Thursday, February 15, 2007

krbtgt and NO_AUTH_DATA_REQUIRED

These two should not be mixed.

NO_AUTH_DATA_REQUIRED is a flag that can be added to the UserAccountControl attribute of an Active Directory user object. This flag keeps Privilege Attribute Certificate (PAC) data from being added to service tickets issued for that account. This can be useful when setting up cross-realm trusts between AD and a MIT Kerberos realm.

We're working on setting up single sign-on for the Windows clients in our AD forest so that upon logging in users will get credentials for the AD domain, the MIT realm, AFS, and a Kerberos-based Certificate Authority (KCA). Everything was good except for the tickets AD was returning to the MIT KDC - they were too large to build AFS tickets. So the developer suggested implementing NO_AUTH_DATA_REQUIRED on the service accounts used for KCA and KDC access. No problem there. But I misread his note and also set the krbtgt account with this option.
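As an added illustration (not code from this post), here is a small Python check that decodes the userAccountControl bits and reports every account carrying NO_AUTH_DATA_REQUIRED, treating the krbtgt account (and the per-RODC krbtgt_* accounts) as a critical finding rather than an accepted trust setting. The directory records are constructed; the bit values are the documented ADS_UF_* constants.

```python
# Audit userAccountControl for NO_AUTH_DATA_REQUIRED (added example, constructed data).
# Bit values are the documented ADS_UF_* flag constants.
NO_AUTH_DATA_REQUIRED = 0x02000000  # ADS_UF_NO_AUTH_DATA_REQUIRED

UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000200: "NORMAL_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00400000: "DONT_REQ_PREAUTH",
    0x02000000: "NO_AUTH_DATA_REQUIRED",
}


def decode_uac(value: int) -> list[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_krbtgt(sam_account_name: str) -> bool:
    """krbtgt itself, plus krbtgt_<id> accounts used by read-only DCs."""
    name = sam_account_name.lower()
    return name == "krbtgt" or name.startswith("krbtgt_")


def audit_no_auth_data(accounts):
    """accounts: iterable of (sAMAccountName, userAccountControl).

    Returns (sAMAccountName, verdict) for every account with the flag set.
    Service accounts used for a cross-realm trust may legitimately carry it;
    on krbtgt it strips the PAC from every TGT, so it is flagged as critical.
    """
    findings = []
    for sam, uac in accounts:
        if not uac & NO_AUTH_DATA_REQUIRED:
            continue
        if is_krbtgt(sam):
            verdict = "CRITICAL: PAC suppressed on the TGT account"
        else:
            verdict = "review: PAC suppressed on service tickets for this account"
        findings.append((sam, verdict))
    return findings


# Constructed sample of (sAMAccountName, userAccountControl) records.
# krbtgt is normally 0x202 (ACCOUNTDISABLE | NORMAL_ACCOUNT); the flag was
# added to it by mistake, and to svc-kca on purpose for the MIT trust.
SAMPLE = [
    ("krbtgt", 0x00000202 | NO_AUTH_DATA_REQUIRED),
    ("svc-kca", 0x00010200 | NO_AUTH_DATA_REQUIRED),
    ("jdoe", 0x00000200),
]

if __name__ == "__main__":
    for sam, verdict in audit_no_auth_data(SAMPLE):
        print(f"{sam}: {verdict}")
```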

Nothing bad happened at first. But overnight some systems stopped processing GPOs. And a couple of DCs started throwing logon errors. Nothing made sense till I read a bit more on the use of the krbtgt account and realized what a mistake I had made. Backed out the change and rebooted the two DCs that were having problems. A couple of other servers needed attention as well.

Some things just shouldn't be mixed.
