Kerberos logon to Terminal Server prevents folder redirection.


Microsoft Applications Security - Microsoft's general security discussions and announcements 

Posted by McDavid on May 22, 2009, 11:02 am
Environment:
- Windows 2008 x64 Server Standard
- Kerberos Token Size set to maximum

Issue:
When our users logon to our Terminal Servers using kerberos, they receive a
temporary profile and none of the Folder Redirection policies are applied.
The event log reports both processing failing with "Logon failure: unknown
user name or bad password.". However the user is successfully logged onto
the server using kerberos. The server hosting the profiles also reports
"unknown user name or bad password" in the security log and the
authentication package as NTLM. The users can navigate to the network
locations of their roaming profiles and redirected folders just fine without
any errors.

If the users logon to our Terminal Servers using NTLM, their roaming profile
is loaded and folder redirection policies applied successfully.

Kerberos is the required authentication method for logging into our Terminal
Servers. We are using Citrix Web Interface and single signon leverages
kerberos.

Posted by McDavid on May 22, 2009, 11:54 am
I turned on Kerberos logging on the Terminal Server. When the user logs into
the Terminal Server using kerberos, the logon process attempts to load their
profile and redirect their profiles using kerberos. This is failing because
we don't have SPNs registered for these resources. I'm guessing the logon
process then attempts NTLM and that is failing because they didn't login with
NTLM.

Is there any way to get the fallback to NTLM to function? If not, how does
one go about registering SPNs for file-shares that are cluster resources
(virtual IPs and computer names that aren't registered in Active Directory)?
In addition, how does one go about registering SPNs for DFS roots?

Any/all help is appreciated.

Thanks.

"McDavid" wrote:

> Environment:
> - Windows 2008 x64 Server Standard
> - Kerberos Token Size set to maximum
>
> Issue:
> When our users logon to our Terminal Servers using kerberos, they receive a
> temporary profile and none of the Folder Redirection policies are applied.
> The event log reports both processing failing with "Logon failure: unknown
> user name or bad password.". However the user is successfully logged onto
> the server using kerberos. The server hosting the profiles also reports
> "unknown user name or bad password" in the security log and the
> authentication package as NTLM. The users can navigate to the network
> locations of their roaming profiles and redirected folders just fine without
> any errors.
>
> If the users logon to our Terminal Servers using NTLM, their roaming profile
> is loaded and folder redirection policies applied successfully.
>
> Kerberos is the required authentication method for logging into our Terminal
> Servers. We are using Citrix Web Interface and single signon leverages
> kerberos.
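The two questions in the post above come down to one check a domain administrator can script: is there a cifs/<name> SPN for each server that hosts profiles and redirected folders, and on which AD account is it registered? Kerberos can only issue a service ticket if the SPN sits on an account that holds the service's key (the file server's computer object, or the cluster network name's computer object), so a name with no AD account cannot be reached over Kerberos at all. The script below is an added diagnostic example, not code from the thread or from Microsoft; it assumes it is run on the Terminal Server by an account that can query Active Directory with setspn (shipped with Windows Server 2008) and read the Security log. The host names are placeholders, and the setspn output strings it matches are assumptions to verify against your build. The second function looks for the symptom the poster reports: 4625 logon failures whose authentication package is NTLM and whose status is 0xC000006D ("unknown user name or bad password"), which is consistent with the poster's guess that the logon process drops to NTLM after the Kerberos ticket request fails.

```powershell
# Added diagnostic example; not from the original posts. Host names are placeholders.

# 1. Is there a CIFS SPN for each file server, and which account owns it?
$fileServers = @('fs-cluster-netname', 'dfs-root-server')   # placeholders for your own names

function Test-CifsSpn {
    param([string]$HostName)
    # setspn -Q searches the forest for the SPN. Assumed output strings:
    # "Existing SPN found!" when present, "No such SPN found." when absent.
    $output = & setspn.exe -Q "cifs/$HostName" 2>&1 | Out-String
    if ($output -match 'Existing SPN found') {
        # The line beginning with CN= names the AD account the SPN is registered on
        $owner = ($output -split "`r?`n" | Where-Object { $_ -match '^CN=' } | Select-Object -First 1)
        New-Object PSObject -Property @{ Host = $HostName; Spn = "cifs/$HostName"; Registered = $true;  Owner = $owner }
    } else {
        New-Object PSObject -Property @{ Host = $HostName; Spn = "cifs/$HostName"; Registered = $false; Owner = $null }
    }
}

$fileServers | ForEach-Object { Test-CifsSpn -HostName $_ } | Format-Table Host, Spn, Registered, Owner -AutoSize

# 2. Look for NTLM logon failures with STATUS_LOGON_FAILURE (0xC000006D) in the Security log.
#    Event 4625 is read through its XML so the fields are taken by name rather than by parsing
#    the message text. Run the same function on the file server to see the other side.
function Get-NtlmFallbackFailures {
    param([int]$Hours = 1)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # -eq is case-insensitive, so the lowercase hex the XML carries matches
            if ($data['AuthenticationPackageName'] -eq 'NTLM' -and $data['Status'] -eq '0xc000006d') {
                New-Object PSObject -Property @{
                    Time        = $_.TimeCreated
                    User        = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    Workstation = $data['WorkstationName']
                    Status      = $data['Status']
                }
            }
        }
}

Get-NtlmFallbackFailures -Hours 24 | Format-Table Time, User, Workstation, Status -AutoSize
```

A host that shows Registered = $false in the first table is one the logon process cannot reach over Kerberos; if it is a cluster network name, the SPN has to be added to the cluster name's computer object (setspn -S checks for duplicates before adding), and a name with no computer object needs one before any SPN can help. NTLM failures in the second table that line up with Kerberos logons, while the same users have no trouble browsing the shares interactively, match the behaviour the thread describes.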

Posted by Peter Foldes on May 22, 2009, 4:59 pm
McDavid

You will be better off by posting this to a Server related Security newsgroup

On the web:
http://www.microsoft.com/communities/newsgroups/list/en-us/default.aspx?dg=microsoft.public.windows.server.security


--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

>I turned on Kerberos logging on the Terminal Server. When the user logs into
> the Terminal Server using kerberos, the logon process attempts to load their
> profile and redirect their profiles using kerberos. This is failing because
> we don't have SPNs registered for these resources. I'm guessing the logon
> process then attempts NTLM and that is failing because they didn't login with
> NTLM.
>
> Is there any way to get the fallback to NTLM to function? If not, how does
> one go about registering SPNs for file-shares that are cluster resources
> (virtual IPs and computer names that aren't registered in Active Directory)?
> In addition, how does one go about registering SPNs for DFS roots?
>
> Any/all help is appreciated.
>
> Thanks.
>
> "McDavid" wrote:
>
>> Environment:
>> - Windows 2008 x64 Server Standard
>> - Kerberos Token Size set to maximum
>>
>> Issue:
>> When our users logon to our Terminal Servers using kerberos, they receive a
>> temporary profile and none of the Folder Redirection policies are applied.
>> The event log reports both processing failing with "Logon failure: unknown
>> user name or bad password.". However the user is successfully logged onto
>> the server using kerberos. The server hosting the profiles also reports
>> "unknown user name or bad password" in the security log and the
>> authentication package as NTLM. The users can navigate to the network
>> locations of their roaming profiles and redirected folders just fine without
>> any errors.
>>
>> If the users logon to our Terminal Servers using NTLM, their roaming profile
>> is loaded and folder redirection policies applied successfully.
>>
>> Kerberos is the required authentication method for logging into our Terminal
>> Servers. We are using Citrix Web Interface and single signon leverages
>> kerberos.
