MOSS Forum


Kerberos Questions (It works, but...)

  Asked By: Uma    Date: Aug 30    Category: MOSS    Views: 1046

I've been able to get Kerberos working in the production environment for
our primary site. However, folks at our secondary site seem to be
unable to get to the MOSS 2007 main page (or any other) when Kerberos is

I've noticed that it seems to take a long time attempting to use
Kerberos, and then a "page can not be displayed" error eventually shows
up. What's also odd is that they are not falling back to NTLM... or at
least, if they were, they should eventually be able to see the welcome

Some background:

I've got port 88 configured to go from site 2 to the primary, which
means that Kerberos should work.

Each site has two AD Domain Controllers, which means that two KDCs are
available per site.

I've turned on Kerberos for both the main site (port 80) and the MySite
web app (port 15500). Everyone from site 2 can get to the MySite
provider, but not the primary welcome page. (Oddly, a scan of our
network traffic to the MOSS server shows that while Kerberos is enabled
for MySite, it appears to be using NTLM.)

I remember hearing about a "double hop" issue, but I'm not sure if this
would fall into that scenario?



7 Answers Found

Answer #1    Answered By: Brinda Bca     Answered On: Aug 30

Mark Arend did a post on the steps required to make Kerberos work at

Answer #2    Answered By: Sheryl Velez     Answered On: Aug 30

I HAVE it working.

The issue is that it doesn't work at a REMOTE location.

So far as I can tell, it should work without an issue, as I'm not seeing
any obvious errors.

Do I only need port 88 open between the sites?

Answer #3    Answered By: Alexandra Lewis     Answered On: Aug 30

I'll verify the clock issue, but I'm fairly certain that's not the

With respect to the KDC: Is it not true that all Active Directory DCs
are KDCs? So it shouldn't matter which DC the user hits?
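Every writable AD domain controller does run the KDC service, and clients find one through DNS SRV records rather than by a fixed name, so which DC a user "hits" is decided by the site-aware record set the client queries. The following is an added example (not code from the thread or from any Microsoft tool) that shows that lookup order over a constructed set of SRV records: the site-specific name `_kerberos._tcp.<Site>._sites.dc._msdcs.<domain>` is tried first and the domain-wide `_kerberos._tcp.dc._msdcs.<domain>` is the fallback, with records ordered by RFC 2782 priority and weight. The domain `corp.example`, the site names and the `dcN` hostnames are placeholders; the real Windows DC locator also does an LDAP ping against the candidates, which is omitted here.

```python
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "name priority weight port target")

# Constructed sample zone data (placeholder names): two sites with two DCs each,
# plus the domain-wide record set that lists all four KDCs.
DOMAIN = "corp.example"
SAMPLE_RECORDS = [
    SrvRecord(f"_kerberos._tcp.Site1._sites.dc._msdcs.{DOMAIN}", 0, 100, 88, "dc1.corp.example"),
    SrvRecord(f"_kerberos._tcp.Site1._sites.dc._msdcs.{DOMAIN}", 0, 100, 88, "dc2.corp.example"),
    SrvRecord(f"_kerberos._tcp.Site2._sites.dc._msdcs.{DOMAIN}", 0, 100, 88, "dc3.corp.example"),
    SrvRecord(f"_kerberos._tcp.Site2._sites.dc._msdcs.{DOMAIN}", 0, 100, 88, "dc4.corp.example"),
    SrvRecord(f"_kerberos._tcp.dc._msdcs.{DOMAIN}", 0, 100, 88, "dc1.corp.example"),
    SrvRecord(f"_kerberos._tcp.dc._msdcs.{DOMAIN}", 0, 100, 88, "dc2.corp.example"),
    SrvRecord(f"_kerberos._tcp.dc._msdcs.{DOMAIN}", 10, 100, 88, "dc3.corp.example"),
    SrvRecord(f"_kerberos._tcp.dc._msdcs.{DOMAIN}", 10, 100, 88, "dc4.corp.example"),
]


def order_by_rfc2782(records, rng=None):
    """Order SRV records: lowest priority first, weighted-random within a priority."""
    rng = rng or random.Random(0)  # seeded so the example is reproducible
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                chosen = pool[0]
            else:
                pick = rng.randint(0, total - 1)
                acc = 0
                for r in pool:
                    acc += r.weight
                    if pick < acc:
                        chosen = r
                        break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def kdc_candidates(records, domain, site=None):
    """Return the ordered KDC list a client in `site` would try, or [] if none exist.

    Site-specific records win; the domain-wide set is the fallback, which is
    what a client whose site is unknown (or whose site has no DC) ends up using.
    """
    names = []
    if site:
        names.append(f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_kerberos._tcp.dc._msdcs.{domain}")
    for name in names:
        hits = [r for r in records if r.name.lower() == name.lower()]
        if hits:
            return order_by_rfc2782(hits)
    return []


def kdc_targets(records, domain, site=None):
    """Convenience: just the host:port strings, in the order they would be tried."""
    return [f"{r.target}:{r.port}" for r in kdc_candidates(records, domain, site)]


if __name__ == "__main__":
    for site in ("Site1", "Site2", "NoSuchSite"):
        print(site, "->", kdc_targets(SAMPLE_RECORDS, DOMAIN, site))
```

On a real client the equivalent checks are `nslookup -type=SRV _kerberos._tcp.dc._msdcs.<domain>` for the raw records and `nltest /dsgetdc:<domain> /kdc` for the DC the locator actually picked; if the site-2 workstations resolve to site-2 DCs, opening port 88 only from site 2 to the primary site does not describe the path the tickets take.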

Answer #4    Answered By: Himanta Barthakur     Answered On: Aug 30

Would you mind explaining "clock drift" in some more detail for
me? Please?

Answer #5    Answered By: Mansi Revenkar     Answered On: Aug 30

Kerberos depends on timestamps for many of its processes. If the
time-zone adjusted system time on the 2 machines differs by more than 5
minutes it will cause problems. Computer BIOS clocks aren't all that
accurate, so unless they are being synched to a "master" time source
it's not unusual for the times to be off by that much or more.
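The comparison the answer describes is done on absolute (UTC) time, so two machines in different time zones with correct clocks pass, while a machine whose clock is wrong by more than the tolerance fails. Below is an added example, not code from the thread or from Windows, that performs that check over constructed timestamps. The 5-minute tolerance is the figure given in the answer (it is also the Windows Kerberos policy default, "Maximum tolerance for computer clock synchronization"); the host names are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Tolerance from the answer above; configurable in Windows Kerberos policy.
MAX_SKEW = timedelta(minutes=5)


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp that carries a UTC offset and normalise to UTC.

    Offsets are mandatory: a naive local time cannot be compared across sites.
    """
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {s!r}")
    return dt.astimezone(timezone.utc)


def clock_skew(a: str, b: str) -> timedelta:
    """Absolute difference between two timestamps after time-zone adjustment."""
    return abs(parse_ts(a) - parse_ts(b))


def within_tolerance(client_ts: str, kdc_ts: str, max_skew: timedelta = MAX_SKEW) -> bool:
    """True if a ticket request with these clocks would not be rejected for skew."""
    return clock_skew(client_ts, kdc_ts) <= max_skew


def hosts_out_of_tolerance(reference_ts: str, host_times: dict, max_skew: timedelta = MAX_SKEW):
    """Given a reference (KDC) time and each host's own reading, list the offenders."""
    return sorted(h for h, ts in host_times.items() if not within_tolerance(ts, reference_ts, max_skew))


# Constructed sample: the KDC at the primary site is on UTC-4, the site-2 hosts on UTC-5.
KDC_TIME = "2007-08-30T10:01:00-04:00"          # 14:01 UTC
SAMPLE_HOSTS = {
    "site2-ws01": "2007-08-30T09:02:00-05:00",   # 14:02 UTC, 1 minute off: fine
    "site2-ws02": "2007-08-30T09:08:30-05:00",   # 14:08:30 UTC, 7.5 minutes off: rejected
    "site2-ws03": "2007-08-30T08:55:00-05:00",   # 13:55 UTC, 6 minutes slow: rejected
    "site2-ws04": "2007-08-30T09:06:00-05:00",   # 14:06 UTC, exactly 5 minutes: still allowed
}

if __name__ == "__main__":
    for host, ts in SAMPLE_HOSTS.items():
        print(host, clock_skew(ts, KDC_TIME), "OK" if within_tolerance(ts, KDC_TIME) else "SKEW")
    print("out of tolerance:", hosts_out_of_tolerance(KDC_TIME, SAMPLE_HOSTS))
```

The failure mode to remember is the one the function guards against with the offset check: comparing wall-clock readings without their zone makes a correctly synchronised host in another zone look hours off. On the Windows side, `w32tm /stripchart /computer:<dc>` shows the live offset against a DC and `w32tm /resync` forces a correction.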

Answer #6    Answered By: Lizette Mcconnell     Answered On: Aug 30

...and there are now layer 7 firewalls/proxies that allow Kerberos
authentication when the client cannot see the KDC. Very useful for
extranet type stuff. Microsoft's IAG is a product that can do this.
