Helpful Tools


The Microsoft Windows 2000 Server Resource Kit includes tools to help you troubleshoot and configure Kerberos authentication. The most important ones are Kerberos Tray (KerbTray), Kerberos List (Klist), and SetSPN.

KerbTray and Klist

KerbTray is a graphical tool that displays ticket information for a computer running the Kerberos protocol. The KerbTray icon is located in the status area of your desktop and can be used to view tickets. Positioning your mouse cursor over the KerbTray icon will display the time left on your initial TGT before it expires.

Klist is a command line tool that enables you to view and delete Kerberos tickets granted to the current logon session. It is similar to KerbTray but more flexible. An updated version of Klist is included on this book's companion CD.

Both of these tools are handy for verifying the tickets you have.

SetSPN

SetSPN allows you to manage the SPN directory property for an Active Directory directory service account. SPNs are used to locate a target principal name for running a service. SetSPN allows you to view the current SPNs, reset the "host" SPNs, and add or delete supplemental SPNs.

It's usually not necessary to modify SPNs. SPNs are set up by a computer when it joins a domain and when services are installed on the computer. In some cases, however, this information becomes stale. For instance, if the computer name is changed, the SPNs for installed services would need to be changed to match the new computer name.

What Is the krbtgt Account?

If you look in the Active Directory Users And Computers tool, you might see an account named krbtgt, the name used by all KDCs. For example, the KDC for the explorationair.com domain is named krbtgt/explorationair.com. In addition, a derivative of the password for this special account is used to encrypt TGTs issued by the KDC. The krbtgt account cannot be deleted or renamed.

Note that if a service runs as an account other than LocalSystem, you might need to register an SPN for the service. A good example is SQL Server 2000: It can run as LocalSystem or as a specific user account. If it runs as LocalSystem, you will not have to run SetSPN. But if the process runs as a specific user account, you'll have to run the following from the command line:

setspn -A MSSQLSvc/dbserver.explorationair.com:1433 DBUser

In this example, SQL Server is running on a server named DBServer and we're registering the SPN under the server's fully qualified DNS name. The process runs as EXAIR\DBUser. This is configurable during SQL Server setup or in the SQL Server properties dialog box in the SQL Server Enterprise Manager. The SPN must be registered on the account the service actually runs as, because the KDC encrypts the service ticket with that account's key; if the SPN is missing or is registered on some other account, the client either cannot obtain a Kerberos ticket for the service or the service cannot decrypt the ticket it receives.
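The following PowerShell script is an added example, not code from the book; it ties together the SetSPN procedure above and the Klist check described earlier. It lists the SPNs registered on the service account with setspn -L, registers the SQL Server SPN with setspn -A only if it is missing, and then uses klist to confirm that a service ticket for that SPN is in the current logon session's cache. The host name, account name, and the assumption that setspn.exe and klist.exe are on the PATH and that the caller has rights to modify the account are all placeholders or assumptions; the output layout of both tools is matched loosely because it differs between the Resource Kit versions and later Windows builds.

```powershell
# Added example (not from the book). Verifies and, if needed, registers the SPN
# SQL Server needs on its service account, then checks the ticket cache with klist.
# Assumptions: setspn.exe and klist.exe are on the PATH; the caller may modify
# the account; the SPN and account names are placeholders matching the book's example.

param(
    [string]$Spn     = 'MSSQLSvc/dbserver.explorationair.com:1433',  # placeholder SPN
    [string]$Account = 'DBUser'                                       # placeholder account (EXAIR\DBUser)
)

function Get-RegisteredSpn {
    param([string]$Account)
    # setspn -L prints a header line for the account followed by one indented SPN per line.
    $lines = & setspn -L $Account 2>&1
    if ($LASTEXITCODE -ne 0) { throw "setspn -L $Account failed: $lines" }
    # Keep only lines that look like an SPN (service class, a slash, then the host).
    $lines | ForEach-Object { $_.ToString().Trim() } | Where-Object { $_ -match '^[A-Za-z0-9_-]+/' }
}

function Register-SpnIfMissing {
    param([string]$Spn, [string]$Account)
    $existing = @(Get-RegisteredSpn -Account $Account)
    if ($existing -contains $Spn) {
        Write-Host "OK: $Spn is already registered on $Account"
        return $false
    }
    # -A adds a supplemental SPN without checking whether another account already
    # holds the same SPN. A duplicate SPN breaks Kerberos for that service, so on
    # Windows Server 2008 and later prefer 'setspn -S', which refuses to create one.
    & setspn -A $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "setspn -A $Spn $Account failed" }
    Write-Host "Added $Spn to $Account"
    return $true
}

function Test-ServiceTicket {
    param([string]$Spn)
    # klist with no arguments lists the cached tickets for the current logon session;
    # each ticket has a line naming its server principal. Match the SPN text anywhere
    # on the line so the check works across the different klist output layouts.
    $out  = & klist 2>&1
    $hits = @($out | Where-Object { $_.ToString() -match [regex]::Escape($Spn) })
    return ($hits.Count -gt 0)
}

Register-SpnIfMissing -Spn $Spn -Account $Account | Out-Null

# A service ticket is only requested when the client first talks to the service,
# so connect to SQL Server (for example, open a connection with Windows authentication)
# before running this check.
if (Test-ServiceTicket -Spn $Spn) {
    Write-Host "A Kerberos service ticket for $Spn is in the ticket cache"
} else {
    Write-Warning "No ticket for $Spn in the cache; the client may have fallen back to NTLM or the SPN is wrong"
}
```

Run the script from a session logged on as the user whose tickets you want to inspect; after changing SPNs, run klist purge (or use KerbTray) so that the next connection requests a fresh ticket rather than reusing a cached one.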

Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138