We received a report from an office that three of their Windows 2003 servers running ExtremeZIP were not allowing SSO connections from AD bound Snow Leopard Macs.
After a good deep-dive into the problem, including packet traces and help from Group Logic, we resolved the problem. Here are the steps we took:
Make sure the Mac clients are using the FQDN to connect to the ExtremeZIP AFP volume on the server. Short names should not be used (in Lion you must use the FQDN or you get an error).
Check that the time on the server, the clients and the DC match. One server's clock was six minutes out (the maximum Kerberos time skew is five minutes). Once the time was set correctly, Lion clients were able to log in.
Check that the Service Principal Name (SPN) of each server is correct; if it is not, authentication can fail. Read more about SPNs here.
To check the SPN on a Windows 2003 server you must first download and install Windows Server Support Tools. You can get them here.
After you have installed the tools, go to Programs/Windows Server Support Tools and launch the app; it opens a command prompt.
Both the long and the short SPN for the AFP protocol need to exist for each server:
afpserver/servername.company.com
afpserver/servername
To display the SPNs, from the Support Tools command prompt type "setspn servername".
You should see both the FQDN and the short name. If one is missing do the following:
- To add the long name: setspn -a afpserver/servername.company.com servername
- To add the short name: setspn -a afpserver/servername servername
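As an added example (not from the original post or from Group Logic), the following script checks that both AFP SPNs exist for a server and, with -Fix, adds whichever is missing. It assumes setspn.exe from the Support Tools is on the PATH, that PowerShell is installed on the box, and that it is run with rights to modify the computer account; the server and domain names are parameters you supply.

```powershell
# Added example: verify (and optionally register) the long and short AFP SPNs
# for one server. Assumes setspn.exe (Windows Server Support Tools) is on the
# PATH and that you run this with domain admin rights.
param(
    [Parameter(Mandatory=$true)][string]$ServerName,   # e.g. fileserver01 (placeholder)
    [Parameter(Mandatory=$true)][string]$DnsDomain,    # e.g. company.com (placeholder)
    [switch]$Fix                                        # add missing SPNs instead of only reporting
)

# Both forms must be present: Lion (and FQDN connections) use the long one
$required = @(
    "afpserver/$ServerName.$DnsDomain",   # long (FQDN) SPN
    "afpserver/$ServerName"               # short SPN
)

# setspn -L prints a header line followed by one SPN per line (indented);
# keep only lines that look like service/host entries
$existing = & setspn -L $ServerName 2>&1 |
    ForEach-Object { $_.ToString().Trim() } |
    Where-Object { $_ -match '^[A-Za-z0-9_.-]+/' }

$missing = @()
foreach ($spn in $required) {
    # -contains compares strings case-insensitively, which matches how SPNs are treated
    if ($existing -contains $spn) {
        Write-Host "OK       $spn"
    } else {
        Write-Host "MISSING  $spn"
        $missing += $spn
    }
}

if ($missing.Count -gt 0 -and $Fix) {
    foreach ($spn in $missing) {
        # -a registers the SPN on the server's computer account
        & setspn -a $spn $ServerName
    }
}

# Exit code equals the number of missing SPNs, so it can be looped over many servers
exit $missing.Count
```

Run it once without -Fix to see the report, then rerun with -Fix only on the servers where an SPN is reported missing.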
We also found that although the Snow Leopard clients were authenticating users correctly, they were not generating a Kerberos ticket at login (you can verify this with Ticket Viewer.app, located in /System/Library/CoreServices). After manually generating a Kerberos ticket, SSO worked.
To force a Snow Leopard client to generate a Kerberos ticket at login follow the instructions in this Apple KB article.
After carrying out each of these steps, the Snow Leopard clients were able to get SSO to the ExtremeZIP enabled servers.
Although it wasn't necessary in this case, make sure you update ExtremeZIP to the latest version.
Monday, February 6, 2012
Tuesday, March 29, 2011
Mac clients can not do LDAP (GAL) lookups
An office reported that Mac clients were unable to do LDAP (GAL) lookups from Entourage or Outlook 2011.
All the clients were using the local DC for LDAP; if this was changed to another DC the clients could do lookups just fine.
It was found that the local DC was not a global catalog server. When this was fixed, lookups worked.
Here is the TechNet article on determining whether or not a DC is a GC:
http://technet.microsoft.com/en-us/library/cc786686%28WS.10%29.aspx
Labels: "OS X", DC, GAL, Global Catalog Server, LDAP, Windows Server