserver and retrieves an unauthorized:
       17 -7172.250000 192.168.10.2 192.168.10.14 HTTP HTTP/1.1 401 Unauthorized  (text/html)
    The client requests its Ticket Granting Ticket
       19 -7172.203125 192.168.10.14 192.168.10.1 KRB5 AS-REQ
             KDCOptions: 40810010 (Forwardable, Renewable, Canonicalize, Renewable OK)
             Client Name (Principal): Administrator
             Realm: ROOTDOMAIN.LOCAL
    The client receives its AS-REP
       20 -7172.171875 192.168.10.1 192.168.10.14 KRB5 AS-REP

    Then the client wants its TGS (service ticket)
       21 -7172.156250 192.168.10.14 192.168.10.1 KRB5 TGS-REQ
             KDCOptions: 40800000 (Forwardable, Renewable)
             Server Name (Service and Instance): HTTP/sp01.rootdomain.local
             Name: HTTP
             Name: sp01.rootdomain.local
    The client receives the ticket
       22 -7172.140625 192.168.10.1 192.168.10.14 KRB5 TGS-REP
    And reconnects to the webserver with authorization
       24 -7172.109375 192.168.10.14 192.168.10.2 HTTP GET / HTTP/1.1 
          [truncated] Authorization: Negotiate IFCQYGKwYBBQUCoIIE/TCCBPmgJDAiBgkqhkiC


    Let's take it from there and switch to the SP01.rootdomain.local server
    The first thing we see is our ltp-deepspace connection (see other posting)
    19 -7193.078125 192.168.10.2 192.168.10.1 TCP ltp-deepspace > kerberos [SYN] Seq=0 Win=65535 Len=0 MSS=1460

    Although the Kerberos ticket for the user was already presented, the next thing we see is another request:
       23 -7193.062500 192.168.10.2 192.168.10.1 KRB5 TGS-REQ
          KDCOptions: 40830000 (Forwardable, Renewable, Constrained Delegation, Canonicalize)
          Server Name (Service and Host): host/sp01.rootdomain.local
             Name-type: Service and Host (3)
             Name: host
             Name: sp01.rootdomain.local
          

    Note that 192.168.10.2 IS the host itself and that the host is requesting a ticket for itself! Let's compare that to the unconstrained request in another packet sniff: the first packet we see there is the request for the next hop, so the client itself is NOT requesting a host ticket when unconstrained delegation is used:

       28 -7198.734375 192.168.10.2 192.168.10.1 KRB5 TGS-REQ
          KDCOptions: 40810000 (Forwardable, Renewable, Canonicalize)
          Server Name (Service and Instance): HTTP/sql01.rootdomain.local
             Name-type: Service and Instance (2)
             Name: HTTP
             Name: sql01.rootdomain.local

    Followed by another request immediately:
       30 -7198.734375 192.168.10.2 192.168.10.1 KRB5 TGS-REQ
          KDCOptions: 60810010 (Forwardable, Forwarded, Renewable, Canonicalize, Renewable OK)
           Server Name (Service and Instance): krbtgt/ROOTDOMAIN.LOCAL 
             Name-type: Service and Instance (2)
             Name: krbtgt
             Name: ROOTDOMAIN.LOCAL

    Back to the original constrained delegation packet.. after requesting a ticket for the host, an error is thrown back:
       25 -7193.031250 192.168.10.1 192.168.10.2 KRB5 KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH
          error_code: KRB5KDC_ERR_BADOPTION (13)
          Server Name (Service and Host): host/sp01.rootdomain.local
             Name-type: Service and Host (3)
             Name: host
             Name: sp01.rootdomain.local
          e-data PA-PW-SALT
                Value: 720200C00000000003000000
                NT Status: STATUS_NO_MATCH (0xc0000272)

    Apparently we are not receiving the Kerberos ticket, and there is no retry.. the next packet is the next hop request:
       34 -7192.640625 192.168.10.2 192.168.10.3 HTTP GET /default.asp HTTP/1.1
       37 -7192.062500 192.168.10.3 192.168.10.2 HTTP HTTP/1.1 401 Unauthorized  (text/html)

    And the request for the next hop ticket:
       43 -7192.046875 192.168.10.2 192.168.10.1 KRB5 TGS-REQ
          KDCOptions: 40830000 (Forwardable, Renewable, Constrained Delegation, Canonicalize)
          Server Name (Service and Instance): HTTP/sql01.rootdomain.local
             Name-type: Service and Instance (2)
             Name: HTTP
             Name: sql01.rootdomain.local

    The SQL01 hop tries the same request for the host ticket but receives the same error:
       
    34 -7186.406250 192.168.10.1 192.168.10.3 KRB5 KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH

    Now let's investigate the error..

    I've enabled Kerberos error logging (debug level) and found:

    (How to turn on debug output

    There are a number of ways to view the debug output from Kerberos. The easiest way is by logging the debug output to a file and then opening this file in Notepad.

    1. Click Start, click Run, type regedit.exe, and then press ENTER.
       Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

    2. Open the following registry key:
       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\

    3. Create the following entry:
       Value: KerbDebugLevel
       Type: DWORD
       Data: c0000043 (this value will print the most standard set of debug messages. Try it first. If you still want to see more output, set it to ffffffff).

    4. Create the following entry in the same registry location:
       Value: LogToFile
       Type: DWORD
       Data: 1

    5. Reproduce the error.

    6. Open the file lsass.log, located in the System32 directory of your Windows folder. You can find the debug output inside this file.)

    384.488> Kerb-Trace: KerbCreateTokenFromTicket for ROOTDOMAIN\Administrator, (null)
    384.488> Kerb-Trace: SpAcceptLsaModeContext called KerbMapContext ContextAttributes 0x5, 0
    384.500> Kerb-SPN: Found in SPN Cache 00111770
    384.500> Kerb-Bnd: KerbInsertBinding binding cache disabled
    384.500> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
    384.500> KSupp-Trace: Calling KDC: 192.168.10.1
    384.472> Kerb-Trace: KerbCreateTokenFromTicket for ROOTDOMAIN\Administrator, (null)
    384.472> Kerb-LSess: KerbCreateLogonSessionFromTicket creating logon session for 0:0x29766, accepting 0:0x3e4, client Administrator@ROOTDOMAIN.LOCAL
    384.472> Kerb-Trace: SpAcceptLsaModeContext called KerbMapContext ContextAttributes 0x5, 0
    384.600> Kerb-Bnd: KerbInsertBinding binding cache disabled
    384.600> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
    384.600> KSupp-Trace: Calling KDC: 192.168.10.1
    384.480> Kerb-Cred: Acquiring cred, S4U required
    384.600> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
    384.600> KSupp-Warning: KerbUnpackData failed to unpack typed data, trying error method data
    384.600> KSupp-Error: KerbUnpackErrorData received failure from kdc 0xd KLIN(0) NTSTATUS(0xc0000272)
    384.484> Kerb-SPN: Found in SPN Cache 00111770
    384.484> Kerb-S4u: Trying S4UProxy for ls 0009E9F8
    384.600> Kerb-S4u: No match on S4UTarget
    384.600> Kerb-Warn: Failed S4Uproxy request c0000272(8)
    384.484> Kerb-Bnd: KerbInsertBinding binding cache disabled
    384.484> Kerb-Bnd: Calling kdc 192.168.10.1 for realm ROOTDOMAIN.LOCAL
    384.484> KSupp-Trace: Calling KDC: 192.168.10.1

    So the request for a ticket on behalf of the client fails; therefore the next hop SQL01 can still be reached with the client's initial ticket, however that ticket is limited to only 2 hops. This is also seen on the client (XP) side when listing the active tickets:

    Cached Tickets: (2)

       Server: krbtgt/ROOTDOMAIN.LOCAL@ROOTDOMAIN.LOCAL
          KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
          End Time: 8/15/2008 21:07:02
          Renew Time: 8/22/2008 11:07:02


       Server: HTTP/sp01.rootdomain.local@ROOTDOMAIN.LOCAL
          KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
          End Time: 8/15/2008 21:07:02
          Renew Time: 8/22/2008 11:07:02

    So after the 2nd hop (SQL) the initial ticket is not valid anymore and cannot be forwarded to the next hop. Access Denied is the result..
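    An added example of my own (not from the post) that runs a small check over the trace lines quoted above: it picks out the "S4U required" request, the KDC error and the failed S4Uproxy line and decodes the codes, 0xd being KDC_ERR_BADOPTION in the RFC 4120 error table and 0xc0000272 being STATUS_NO_MATCH (which is what the "No match on S4UTarget" line says in words). The sample lines embedded in the script are the ones from the trace above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the lines from the LSA Kerberos trace quoted above that explain the failure.
SAMPLE_TRACE = """\
384.480> Kerb-Cred: Acquiring cred, S4U required
384.600> Kerb-Warn: KerbGetTgsTicket failed to unpack KDC reply: 0x3c
384.600> KSupp-Error: KerbUnpackErrorData received failure from kdc 0xd KLIN(0) NTSTATUS(0xc0000272)
384.600> Kerb-S4u: No match on S4UTarget
384.600> Kerb-Warn: Failed S4Uproxy request c0000272(8)
"""

# Code tables: Kerberos error codes per RFC 4120, NTSTATUS values per the Windows headers.
KDC_ERRORS = {0x0D: "KDC_ERR_BADOPTION"}    # the KDC refused the requested ticket options
NTSTATUS = {0xC0000272: "STATUS_NO_MATCH"}  # the numeric form of "No match on S4UTarget"

LINE_RE = re.compile(r"^(?P<ts>[\d.]+)>\s*(?P<comp>[\w-]+):\s*(?P<msg>.*)$")
KDC_FAIL_RE = re.compile(r"failure from kdc 0x(?P<kdc>[0-9a-fA-F]+).*NTSTATUS\(0x(?P<nt>[0-9a-fA-F]+)\)")
S4U_FAIL_RE = re.compile(r"Failed S4Uproxy request (?P<nt>[0-9a-fA-F]+)\(\d+\)")

@dataclass
class Finding:
    timestamp: str
    kind: str      # s4u_requested | kdc_error | s4u_failed
    detail: str

def parse_trace(text: str) -> List[Finding]:
    """Keep only the events that explain why the on-behalf-of (S4U2Proxy) ticket was refused."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a "<time>> Component: message" line
        ts, comp, msg = m.group("ts", "comp", "msg")
        if comp == "Kerb-Cred" and "S4U required" in msg:
            findings.append(Finding(ts, "s4u_requested", msg))
        elif (k := KDC_FAIL_RE.search(msg)):
            kdc, nt = int(k["kdc"], 16), int(k["nt"], 16)
            findings.append(Finding(ts, "kdc_error", "%s / %s" % (KDC_ERRORS.get(kdc, hex(kdc)), NTSTATUS.get(nt, hex(nt)))))
        elif (s := S4U_FAIL_RE.search(msg)):
            nt = int(s["nt"], 16)
            findings.append(Finding(ts, "s4u_failed", NTSTATUS.get(nt, hex(nt))))
    return findings

def delegation_broken(findings: List[Finding]) -> bool:
    """True when the service asked for an S4U ticket and the KDC turned the S4U2Proxy request down."""
    kinds = {f.kind for f in findings}
    return "s4u_requested" in kinds and "s4u_failed" in kinds
```

    Run it over a full trace file instead of SAMPLE_TRACE to see at which hop the delegation chain breaks.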

  • Kerberos & PAC validation

     
    Basically, all Kerberos tickets in Windows have a PAC (that holds all the groups of the identity). If the resource that is accessed is NOT running under the system account (but under a user/service account), the resource will send the PAC to the nearest domain controller for verification. That DC verifies the PAC and gives the green light.

    So in the real world:

    Say you have a resource, a DC and a client. The client accesses the resource, which runs under a service account; the client retrieves the Kerberos ticket for the resource (if the SPNs are registered etc. etc.) and the client can access it (the resource gets the PAC, hands it to the DC etc.). Now the Kerberos ticket the client got will be valid for 10 hours of course, but let's say the connection to the resource is broken (user closes the application or something) and the DC goes down.. now even if the user reconnects to the resource within that 10 hour limit, he will NOT gain access to the resource since the PAC validation will fail! The KB talks about the resolution for that.
  • Preparing for the visit to MS

    Hi

    The time has come, I get to go to Redmond! I will be attending the new Windows 2008 Master program..

    No holiday trip though, the course runs every day of the week (including weekends) starting at 8AM with just one day off (probably to catch some required sleep and do homework).

    So probably no sleep, lots of new things and hopefully the right to carry the new Master logo.

    The Microsoft Certified Master: Windows Server 2008, Active Directory program provides the most in-depth and comprehensive training that is available today for the latest version of Windows Server 2008 with a focus on Active Directory. This three-week training program is delivered by recognized experts from Microsoft and Microsoft Partner organizations.

    Microsoft Certified Master
    More information, and of course whether I made it to the top, will follow!

  • How to authenticate

    So the problem:

    All mailboxes of the users are migrated to a central Exchange server, coming from various Exchange 5.5/2003/2003 mail servers (contact me if you want to know how :) ), and the mailboxes were cloned.. Now the client needs to be pointed to the new Exchange server, else Outlook will not work. The challenge: how do you change your MAPI profile?

    We had 4 scenarios:

    1: The domain is NT4, no trust, or no domain at all!
    2: The domain the user is in has a trust with the Exchange domain
    3: The domain the user is in is a Windows 2000/2003/2008 domain, no trust
    4: The user is in the domain

    I've created a script that takes into account these 4 different options and uses them to determine the actual authentication path. To migrate the MAPI profile itself we used the program EXPROFRE.exe.

    ExprofRe has to be called like: ExprofRe.exe /logfile=  /targetGc=

    The problem is the authentication to the target GC..

    1: When there is no trust and the source domain is NT4 or a standalone machine, we use NTLM passthrough authentication. Inside the script we create a new local user with the same username and password as a user in the target domain. To add this user (while a regular user is logged in) we do a runas:

    Sub CreateProfmigAccount()
     ' Scenario 1 (NT4 / no trust): create a local account whose username and
     ' password match an account in the target domain, so NTLM passthrough works.
     ' NET USER is started through runas as the local admin; the admin password
     ' is typed into the runas prompt with SendKeys.
     ExtDiag " Running in NT migration mode, user account must exist"
     Set StdOut = WScript.StdOut
     strWindir = WshShell.ExpandEnvironmentStrings("%Windir%")
     
     On Error Resume Next
     
     ' Nothing to do when the account is already there
     Set objUser = GetObject("WinNT://" & gstrClient & "/" & strMigUser)
     If err=0 Then
      Out " Account already exists."
      Exit Sub
     Else
      Set objUser = Nothing
      err.clear
     End If
     
     Diag " Admin account : " & strLocalAdmin
     Diag " Account to create : " & strMigUser
     
     Call MigrationAccountCheck
     
     ' Note: strProg (and so the ExtDiag output) contains the cleartext migration password
     strProg = "CMD /C NET USER " & strMigUser & " " & Unscramble(strMigPass) & " /ADD"
     strCmd = "runas /env /user:" & Unscramble(strLocalAdmin) & " """ & strProg & """"
     ExtDiag strCmd
     rc=WshShell.Run(strCmd,2,False)
     ' Wait until the runas window has focus, then type the admin password
     strWindowTitle = strWindir & "\System32\runas.exe"
     ExtDiag strWindowTitle
     bolResult = False
     bolResult = WshShell.AppActivate(strWindowTitle)
     While bolResult = False
      StdOut.WriteLine " Focus Failed, retrying."
      WScript.Sleep 50
      bolResult = WshShell.AppActivate(strWindowTitle)
     Wend
     StdOut.WriteLine " Focus succeeded."
     strLocalAdminPass2=Unscramble(strLocalAdminPass)
     WshShell.SendKeys(strLocalAdminPass2 & "~")
     WScript.Sleep 1000
     ' Poll up to 10 times (1 second apart) for the new account to show up
     bolCreated = False
     Retry = 0
     Do While bolCreated = False And Retry < 10
      WScript.Sleep 1000
      Set objUser = GetObject("WinNT://" & gstrClient & "/" & strMigUser)
      If err=0 Then
       Diag " Account created."
       Exit Sub
      Else
       Set objUser = Nothing
       Retry = Retry + 1
       Diag " Did not find user, rechecking (" & Retry & ")"  ' was "tetry", an undeclared variable
       err.clear
      End If
     Loop
     Diag " Account was not found after " & Retry & " checks."
     
    End Sub


    After the local user is created we do roughly the same thing, kicking off ExprofRe with the /netonly option and with the newly created user. Because of /netonly the GC is reached with an account that has the same username/password as an account in the target domain. Of course the account is also deleted afterwards.

    2: When there is no trust between the domains, we can use UPN suffixes. Add a new UPN suffix to the target domain (migrations.local for example). Create a new user in the target domain (GC@migrations.local) and create exactly the same user in the Windows 2000/2003/2008 source domain.

    On the client side we can now do a runas /netonly /user:GC@migrations.local Exprof....blabla

    3: When there is a trust, just use runas /netonly /user:<targetdomain>\username Exprof blabla

    4: just run Exprof  with the options

    So basically, there are numerous ways to script around authentication; use your imagination to see which one fits your requirements.

    Sub RunExprofRE(strValue2)
     ' *********ExProfRedirector runner************************
     ' Runs ExprofRe with MigUser credentials in RunAs /Netonly
     '  First sets command ready and creates CMD object
     '  then runs cmd window with command
     '  finally enters the password using sendkey's
     '*********************************************************

     Set StdOut = WScript.StdOut
     strLogonServer = WshShell.ExpandEnvironmentStrings("%LogonServer%")
     strWindir = WshShell.ExpandEnvironmentStrings("%Windir%")

     ' Log file is <computer>-<user>-<strValue2>.log in strLogLocation
     If useRPC=0 Then
      strProg = strExprofRe & " /logfile=" & strLogLocation & "\" & WshNetwork.ComputerName & "-" & "%USERNAME%" & "-" & strValue2 & ".log /q /targetgc=" & strGCServer
     Else 
      ' The closing Chr(34) after ".log" was missing, which left the rest of the command line inside the log file name
      strProg = strExprofRe & " /logfile=" & Chr(34) & strLogLocation & "\" & WshNetwork.ComputerName & "-" & "%USERNAME%" & "-" & strValue2 & ".log" & Chr(34) & " /q /targetgc=" & strGCServer & " /p=" & strRpcPath
     End If
     Diag strProg

     If ScriptMode=4 Then
      'Mode 4: the user is in the target domain, so no runas is needed
      Diag "Running Mode 4 of script, running:"
      Diag strProg
      StdOut.WriteLine " Command initialized"
      rc=WshShell.Run(strProg,2,False)
     Else
      'Modes 1-3 wrap ExprofRe in runas /netonly so only the network credentials change
      Select Case ScriptMode
       Case 1 'NT4: local account created by CreateProfmigAccount
       strCmd = "runas /env /netonly /user:" & gstrClient & "\" & strMigUser & " " & Chr(34) & strProg & Chr(34)
       Diag "==> COMMAND THAT WILL BE RAN <===== NT4 Mode"
       Diag strCmd
       Case 2 ' UPN migration: strMigUser holds user@<UPN suffix>
       strCmd = "runas /env /netonly /user:" & strMigUser & " " & Chr(34) & strProg & Chr(34)
       Diag "==> COMMAND THAT WILL BE RAN <===== UPN Mode"
       Diag strCmd
       Case 3 ' Trusted Domain Migration: strMigUser holds <targetdomain>\username
       strCmd = "runas /env /netonly /user:" & strMigUser & " " & Chr(34) & strProg & Chr(34)
       Diag "==> COMMAND THAT WILL BE RAN <===== TRUST Mode"
       Diag strCmd
      End Select
      
      Diag "Command initialized"
      rc=WshShell.Run(strCmd,2,False)
      
      strWindowTitle = strWindir & "\System32\runas.exe"
      'Wait for the runas window to get focus
      bolResult = False
      bolResult = WshShell.AppActivate(strWindowTitle)
      While bolResult = False
       ExtDiag " Preparing Command for Execution"
       WScript.Sleep 50
       bolResult = WshShell.AppActivate(strWindowTitle)
      Wend
     
      StdOut.WriteLine " Executing command"
      'Sending Password (ExtDiag only gets the scrambled form, the cleartext goes to the runas prompt)
      strMigPass2=Unscramble(strMigPass)
      ExtDiag strMigPass
      WshShell.SendKeys(strMigPass2 & "~")
     End If
     
    End Sub

  • Cops Spying

    A nice article in tweakers.net/Parool this morning..

    Apparently the cops are hacking into computer systems these days (well, they did it of course for a long long LOOOONG time.. but they admitted it now :) ).. To place the listening software they use backdoors of unpatched systems, "forgotten USB sticks" and e-mail attachments.. in the hope the bad guys are actually dumber than they are..

    Of course the cops are very enthusiastic about these "new" technologies since they can use your webcam to take pictures, use the mic to hear you talk etc.. and since Skype has very good encryption this is the easiest way to intercept phone calls. And now for the actual news of this post.. the law neither permits nor prohibits this method.. it's just not mentioned in Dutch law!.. so the cops say it is legal because there is no law against it, opponents claim it is illegal since it is not (yet) approved..

    Waiting for trial cases.. in the meantime, if you are a bad guy.. PATCH your system.. do NOT plug in found USB drives and DO NOT open attachments sent by persons you do not know/trust.. aaah wait.. wasn't that the advice already for everyone for like 5 years!!

  • Next RID number

    So let's say you want to know how many objects are created on a domain controller, or you want to see when it's receiving a new RID pool?

    Check out the RID Set:

     

    Set ObjRid= GetObject ("LDAP://CN=RID Set,CN=DC01,OU=Domain Controllers,DC=fabrikam,DC=com")

    It lists all the properties that the LOCAL! DC uses to hand out RID numbers.. if rIDPreviousAllocationPool and rIDAllocationPool are the same, the server is still on its initial RID pool.. but that can also be seen by looking at the creation and modification dates of course (whenCreated, whenChanged)

    Putting:

    Set ObjRid= GetObject ("LDAP://CN=RID Set,CN=NLDATADC04,OU=Domain Controllers,DC=intra,DC=NUMICO,DC=NET")
    intRidNumber=objrid.rIDNextRID
    wscript.echo "Rid Number:" & intRidNumber

    in a script will give you the next RID number.. but that is PER domain controller!

    (UPDATE: it is not the next RID being given out.. it's the last used RID; MS docs are going to be updated)

    The large number must be split (for example in the LDP Large Integer Converter). Low = number of given out SIDs to all DCs (per 500) and the high number is the top of the RID pool.

    Just for fun :)
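    As an added example (mine, not from the post), the same split done in Python: the low 32 bits of rIDAllocationPool are read as the first RID of the pool and the high 32 bits as its last RID (the "top"), rIDNextRID is treated as the last RID handed out as the UPDATE says, and the "previous pool equals current pool" check from above is included. The attribute values in the sample are constructed, not read from a real DC.

```python
# Constructed sample shaped like the attributes the post reads from the RID Set object.
# rIDAllocationPool / rIDPreviousAllocationPool are AD large integers: the low 32 bits
# hold the first RID of the pool and the high 32 bits the last one (the top of the pool).
SAMPLE_RID_SET = {
    "rIDAllocationPool": (1599 << 32) | 1100,          # pool 1100..1599, i.e. 500 RIDs
    "rIDPreviousAllocationPool": (1599 << 32) | 1100,  # identical: DC still on its initial pool
    "rIDNextRID": 1342,                                # per the UPDATE: the last RID handed out
}


def split_large_integer(value) -> tuple:
    """Split an AD large integer into (low, high) 32-bit halves, like LDP's converter does.

    Accepts an int or the decimal string an LDAP query returns for the attribute.
    """
    value = int(value)
    if not 0 <= value < 1 << 64:
        raise ValueError("not a 64-bit large integer: %r" % value)
    return value & 0xFFFFFFFF, value >> 32


def rid_pool_status(rid_set: dict) -> dict:
    """Decode one DC's RID Set into a readable pool status (all numbers are per DC)."""
    low, high = split_large_integer(rid_set["rIDAllocationPool"])
    prev = split_large_integer(rid_set["rIDPreviousAllocationPool"])
    last_used = int(rid_set["rIDNextRID"])
    pool_size = high - low + 1
    return {
        "pool_start": low,
        "pool_end": high,
        "pool_size": pool_size,
        "last_used_rid": last_used,
        # RIDs this DC can still hand out before it needs a fresh pool; clamped so a
        # last-used RID that still lies in the previous pool counts as a full new pool
        "rids_left": min(pool_size, max(0, high - last_used)),
        # the post's check: previous pool == current pool means no new pool was ever fetched
        "initial_pool": (low, high) == prev,
    }


if __name__ == "__main__":
    for key, val in rid_pool_status(SAMPLE_RID_SET).items():
        print("%-14s %s" % (key, val))
```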