Registrations are now open. Join us today!
There is still a lot of work to do on the wiki yet! More information about editing can be found here.
Already have an account?

Microsoft KB Archive/322979

From BetaArchive Wiki
Knowledge Base


Kerberos is not used when you connect to SMB shares by using IP address

Article ID: 322979

Article Last Modified on 3/2/2007



APPLIES TO

  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional Edition



This article was previously published under Q322979

SYMPTOMS

When you connect to remote Server Message Block (SMB) services shares by using \\192.x.y.z\share name, Kerberos is not used, and the Internet Protocol (IP) SMB file share access does not use Kerberos. A network trace shows the following Kerberos error in the KRB_ERROR:

Server not found in Kerberos database

CAUSE

By default, Microsoft Windows Server 2003 and Microsoft Windows 2000 try to use Kerberos as the security provider. When a client uses Kerberos to authenticate itself to a server, the client requests a session ticket for the Service Principal Name (SPN). IP addresses are not names, so Kerberos is not used. After this occurs, the server goes through the list of the other supported security providers.

STATUS

This behavior is by design.

MORE INFORMATION

IP addresses typically change, and it is not workable to add these addresses as SPNs. An SPN can be one of the following:

  • The DNS name for the domain.
  • The DNS name of a host.
  • The distinguished name of a service connection point object.


Keywords: kbenv kbnetwork kbprb KB322979