2017-05-19 16:57 AEST by Arthur Barrett - There are limitations with using Kerberos and SSPI on Windows - regardless of whether it is 'explicit' with Force=Kerberos, or whether it is automatically selected:
- PC must be on a domain (see Glen's EUROPA tests)
- server must be a hostname, not an IP address
- server hostname must not be localhost
See also bug 5621 and bug 6990
We could supply some better error messages. So rather than the EUROPA test saying this:
SSPI Login failed - [80090303] The specified target is unknown or unreachable
Instead it could check if 'Kerberos' is the authentication:
2:21:38: -> SSPI:ClientAuthenticate(Kerberos,*NONE*,*NONE*) !Schannel - AcquireCredentialsHandle
And if so when it gets the error 80090303/SEC_E_TARGET_UNKNOWN, add 'this is usually caused by':
12:21:38: -> SSPI:ClientAuthenticate() (rcISC<0) [80090303] The specified target is unknown or unreachable
There are more 'sensible' errors on the server side, but it's difficult to communicate server errors to the client
at that point, and the client errors are probably clear enough to make the case.
There is also CVSDIAG code for finding the AD server - so we could 'check' that before issuing the actual
error message.
A final variation would be to dynamically change the hostname to what it should be, e.g. changing localhost
to the local machine name (again CVSDIAG has code for finding the actual machine name). Or doing an
NSLOOKUP on the IP address.
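The error-message improvement proposed in the comment above, as an added example that is not CVSNT code: when the package is Kerberos and the client sees 80090303, map the server name to the listed limitation. The function name `kerberos_hint`, the `domain_joined` parameter (the caller is assumed to have determined domain membership already) and the sample host names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Error code quoted in the comment: 80090303 / SEC_E_TARGET_UNKNOWN. */
#define TARGET_UNKNOWN 0x80090303UL

/* Case-insensitive equality: package and host names ignore case. */
static int ieq(const char *a, const char *b) {
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) { a++; b++; }
    return *a == '\0' && *b == '\0';
}

/* 1 if s is an IPv4 dotted quad or contains ':' (treated as an IPv6 literal). */
static int is_ip_literal(const char *s) {
    unsigned a, b, c, d;
    char tail;
    if (strchr(s, ':')) return 1;
    /* Exactly four fields and no trailing character, each field 0..255. */
    return sscanf(s, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) == 4
        && a < 256 && b < 256 && c < 256 && d < 256;
}

/* Hypothetical helper: returns text to append to the SSPI error, or NULL
 * when the failure is not the Kerberos "target unknown" case. */
const char *kerberos_hint(const char *package, const char *server,
                          int domain_joined, unsigned long rc) {
    if (rc != TARGET_UNKNOWN || !ieq(package, "Kerberos")) return NULL;
    if (is_ip_literal(server))
        return "this is usually caused by: server given as an IP address, Kerberos needs a hostname";
    if (ieq(server, "localhost"))
        return "this is usually caused by: server is localhost, use the machine name";
    if (!domain_joined)
        return "this is usually caused by: this PC is not on a domain";
    return "none of the known client-side causes matched, check the server side";
}

int main(void) {
    /* Constructed sample inputs, not taken from a real log. */
    const char *servers[] = { "localhost", "192.0.2.10", "cvs.example.test" };
    for (int i = 0; i < 3; i++) {
        const char *h = kerberos_hint("Kerberos", servers[i], 1, TARGET_UNKNOWN);
        printf("%s -> %s\n", servers[i], h ? h : "(no hint)");
    }
    return 0;
}
```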