I setup an env as below:
A w2k3 server sps.xxx.edu is running IIS(SharePoint Server
installed), it's in domain xxx.edu, not controller.
A unix kdc for realm: REALM.xxx.edu, necessary princs
created using enctype:des-cbc-crc.
A domain controller ad.xxx.edu, w2k3, 2-way trust with
unix realm kdc, trust delegate to sps.xxx.edu, user abc is
mapped to a princ on unix kdc, setspn setup as told in
technet articles.
A client pc, TESTER, running winxp sp2.

all windows machines above have run ksetup /addkdc ...

Now my problem is:
when TESTER, the winxp client, is in domain xxx.edu, it
can access SPS using Kerberos very well.
but when I remove TESTER from any domain and specify some
workgroup, the kerberos auth failed.

btw, i visited the iis/sps server via FQDN, which has been
added with setspn.

So how can i use Kerb auth on a non-domain client to a
domain-member IIS?

[ Post a follow-up to this message ]

Did you ever have any luck resolving this issue?  I'm running into the same
issue with our w2k3/kerberos deployment.

Thanks,
Matt

"FreX" wrote:

> I setup an env as below:
> A w2k3 server sps.xxx.edu is running IIS(SharePoint Server
> installed), it's in domain xxx.edu, not controller.
> A unix kdc for realm: REALM.xxx.edu, necessary princs
> created using enctype:des-cbc-crc.
> A domain controller ad.xxx.edu, w2k3, 2-way trust with
> unix realm kdc, trust delegate to sps.xxx.edu, user abc is
> mapped to a princ on unix kdc, setspn setup as told in
> technet articles.
> A client pc, TESTER, running winxp sp2.
>
> all windows machines above have run ksetup /addkdc ...
>
> Now my problem is:
> when TESTER, the winxp client, is in domain xxx.edu, it
> can access SPS using Kerberos very well.
> but when I remove TESTER from any domain and specify some
> workgroup, the kerberos auth failed.
>
> btw, i visited the iis/sps server via FQDN, which has been
> added with setspn.
>
> So how can i use Kerb auth on a non-domain client to a
> domain-member IIS?
>
>

[ Post a follow-up to this message ]