Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. "NetBIOS domain name\username" format cannot be used with the Kerberos referral mechanism to log on to a computer in a cross-forest environment

"NetBIOS domain name\username" format cannot be used with the Kerberos referral mechanism to log on to a computer in a cross-forest environment

View products that this article applies to.

Symptoms

This article describes a hotfix for Kerberos authentication that must be installed on Windows Server 2008 R2-based and Windows Server 2008-based global catalogs.

Currently, Kerberos authentication enables a user to log on to a domain-joined computer by using user credentials in one of the following formats:
  • User principal name (UPN)
  • FQDN domain name\username
  • NetBIOS domain name\username
The Kerberos referral mechanism works correctly in all environments when you use the UPN or "FQDN domain name\username" formats. However, when you use the "NetBIOS domain name\username" format, the Kerberos referral mechanism works correctly only in a single forest environment. The "NetBIOS domain name\username" format cannot be used for user accounts in a child domain when the Kerberos referral mechanism is working in a cross-forest environment in which trusts are established among the forests.

For example, when you try to use the "NetBIOS domain name\username" format to log on as a user in a child domain in a trusted forest on a computer that is running Windows 8 Customer Preview, the authentication process fails. However, you can use the "NetBIOS domain name\username" format for user accounts in the forest root domain of the trusted forest.

This issue affects applications that use Kerberos service for user (S4U) extensions to create a context for a user in a trusted forest. For example, consider the following scenario:
  • A user has an application that uses a Kerberos S4U extension on a server in forest A.
  • The user is in the child domain of trusted forest B.
  • The Kerberos S4U extension is invoked to pass the NetBIOS name of the child domain in forest B.
In this situation, the Key Distribution Center (KDC) in forest A cannot generate a Kerberos referral path to trusted forest B, and you receive a "KDC_ERR_S_PRINCIPAL_UNKNOWN (7)" error.

↑ Back to the top

Cause

The global catalog recognizes the NetBIOS names of trusted forest root domains but does not recognize the NetBIOS names of child domains in trusted forests. Therefore, when the KDC in one forest tries to find the KDC of a child domain in another forest by using the "NetBIOS domain name\username" format, the global catalog cannot lookup the domain. This behavior causes the KDC to fail because the KDC cannot create a referral ticket.

↑ Back to the top

Resolution

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website:
http://support.microsoft.com/contactus/?ws=support
Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running Windows Server 2008 R2 Service Pack 1 (SP1) or Windows Server 2008 SP2. Additionally, the Active Directory Domain Services (AD DS) role must be installed on the computer.

For more information about how to obtain a Windows Server 2008 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

968849 How to obtain the latest service pack for Windows Server 2008

For more information about how to obtain a Windows 7 or Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To apply the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You must restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

