[SOLVED] Are Domain Local Groups in the PAC?
Michael B Allen
ioplex at gmail.com
Sat Dec 1 02:30:58 GMT 2007
On 11/27/07, Michael B Allen <ioplex at gmail.com> wrote:
> On 11/27/07, Michael B Allen <ioplex at gmail.com> wrote:
> > I think maybe AD is selectively leaving out Domain Local groups for
> > HTTP service tickets. Maybe because authentication occurs with every
> > single request they're trying to speed things up.
>
> Running IIS on the DC does provoke tickets with Domain Local groups.
> At this point my guess is that the web server host must have a
> Computer account that is joined to the domain to consider the DLGs in
> scope for the service ticket. I was using a Computer account for a
> Linux web server not joined to the domain.

Not quite. The problem was DLGs are not supported in "mixed-mode"
(except with resources on domain controllers). Aside from some other
goofy issues and misunderstandings, ultimately that was the problem.
Raising the functional level of the domain results in TGS-REPs getting
DLGs.

Just thought I'd follow through.

Thanks,
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/