Clients cannot Authenticate using Kerberos Active Directory Authentication


Symptoms

Kerberos authentication fails. However, if credentials are entered manually at the client as the user's UPN and Active Directory password, the client connects successfully.

Cause

Version 1.3 of Softalk Share Server and later versions try to avoid problems with multiple SPNs in the following ways:

  • Setup adds the SPN for either the currently-logged-on user, if installed as an executable, or the user under which the service runs, if installed as a service
  • Setup deletes the relevant redundant SPNs if it is changing from an executable to a service, and vice versa
  • Setup deletes the relevant redundant SPNs if the user under which the server is run is changed
  • Server uninstall deletes the SPN for the currently-logged-on user or the user under which the service runs

However, if the server application of Softalk Share Server is installed on more than one computer in the forest, SPNs can be registered under more than one user account, which causes Kerberos authentication to fail.

More Info

Warning: This FAQ describes editing attribute values in Active Directory and should be carried out carefully.

Note:

References to Server Computer mentioned herein refer to the computer on which the Softalk Share Server server application is installed; this may or may not be a computer with a server operating system installed.

References to Softalk Share Server mentioned herein refer not to the physical computer, but to the application responsible for the server side of Softalk Share Server. This may or may not run as a Windows Service.

References to Client mentioned herein refer to a computer on which the Softalk Share Server client application is installed.

References to Softalk Share Server user mentioned herein refer to the user under which the Softalk Share Server service is running. When this document refers to the Softalk Share Server user, then this user shall be deemed one of the following:

If Softalk Share Server is running as a service, this user can be identified by opening services.msc, opening the properties of the Softalk Share Server service, selecting the Log On tab and recording the user entered in the textbox next to the "This account" label. The service may not log on as the Local System account in this instance, as that account does not have any permissions over Active Directory.

If Softalk Share Server is running as an executable, Softalk Share Server will have been added to the startup folder of All Users. The Softalk Share Server user shall therefore be deemed the currently logged-on user. It is recommended that Softalk Share Server be reinstalled as a service before commencing.

Summary

Active Directory authentication will fail if the relevant servicePrincipalName value exists in Active Directory on any account other than the user account under which the Softalk Share Server service runs. An SPN must map to exactly one account: when the KDC finds the same service name on more than one account it cannot issue a service ticket for it.

Also, the client computers will need to be rebooted before they reflect the modifications to the SPN values in Active Directory, because the reboot clears the Kerberos tickets cached on each client.

Detail

To establish which servicePrincipalName values exist in Active Directory, run the following command on the domain controller from the command line:

ldifde -f c:\check_SPN2.txt -t 3268 -d "" -l servicePrincipalName -r "(servicePrincipalName=Softalk Business Server/*)" -p subtree

Port 3268 is the global catalog, so with an empty search base (-d "") the command searches every domain in the forest. It creates a file called check_SPN2.txt in the root of C: (the path may be changed if so desired). This file should be opened in a text editor.

The file will list all AD entries that have a servicePrincipalName value of Softalk Business Server/* (the asterisk functions as a wildcard). Note that the service class used by the product's SPNs is "Softalk Business Server", not "Softalk Share Server".

All of these servicePrincipalName values should be deleted except for those on the account of the Softalk Share Server user. The values should be deleted using ADSI Edit.

The procedure for downloading and using ADSI Edit is described hereunder.

On the Softalk Share Server computer, download and install Windows 2003 Support Tools from Microsoft's website. (On Windows Server 2008 and later, ADSI Edit is included with the Active Directory Domain Services tools in the Remote Server Administration Tools and no separate download is needed.)

Once the utilities have been downloaded, navigate to %ProgramFiles%\Support Tools\ and run ADSI Edit

Inside ADSI Edit Expand the following:

ADSI Edit > Domain [computername.domain.local] > DC=domain,DC=local

(computername.domain.local will reflect the computer name and domain of the computer in question)

Note: the values should not be deleted for the Softalk Share Server user

Expand the CN(s) or OU(s) containing the first user to be examined.

Right-click on the user in question and then select properties.

Select the servicePrincipalName attribute (focus may be given to the listbox and typing "serviceP" started to select this value quickly) and then click on the Edit button. Delete all of the values starting with Softalk Business Server; other values should not be deleted, as these belong to, and will affect, other applications.

This action should be performed for all users returned in check_SPN2.txt except for the Softalk Share Server user.

After all the required values have been removed, re-run the ldifde command mentioned in the beginning of this procedure to confirm that the only returned entries are for the Softalk Share Server user.

Once satisfied that the Softalk Share Server user is the only user with a Softalk Business Server servicePrincipalName, the domain controller, the server computer and all involved clients should be rebooted for the changes to take effect.
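The ldifde search and the ADSI Edit clean-up above can be done in one pass from PowerShell. The script below is an added example for this article and is not Softalk's code. It assumes the ActiveDirectory module (RSAT) is installed, that the caller may edit servicePrincipalName on the affected accounts, and that the service account's sAMAccountName is svc-softalk (a made-up name; use the value shown under "This account" on the service's Log On tab). It runs the same global-catalog query as the ldifde command, removes only the "Softalk Business Server/" values from every account other than the service account, and then re-queries to confirm a single holder remains.

```powershell
# Added example (not Softalk's code): find and clean up duplicate
# "Softalk Business Server/*" SPNs across the forest.
# Assumptions: ActiveDirectory module available; caller can edit
# servicePrincipalName; 'svc-softalk' is the service's Log On account
# (made-up name, change it). If that account lives in another domain,
# add -Server <its domain> to the Get-ADUser call.
Import-Module ActiveDirectory

$ServiceAccountSam = 'svc-softalk'
$SpnPrefix         = 'Softalk Business Server/'

# Resolve the account to keep so the comparison is by DN, not display name.
$keep = Get-ADUser -Identity $ServiceAccountSam -Properties servicePrincipalName

# Same search as the article's ldifde command: global catalog port 3268 with an
# empty search base, which covers every domain partition in the forest.
$gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
function Get-SoftalkSpnHolders {
    Get-ADObject -Server "${gc}:3268" -SearchBase '' -SearchScope Subtree `
        -LDAPFilter "(servicePrincipalName=$SpnPrefix*)" `
        -Properties servicePrincipalName
}

# Writes cannot go through the GC port, so derive each object's own domain
# from its DN and target a writable DC in that domain.
function Get-DomainDnsFromDN([string]$dn) {
    ([regex]::Matches($dn, '(?:^|,)DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value }) -join '.'
}

foreach ($obj in Get-SoftalkSpnHolders) {
    # Only the product's own values are touched; SPNs of other services stay.
    $stale = @($obj.servicePrincipalName | Where-Object { $_ -like "$SpnPrefix*" })
    if ($obj.DistinguishedName -eq $keep.DistinguishedName) {
        Write-Host "KEEP   $($obj.DistinguishedName): $($stale -join '; ')"
        continue
    }
    if ($stale.Count -eq 0) { continue }

    $dc = (Get-ADDomainController -Discover -Writable `
              -DomainName (Get-DomainDnsFromDN $obj.DistinguishedName)).HostName |
          Select-Object -First 1
    Write-Host "REMOVE $($obj.DistinguishedName) via ${dc}: $($stale -join '; ')"
    # Review the output with -WhatIf first, then drop the switch to apply.
    Set-ADObject -Identity $obj.DistinguishedName -Server $dc `
        -Remove @{ servicePrincipalName = $stale } -WhatIf
}

# Re-check, as the article does with a second ldifde run: after the clean-up
# the service account should be the only holder returned.
$remaining = Get-SoftalkSpnHolders |
    Where-Object { $_.DistinguishedName -ne $keep.DistinguishedName }
if ($remaining) {
    Write-Warning "Duplicate holders still present: $($remaining.DistinguishedName -join ', ')"
} else {
    Write-Host "Only $($keep.DistinguishedName) holds $SpnPrefix* SPNs."
    Write-Host "Purge client ticket caches (klist purge) or reboot the clients."
}
```

Run it once as written: every removal is reported but not applied because of -WhatIf. Remove the switch only after the KEEP line names the correct service account, since deleting its SPN would break Kerberos for everyone. As an independent cross-check, setspn -X -F reports every duplicate SPN in the forest, not just this product's.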