File information

The global version of this hotfix installs files that have the attributes that are listed in the following tables. The dates and the times for these files are listed in Coordinated Universal Time (UTC). The dates and the times for these files on your local computer are displayed in your local time together with your current daylight saving time (DST) bias. Additionally, the dates and the times may change when you perform certain operations on the files.
Windows Server 2008 file information notes
Important Windows Vista hotfixes and Windows Server 2008 hotfixes are included in the same packages. However, only "Windows Vista" is listed on the Hotfix Request page. To request the hotfix package that applies to one or both operating systems, select the hotfix that is listed under "Windows Vista" on the page. Always refer to the "Applies To" section in articles to determine the actual operating system that each hotfix applies to.
  • The files that apply to a specific product, SR_Level (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
    VersionProductSR_LevelService branch
    6.0.600
    2.
    22xxx    		Windows Server 2008SP2LDR
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008" section. MUM files and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x86-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Ksecdd.sys6.0.6002.22869440,70425-Jun-201210:59x86
Lsasrv.dll6.0.6002.229621,260,03231-Oct-201202:39x86
Lsasrv.mofNot Applicable13,78009-Sep-201111:41Not Applicable
Lsass.exe6.0.6002.229629,72831-Oct-201201:21x86
Secur32.dll6.0.6002.2296272,70431-Oct-201202:40x86
Wdigest.dll6.0.6002.22964175,10402-Nov-201209:05x86
Msv1_0.dll6.0.6002.22964218,62402-Nov-201209:03x86
Schannel.dll6.0.6002.22964279,55202-Nov-201209:04x86
For all supported x64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Ksecdd.sys6.0.6002.22869516,48025-Jun-201210:59x64
Lsasrv.dll6.0.6002.229621,690,62431-Oct-201203:48x64
Lsasrv.mofNot Applicable13,78015-Nov-201115:19Not Applicable
Lsass.exe6.0.6002.2296211,26431-Oct-201202:09x64
Secur32.dll6.0.6002.2296294,72031-Oct-201203:50x64
Wdigest.dll6.0.6002.22964205,31202-Nov-201209:43x64
Msv1_0.dll6.0.6002.22964269,31202-Nov-201209:41x64
Schannel.dll6.0.6002.22964348,16002-Nov-201209:42x64
Lsasrv.mofNot Applicable13,78009-Sep-201111:41Not Applicable
Secur32.dll6.0.6002.2296277,31231-Oct-201202:41x86
Wdigest.dll6.0.6002.22964175,10402-Nov-201209:05x86
Msv1_0.dll6.0.6002.22964218,62402-Nov-201209:03x86
Schannel.dll6.0.6002.22964279,55202-Nov-201209:04x86
For all supported IA-64-based versions of Windows Server 2008
File nameFile versionFile sizeDateTimePlatform
Ksecdd.sys6.0.6002.228691,029,50425-Jun-201212:17IA-64
Lsasrv.dll6.0.6002.229623,262,46431-Oct-201202:11IA-64
Lsasrv.mofNot Applicable13,78015-Mar-201105:54Not Applicable
Lsass.exe6.0.6002.2296217,92031-Oct-201201:07IA-64
Secur32.dll6.0.6002.22962202,75231-Oct-201202:13IA-64
Wdigest.dll6.0.6002.22964482,30402-Nov-201207:42IA-64
Msv1_0.dll6.0.6002.22964570,36802-Nov-201207:40IA-64
Schannel.dll6.0.6002.22964812,03202-Nov-201207:41IA-64
Lsasrv.mofNot Applicable13,78009-Sep-201111:41Not Applicable
Secur32.dll6.0.6002.2296277,31231-Oct-201202:41x86
Wdigest.dll6.0.6002.22964175,10402-Nov-201209:05x86
Msv1_0.dll6.0.6002.22964218,62402-Nov-201209:03x86
Schannel.dll6.0.6002.22964279,55202-Nov-201209:04x86
Windows Server 2008 R2 file information notes
  • The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
    VersionProductMilestoneService branch
    6.1.760
    1.21xxx    		Windows Server 2008 R2SP1LDR
  • The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately in the "Additional file information for Windows Server 2008 R2" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are extremely important to maintain the state of the updated components. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.
For all supported x64-based versions of Windows Server 2008 R2
File nameFile versionFile sizeDateTimePlatform
Cng.sys6.1.7601.21920459,23210-Feb-201206:27x64
Ksecdd.sys6.1.7601.2192095,60010-Feb-201206:30x64
Ksecpkg.sys6.1.7601.21920152,43210-Feb-201206:30x64
Lsasrv.dll6.1.7601.219201,446,91210-Feb-201206:24x64
Lsass.exe6.1.7601.2192031,23210-Feb-201206:21x64
Secur32.dll6.1.7601.2192028,16010-Feb-201206:27x64
Sspicli.dll6.1.7601.21920136,19210-Feb-201206:27x64
Sspisrv.dll6.1.7601.2192029,18410-Feb-201206:27x64
Schannel.dll6.1.7601.21920340,99210-Feb-201206:27x64
Secur32.dll6.1.7601.2192022,01610-Feb-201205:31x86
Sspicli.dll6.1.7601.2192096,76810-Feb-201205:24x86
Schannel.dll6.1.7601.21920224,76810-Feb-201205:31x86

