[SOLVED] Are Domain Local Groups in the PAC?

Michael B Allen ioplex at gmail.com
Sat Dec 1 02:30:58 GMT 2007


On 11/27/07, Michael B Allen <ioplex at gmail.com> wrote:
> On 11/27/07, Michael B Allen <ioplex at gmail.com> wrote:
> > I think maybe AD is selectively leaving out Domain Local groups for
> > HTTP service tickets. Maybe because authentication occurs with every
> > single request they're trying to speed things up.
>
> Running IIS on the DC does provoke tickets with Domain Local groups.
> At this point my guess is that the web server host must have a
> Computer account that is joined to the domain to consider the DLGs in
> scope for the service ticket. I was using a Computer account for a
> Linux web server not joined to the domain.

Not quite. The problem was DLGs are not supported in "mixed-mode"
(except with resources on domain controllers). Aside from some other
goofy issues and misunderstandings, ultimately that was the problem.
Raising the functional level of the domain results in TGS-REPs getting
DLGs.

Just thought I'd follow through.

Thanks,
Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/

