[cvsnt] Re: Protocol :ext: not working
Tony Hoyle
tony.hoyle at march-hare.com
Mon Jul 11 16:38:58 BST 2005
Gill Ernst wrote:
> Tony, please could you look if there is something CVSNT could do in this
> case or CVSNT could give some meaningful information (like "did you do a
> login ...").

It's not really fixable. Testing with my network I can reproduce the
problem if the service is not running as LocalSystem but otherwise it
always seems to work OK (even with cross-domain logins).

A recent update (probably a security update) has changed the behaviour of
the Kerberos subsystem. Now when the above situation occurs instead of
negotiating NTLM it negotiates Kerberos and fails it. Previously it
just logged you in with NTLM instead.

It also no longer reports the failure to the client - the authentication
drops out - so the client has no way of knowing what went wrong, only
that the server stopped talking. The server doesn't get any kind of
permission error, just 'login denied' and no other indication of what
went wrong.

All of this makes sense from an OS security point of view but is a
nightmare if you're trying to do any kind of automatic login.

You can force SSPI to drop to NTLM, but this isn't ideal...

Certainly you have to be careful retrying these kinds of logins if you
have a lockout policy. I've locked myself out more times than I can
remember when testing things...

Tony