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Additional file information

Additional file information for Windows Server 2008

Additional files for all supported x86-based versions of Windows Server 2008
File nameUpdate.mum
File versionNot Applicable
File size2,414
Date (UTC)05-Nov-2012
Time (UTC)06:49
PlatformNot Applicable
File nameX86_8ef47bef22efbe4758053c5df2df9ce0_31bf3856ad364e35_6.0.6002.22964_none_5cfc9bcdbc3579ac.manifest
File versionNot Applicable
File size703
Date (UTC)05-Nov-2012
Time (UTC)06:49
PlatformNot Applicable
File nameX86_b9505bb7fa7cde6dbc361a669fb9ea6d_31bf3856ad364e35_6.0.6002.22962_none_02c42b1416ef8ddc.manifest
File versionNot Applicable
File size1,385
Date (UTC)05-Nov-2012
Time (UTC)06:49
PlatformNot Applicable
File nameX86_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22962_none_a87bcf63733de825.manifest
File versionNot Applicable
File size34,354
Date (UTC)31-Oct-2012
Time (UTC)02:52
PlatformNot Applicable
File nameX86_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.22964_none_3d00904c9325f666.manifest
File versionNot Applicable
File size9,924
Date (UTC)02-Nov-2012
Time (UTC)19:19
PlatformNot Applicable
File nameX86_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.22964_none_7ee6320878fba5b5.manifest
File versionNot Applicable
File size18,890
Date (UTC)02-Nov-2012
Time (UTC)19:18
PlatformNot Applicable
File nameX86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.22964_none_244990436bb3b95e.manifest
File versionNot Applicable
File size18,090
Date (UTC)02-Nov-2012
Time (UTC)19:18
PlatformNot Applicable
Additional files for all supported x64-based versions of Windows Vista and of Windows Server 2008
File nameAmd64_5f7a6f1cb380ad3f15f00c7717c25e62_31bf3856ad364e35_6.0.6002.22962_none_adba1bba9f346b10.manifest
File versionNot Applicable
File size2,428
Date (UTC)05-Nov-2012
Time (UTC)06:49
PlatformNot Applicable
File nameAmd64_7a0d0b625d1093b6d1c27220008526b4_31bf3856ad364e35_6.0.6002.22964_none_6289d7a875991eb4.manifest
File versionNot Applicable
File size1,056
Date (UTC)05-Nov-2012
Time (UTC)06:49
PlatformNot Applicable
File nameAmd64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22962_none_049a6ae72b9b595b.manifest
File versionNot Applicable
File size34,442
Date (UTC)31-Oct-2012
Time (UTC)04:04
PlatformNot Applicable
File nameAmd64_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.22964_none_991f2bd04b83679c.manifest
File versionNot Applicable
File size9,948
Date (UTC)02-Nov-2012
Time (UTC)21:36
PlatformNot Applicable
File nameAmd64_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.22964_none_db04cd8c315916eb.manifest
File versionNot Applicable
File size18,926
Date (UTC)02-Nov-2012
Time (UTC)21:35
PlatformNot Applicable
File nameAmd64_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.22964_none_80682bc724112a94.manifest
File versionNot Applicable
File size18,120
Date (UTC)02-Nov-2012
Time (UTC)21:35
PlatformNot Applicable
File nameUpdate.mum
File versionNot Applicable
File size2,432
Date (UTC)05-Nov-2012
Time (UTC)06:49
PlatformNot Applicable
File nameWow64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22962_none_0eef15395ffc1b56.manifest
File versionNot Applicable
File size21,959
Date (UTC)31-Oct-2012
Time (UTC)02:45
PlatformNot Applicable
File nameWow64_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.22964_none_a373d6227fe42997.manifest
File versionNot Applicable
File size10,140
Date (UTC)02-Nov-2012
Time (UTC)12:37
PlatformNot Applicable
File nameWow64_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.22964_none_e55977de65b9d8e6.manifest
File versionNot Applicable
File size17,843
Date (UTC)02-Nov-2012
Time (UTC)12:37
PlatformNot Applicable
File nameWow64_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.22964_none_8abcd6195871ec8f.manifest
File versionNot Applicable
File size17,557
Date (UTC)02-Nov-2012
Time (UTC)12:38
PlatformNot Applicable
Additional files for all supported IA-64-based versions of Windows Server 2008
File nameIa64_47c4448c792a4e9f19d1fb71c1e8d5bf_31bf3856ad364e35_6.0.6002.22962_none_4d0400afb888c8d7.manifest
File versionNot Applicable
File size2,424
Date (UTC)05-Nov-2012
Time (UTC)06:48
PlatformNot Applicable
File nameIa64_bfca6d3dad73255cc325fb52edb0f8ad_31bf3856ad364e35_6.0.6002.22964_none_19744a548efb0ef9.manifest
File versionNot Applicable
File size1,054
Date (UTC)05-Nov-2012
Time (UTC)06:48
PlatformNot Applicable
File nameIa64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22962_none_a87d7359733bf121.manifest
File versionNot Applicable
File size34,398
Date (UTC)31-Oct-2012
Time (UTC)02:20
PlatformNot Applicable
File nameIa64_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.22964_none_3d0234429323ff62.manifest
File versionNot Applicable
File size9,936
Date (UTC)02-Nov-2012
Time (UTC)13:46
PlatformNot Applicable
File nameIa64_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.22964_none_7ee7d5fe78f9aeb1.manifest
File versionNot Applicable
File size18,908
Date (UTC)02-Nov-2012
Time (UTC)13:44
PlatformNot Applicable
File nameIa64_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.22964_none_244b34396bb1c25a.manifest
File versionNot Applicable
File size18,105
Date (UTC)02-Nov-2012
Time (UTC)13:45
PlatformNot Applicable
File nameUpdate.mum
File versionNot Applicable
File size2,257
Date (UTC)05-Nov-2012
Time (UTC)06:48
PlatformNot Applicable
File nameWow64_microsoft-windows-lsa_31bf3856ad364e35_6.0.6002.22962_none_0eef15395ffc1b56.manifest
File versionNot Applicable
File size21,959
Date (UTC)31-Oct-2012
Time (UTC)02:45
PlatformNot Applicable
File nameWow64_microsoft-windows-security-digest_31bf3856ad364e35_6.0.6002.22964_none_a373d6227fe42997.manifest
File versionNot Applicable
File size10,140
Date (UTC)02-Nov-2012
Time (UTC)12:37
PlatformNot Applicable
File nameWow64_microsoft-windows-security-ntlm_31bf3856ad364e35_6.0.6002.22964_none_e55977de65b9d8e6.manifest
File versionNot Applicable
File size17,843
Date (UTC)02-Nov-2012
Time (UTC)12:37
PlatformNot Applicable
File nameWow64_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6002.22964_none_8abcd6195871ec8f.manifest
File versionNot Applicable
File size17,557
Date (UTC)02-Nov-2012
Time (UTC)12:38
PlatformNot Applicable

