Security

Reply

AD Integration - Dynamic DNS Problems
aavi
Member
Posts: 1

‎07-19-2013 01:05 AM

8644     0

Hi all,

i'm trying to integrate my AD environment with the infoblox DNS. I would like to let my AD clients to dynamically update the dns name on the nios appliance.

Right now the nios appliances are not managing the DHCP, so I want to do GSS-TSIG updates from Clients to Infoblox dns servers.

The nios version is: 6.7.1-204398 I already have my dns zone (authoritative) with AD integration (svc entries & co.) and all works just fine. I tried to follow the admin guide ( "Accepting GSS-TSIG-Authenticated Updates" page 642), the config seems ok but i'm not able to receive authenticated updates.

When i try to update the dns record from an XP machine, I obtain this error message:

err client 192.168.XX.XX#1103: view 1: update 'unitn.it/IN' denied
2013-07-19T09:50:01+02:00 daemon (none) named[26063]: err 192.168.XX.XX#1104: GSS-TSIG authentication failed for (DNS/xxx.unitn.it@UNITN.IT, kvno 2, des-cbc-md5): key not found
2013-07-19T09:50:01+02:00 daemon (none) named[26063]: err gss_accept_sec_context: continuation call to routine required
 
when i try to do dthe same from a win7 machine, i'm getting only the first error message ( update denied ).
 
Any hint on how to solve this ?
My domain is a 2003 R2 domain, so i also followed this kb:
15331 Using GSS-TSIG for a Windows 7 or Windows Server 2008 R2 in a Windows Server 2003 AD Server environment
 
thank you!
marco
 
Reply
0 Kudos

Re: AD Integration - Dynamic
BGriffin
Techie
Posts: 4

‎08-12-2013 10:37 AM

8645     0

Bump.  

i am going to try this but before i do i would like to know if this is an issue

Reply
0 Kudos

Re: AD Integration - Dynamic
BloxDSB
Guru
Posts: 60

‎08-19-2013 03:56 PM

8645     0

Hi Marco,

If you have not found a resolution to this problem, you should contact Infoblox support at https://support.infoblox.com/. 

Thanks,

 

Christine

Reply
0 Kudos

Re: AD Integration - Dynamic
DEvans
Expert
Posts: 181

‎08-23-2013 08:41 AM

8645     0

http://www.accumuli.com/infoblox-and-gss-tsig-i-3187.php

 

The info on that web page helped me greatly in geting GSS-TSIG working in my enviroment.  It was a much better explination, with real world examples than the admin guide.

Reply
0 Kudos

Re: AD Integration - Dynamic
SSieber
Adviser
Posts: 101

‎09-04-2013 06:45 AM

8645     0

When you create the keytab file on windows (as in Admin Guide page 648) try the following for crypto

- crypto: all

or

-crypto RC4-HMAC-NT

(both will work for W2k8 R2 Server & W7k PCs)

Please delete your current AD GSS-TSIG user and create a new one before you create the keytab.

//Stefan

Reply
0 Kudos

Re: AD Integration - Dynamic DNS Problems
aralvidra02
Adviser
Posts: 73

‎05-05-2020 07:17 AM

8645     0

Hi,

 

I've the same problem with you. This error typically issued on microsoft behaviour where the old kerberos key are not timing out when you create the new one.

 

to purge the kerberos ticket cache i follow this guide https://blogs.technet.microsoft.com/tspring/2014/06/23/viewing-and-purging-cached-kerberos-tickets/, and now the client are success to update to Infoblox on my environment.

 

Thanks

Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements

Infoblox Experts Community

You have reached the maximum number of topics allowed as a visitor. Please Login or Join the community to continue to read.

Join for free

TOPICS REMAINING

Register for unlimited browsing. Registration is FREE.

Join Community