The issue:

I have a Virtual Host - VHost.domain.com. When I try to connect from my laptop - Laptop.domain.com - it seems to be trying to use NTLM for authentication and not Kerberos. Note: My laptop is not the only client we tried. The issue is definitely on the VHost side.

Troubleshooting:

Two Accounts

I have two AD accounts I've tried to connect with: a privileged account and a regular account. Both accounts have permission to connect to VHost. Here are the results of trying different connections in MSTSC.exe.

Privileged account:

  • Using FQDN (VHost.domain.com) : Did not work
  • Using NetBIOS (Vhost) : Did not work
  • Using Direct IP (10.10.10.10) : Does not support Kerberos

Normal account:

  • Using FQDN (VHost.domain.com) : Did not work
  • Using NetBIOS (Vhost) : Did not work
  • Using Direct IP (10.10.10.10) : This worked

The Host Is Physically Right Beside It

There is another host - VHost2 - physically next to the server. Same switch, same subnet, same DNS server, etc. and it has no issues.

Using MSTSC.exe from VHost

I did try to remote onto a different PC that I have access to from VHost, and I get the same issue as when trying to remote onto VHost.

Reinstalled Windows Server on VHost

The really interesting part about this is that I reimaged VHost. Complete reinstall of Windows Server. This did not fix the issue.

Question:

Does anyone have any clue as to why my server won't use Kerberos for authentication? It seemed to cause weird issues with VMM as well. My suspicion is that it has to do with DNS or something. The server has its IP statically set. That IP matches the Host (A) record on the DNS server. VHost can ping the DNS server as well. Again, VHost2 is set up the same exact way with no issue.

Thanks in advance to anyone who took a minute to read all this!

  • Is the client (i.e. the laptop) a domain member? If it is not a domain member, what format are you using for the username? Jun 13 at 10:39
  • All the devices are members of the domain. Jun 13 at 17:36
  • Does it have reachability to the KDCs? Do you see any Kerberos requests in Wireshark? Are tickets being stored in klist? Even if the issue seems to be on the server side, that doesn't entirely rule out client problems. On the other hand, does your "vhost.domain.com" exactly match what's stored in AD? (Kerberos requires the name to match, much like TLS does.) Jun 13 at 17:49
  • Even though the Client can RDP onto a different server totally fine? Sorry, I don't fully understand Kerberos... Is the ticket per Client or per Server/Client Connection? And just verified that the vhost.domain.com matches AD Jun 13 at 17:51
  • There's more than one ticket in Kerberos – there's one that lets you get more tickets (the krbtgt) and there are service-specific tickets (e.g. "TSCLIENT/vhost.domain.com"). The latter is what's issued to the client during RDP login. What would be useful is if you found out whether the client attempts to get the service ticket at all. Jun 13 at 19:25
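The checks raised in the comments (name match between DNS and AD, KDC reachability, whether a service ticket is ever issued) can be run in one pass from the domain-joined client. This is an added example, not something posted in the thread; it assumes the RDP service registers SPNs under the TERMSRV class, uses the names from the question, and takes the logon DC from $env:LOGONSERVER.

```powershell
# Added diagnostic script (not from the original question or comments).
# Run from the domain-joined client that fails to get Kerberos when connecting.
param(
    [string]$Target  = 'VHost.domain.com',   # name typed into mstsc
    [string]$Account = 'VHost'               # AD computer account of the target
)

# 1. Forward and reverse DNS must agree on the name the client will build the SPN from.
$fwd = Resolve-DnsName -Name $Target -Type A -ErrorAction SilentlyContinue
"A record   : $($fwd.IPAddress -join ', ')"
if ($fwd) {
    $rev = Resolve-DnsName -Name $fwd[0].IPAddress -Type PTR -ErrorAction SilentlyContinue
    "PTR record : $($rev.NameHost)"
    if ($rev -and $rev.NameHost -ne $Target) {
        "WARNING: PTR name differs from the name used; Kerberos name matching may fail."
    }
}

# 2. The KDC must be reachable on TCP 88; if it is not, clients fall back to NTLM silently.
$dc = $env:LOGONSERVER.TrimStart('\')
$kdc = Test-NetConnection -ComputerName $dc -Port 88 -WarningAction SilentlyContinue
"KDC $dc TCP/88 reachable : $($kdc.TcpTestSucceeded)"

# 3. The target's computer account must hold a TERMSRV SPN for exactly the name used.
$spns = setspn -L $Account 2>&1
$termsrv = $spns | Where-Object { $_ -match '^\s*TERMSRV/' }
"TERMSRV SPNs registered on $Account :"
$termsrv
if (-not ($termsrv -match [regex]::Escape("TERMSRV/$Target"))) {
    "WARNING: no TERMSRV/$Target SPN found; the KDC cannot issue a ticket for that name."
}

# 4. Request the RDP service ticket directly from the KDC, independent of mstsc.
#    Success here means the KDC/SPN side is fine and the problem is in the RDP negotiation;
#    failure means Kerberos itself cannot authenticate to that name.
$reply  = klist get "TERMSRV/$Target" 2>&1
$cached = klist | Select-String -SimpleMatch "TERMSRV/$Target"
if ($cached) {
    "Service ticket for TERMSRV/$Target obtained and cached."
} else {
    "No service ticket for TERMSRV/$Target. KDC reply:"
    $reply
}
```

Compare the output against the same script run from the working VHost2 name; the first check that diverges is where the NTLM fallback is being forced.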