Additional file information for Windows Server 2008 R2

Additional files for all supported x64-based versions of Windows Server 2008 R2
File nameAmd64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.21920_none_04eb619a8c94104b.manifest
File versionNot Applicable
File size99,810
Date (UTC)10-Feb-2012
Time (UTC)06:54
PlatformNot Applicable
File nameAmd64_microsoft-windows-security-schannel_31bf3856ad364e35_6.1.7601.21920_none_80b721e6850baed6.manifest
File versionNot Applicable
File size12,921
Date (UTC)10-Feb-2012
Time (UTC)06:59
PlatformNot Applicable
File nameWow64_microsoft-windows-lsa_31bf3856ad364e35_6.1.7601.21920_none_0f400becc0f4d246.manifest
File versionNot Applicable
File size86,382
Date (UTC)10-Feb-2012
Time (UTC)05:51
PlatformNot Applicable
File nameWow64_microsoft-windows-security-schannel_31bf3856ad364e35_6.1.7601.21920_none_8b0bcc38b96c70d1.manifest
File versionNot Applicable
File size6,945
Date (UTC)10-Feb-2012
Time (UTC)05:50
PlatformNot Applicable

↑ Back to the top

Keywords: kb, kbautohotfix, kbqfe, kbhotfixserver, kbfix, kbsurveynew, kbexpertiseinter

↑ Back to the top

Article Info
Article ID : 2675498
Revision : 1
Created on : 3/21/2017
Published on : 12/13/2012
Exists online : False
Views : 326