Logon Attempts Fail When the MIT Key Distribution Center Is Multihomed (266095)



The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

This article was previously published under Q266095

SYMPTOMS

After establishing an interoperable Kerberos trust with a Massachusetts Institute of Technology (MIT) realm, users who attempt to log on by using their account in the MIT realm fail and receive the following error message:

  The system could not log you on. Make sure your User name and domain are correct, then type your password again. Letters in passwords must be typed using the correct case. Make sure that Caps Lock is not accidentally on.

This problem occurs when the MIT Key Distribution Center (KDC) is multihomed (has more than one IP address).

CAUSE

A Windows 2000 client sends a DNS query for the KDC server name and receives a response that lists two IP addresses for the KDC server. Windows 2000 then sends a Kerberos request to one of the IP addresses, but the MIT KDC sends its reply from the other IP address. Because the reply comes from an address other than the one the request was sent to, Windows 2000 discards the response, as expected.

A Netmon trace clearly illustrates this issue:

  Source        Destination   Protocol   Summary
  10.10.10.20   10.10.7.3     Kerberos   KRB_AS_REQ
  10.10.253.56  10.10.10.20   Kerberos   KRB_AS_REP
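The following script is an added example and is not part of the original article or of any Microsoft or MIT tool. It parses a Netmon-style trace (columns Source, Destination, Protocol, Summary; the sample lines are constructed for this example and mirror the trace above) and flags every Kerberos reply whose source address differs from the address the matching request was sent to. That is exactly the condition under which the Windows 2000 client discards the KDC's reply, so running a check like this over a capture is a quick way to confirm the multihomed-KDC cause before changing Ksetup or hosts-file settings.

```python
"""Flag Kerberos replies sourced from an address other than the one the
request was sent to.  Added example; the trace text below is constructed
and the frame layout assumes four whitespace-separated columns."""
from dataclasses import dataclass


@dataclass
class Frame:
    src: str
    dst: str
    proto: str
    summary: str


# Constructed sample trace: Source, Destination, Protocol, Summary.
# The AS exchange reproduces the article's trace; the TGS exchange is a
# healthy pair added for contrast.
SAMPLE_TRACE = """\
10.10.10.20   10.10.7.3     Kerberos   KRB_AS_REQ
10.10.253.56  10.10.10.20   Kerberos   KRB_AS_REP
10.10.10.20   10.10.7.3     Kerberos   KRB_TGS_REQ
10.10.7.3     10.10.10.20   Kerberos   KRB_TGS_REP
"""

# Reply message type -> the request type it answers.
REPLY_FOR = {"KRB_AS_REP": "KRB_AS_REQ", "KRB_TGS_REP": "KRB_TGS_REQ"}


def parse_trace(text):
    """Turn trace lines into Frame objects; skip headers and short lines."""
    frames = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].lower() == "source":
            continue
        frames.append(Frame(*parts))
    return frames


def find_mismatched_replies(frames):
    """Return (request, reply) pairs where the reply's source address is not
    the address the client sent the request to.  Requests are matched to
    replies by client address and message type, in arrival order."""
    pending = {}  # (client address, request type) -> request Frame
    mismatches = []
    for f in frames:
        if f.proto != "Kerberos":
            continue
        if f.summary.endswith("_REQ"):
            pending[(f.src, f.summary)] = f
        elif f.summary in REPLY_FOR:
            req = pending.pop((f.dst, REPLY_FOR[f.summary]), None)
            if req is not None and req.dst != f.src:
                mismatches.append((req, f))
    return mismatches


def describe(mismatches):
    """Human-readable summary lines for each mismatched exchange."""
    return [
        f"{req.summary} sent to {req.dst}, but {rep.summary} came from {rep.src}"
        for req, rep in mismatches
    ]


if __name__ == "__main__":
    for line in describe(find_mismatched_replies(parse_trace(SAMPLE_TRACE))):
        print(line)
```

On the sample trace the script reports only the AS exchange: the request went to 10.10.7.3 and the reply came from 10.10.253.56, which is the address the KDC actually answers from and therefore the one to give Ksetup or the hosts file under RESOLUTION.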

RESOLUTION

To resolve this issue, one solution is to use the IP address of the MIT KDC that is actually responding to the requests (the source address of the KRB_AS_REP in the trace) when you add the MIT realm entry to the Windows 2000 computer with Ksetup.

Another solution is to add a hosts file to all the Windows 2000 computers that maps the KDC name to the IP address of the MIT KDC that is responding.

Neither solution scales well: if the IP address of the KDC changes, every Windows 2000 computer has to be updated.

MIT reports that KDCs version 1.2.x and later no longer have this problem.

Modification Type: Minor
Last Reviewed: 1/20/2006
Keywords:kb3rdparty kbfix kbnetwork kbprb KB266095