Thursday, June 25, 2009

Windows 7 Kerberos updates and foreign realms


I bit the bullet, bought a new 500 GB Seagate drive for my laptop, VM'd my Vista install, swapped the drive and changed my main laptop to Windows 7 over the weekend, and apart from Sony PC Suite, which just sits in the system tray looking dead, everything is running better than ever... 4 GB of RAM certainly helps things along, but this is faster than XP SP3 in my FITA (Finger In The Air) opinion and light years ahead of Vista, aka Windows Me 2007...


So I added the laptop to my AD domain, e.g. lingpopo.net, and then, while at a client site, mapped a drive to a server in their AD domain, e.g. bank.corp.com, saved the credentials and all worked as expected... but later, while I was debugging a Kerberos issue with some users on XP, I forgot I was on 7 and ran klist (now an OS standard tool, at least in 7 RC1) and noticed something strange but very pleasing. Rather than just seeing a TGT from my domain, e.g. me @ lingpopo.net, I now saw TGTs for me @ bank.corp.com and cifs TGS tickets for the server in bank.corp.com! Sweetness! I'm getting TGTs and tickets for resources from an untrusted realm / forest / domain, no more failover to NTLM outside the forest / trust boundary, brilliant! But how? I need to know... This did not happen in XP or Vista, so what have Microsoft done? I've only noticed this behaviour today and have started digging out details on Kerberos improvements in Windows 7, but thus far I've found zip, nada, nowt... once I do I'll be sure to post...
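As an added example (not code from the original post or the author's ktickets tool), the following PowerShell parses klist output and classifies every cached ticket against the logon realm. It separates the three things that can show up for a second realm: a referral TGT issued by the home KDC for a trusted realm (krbtgt/OTHER @ HOME), a TGT issued directly by the foreign KDC (client @ OTHER, krbtgt/OTHER @ OTHER, which is what you get when you hold separate credentials for that realm), and plain service tickets such as cifs/... The realm names, user name and sample klist text are constructed to mirror the scenario above; point it at a live machine by replacing the sample with the output of klist.

```powershell
# Added example, not from the original post. Realm names, user and the sample
# klist text below are constructed; klist.exe itself ships with Windows 7 and later.

function ConvertFrom-KlistOutput {
    # Turn the "#n> Client: ... / Server: ..." pairs printed by klist into objects.
    param([Parameter(Mandatory)][string[]]$Lines)
    $tickets = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^#\d+>\s+Client:\s+(?<cuser>\S+)\s+@\s+(?<crealm>\S+)') {
            if ($current) { $tickets += $current }
            $current = [pscustomobject]@{
                Client      = $Matches.cuser
                ClientRealm = $Matches.crealm
                Service     = $null      # SPN, e.g. krbtgt/REALM or cifs/host
                ServerRealm = $null      # realm of the KDC that issued the ticket
                IsTgt       = $false
            }
        }
        elseif ($current -and $line -match '^\s*Server:\s+(?<spn>\S+)\s+@\s+(?<srealm>\S+)') {
            $current.Service     = $Matches.spn
            $current.ServerRealm = $Matches.srealm
            $current.IsTgt       = ($Matches.spn -like 'krbtgt/*')
        }
    }
    if ($current) { $tickets += $current }
    $tickets
}

function Get-TicketKind {
    # Classify one parsed ticket relative to the realm the user logged on to.
    param([Parameter(Mandatory)]$Ticket, [Parameter(Mandatory)][string]$HomeRealm)
    if (-not $Ticket.IsTgt) { return 'service ticket' }
    $target = ($Ticket.Service -split '/')[1]          # realm named in krbtgt/<realm>
    if ($Ticket.ClientRealm -ne $HomeRealm) {
        return "foreign TGT from $target KDC (separate credentials, no trust needed)"
    }
    if ($target -eq $HomeRealm) { return 'home TGT' }
    return "referral TGT for $target (issued by home KDC over a trust)"
}

# Constructed sample of Windows 7 klist output for the scenario in the post.
$sample = @'
Current LogonId is 0:0x1a2b3

Cached Tickets: (3)

#0>	Client: brian @ LINGPOPO.NET
	Server: krbtgt/LINGPOPO.NET @ LINGPOPO.NET
	KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
	Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent

#1>	Client: brian @ BANK.CORP.COM
	Server: krbtgt/BANK.CORP.COM @ BANK.CORP.COM
	KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
	Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent

#2>	Client: brian @ BANK.CORP.COM
	Server: cifs/fileserver01.bank.corp.com @ BANK.CORP.COM
	KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
	Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
'@ -split "`r?`n"

$home    = 'LINGPOPO.NET'
$tickets = ConvertFrom-KlistOutput -Lines $sample
$tickets |
    Select-Object Client, ClientRealm, Service, ServerRealm,
        @{ n = 'Kind'; e = { Get-TicketKind -Ticket $_ -HomeRealm $home } } |
    Format-Table -AutoSize

# Anything outside the logon realm, which is what stood out in the post:
$tickets | Where-Object { $_.ClientRealm -ne $home -or $_.ServerRealm -ne $home } |
    Format-Table Client, Service, ServerRealm -AutoSize

# Live machine: ConvertFrom-KlistOutput -Lines (klist) | Group-Object ClientRealm
```

The distinction the Kind column draws is the one worth checking when a resource outside the forest suddenly works over Kerberos: a referral TGT (krbtgt/BANK.CORP.COM @ LINGPOPO.NET) means a trust path exists, whereas a client principal in BANK.CORP.COM holding a krbtgt/BANK.CORP.COM @ BANK.CORP.COM ticket means the workstation went to that realm's KDC with its own credentials, and a network trace to that KDC (AS-REQ, then TGS-REQ for cifs/...) is the way to confirm it.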

Anyway random stuff and quite interesting, at least to me…

Got a response from Microsoft which says the functionality was always there, but IMHO it wasn't... going to dig out an XP and Vista VPC and retest just to be sure...

Update 7/1/09: I recompiled and used this old tool of mine http://www.brianhehir.com/ktickets.exe to try and validate the tickets under Windows 7 and Windows XP. Running this tool under Windows 7 gives totally different results to running KLIST.EXE under Windows 7, but the results from ktickets.exe are consistent between Windows 7 and Windows XP. So is it just klist.exe that is different between Windows 7 and Windows XP, or is there some underlying fundamental difference with Kerberos in Windows 7? The only way to be sure is to take a network trace and compare...

6 comments:

  1. Received a response from Microsoft here http://social.microsoft.com/Forums/en-US/partnerwinclient7rc/thread/1d73bc86-37b2-4201-8dfd-e2366495c6b8 basically saying yes, Kerberos is updated in Windows 7, but the functionality is not new! I'm going to verify that as I've not seen it in XP or Vista.

  2. Great precise info, I've been searching on this topic for a while. Bookmarked and recommended!
    Rosetta Stone

  3. Aw, this was a really quality post. In theory I'd like to write like this too, taking time and real effort to make a good article... but what can I say... I procrastinate a lot and never seem to get anything done.
    windows product key

  4. Wow, that was odd. I just wrote a very long comment, but after I clicked submit my comment didn't appear. Grrrr... well, I'm not writing all that over again. Anyway, just wanted to say wonderful blog!
    Web hosting


  5. I like the valuable info you provide in your articles. I'll bookmark your weblog and check again here frequently. I am quite certain I'll learn a lot of new stuff right here! Best of luck for the next one.
    webhosting

  6. I'm happy looking at your blog with its refreshed information! You rock, and I hope you will post more sites related to this one.
    electric staple gun
    hardwood flooring staples
