[cvsnt] Re: Protocol :ext: not working

Tony Hoyle tony.hoyle at march-hare.com
Mon Jul 11 16:38:58 BST 2005


Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.


Gill Ernst wrote:
> Tony, please could you look if there is something CVSNT could do in this
> case or
> CVSNT could give same meaningful information (like "did you do a login
> ...").

It's not really fixable.  Testing with my network I can reproduce the 
problem if the service is not running as LocalSystem but otherwise it 
always seems to work OK (even with cross-domain logins).

A recent update (probably a security update) has change the behaviour of 
the kerberos subsystem.  Now when the above situation occurs instead of 
negotiating NTLM it negotiates kerberos and fails it.  Previously it 
just logged you in with NTLM instead.

It also no longer reports the failure to the client - the authentication 
drops out - so the client has no way of knowing what went wrong, only 
that the server stopped talking.  The server doesn't get any kind of 
permission error, just 'login denied' and no other indication of what 
went wrong.

All of this makes sense from an OS security point of view but is a 
nightmare if you're trying to do any kind of automatic login.

You can force sspi to drop to ntlm, but this isn't ideal...

Certainly you have to be careful retrying these kinds of logins if you 
have a lockout policy.  I've locked myself out more times than I can 
remember when testing things...

Tony



More information about the cvsnt mailing list
Download the latest CVSNT, TortosieCVS, WinCVS etc. for Windows 8 etc.
@CVSNT on Twitter   CVSNT on Facebook