Heimdal 0.2 and Windows 2000 - preauthentication

["Petr Holub" <hopet@chemi.muni.cz>]

Hi all!

We've a problem with Windows2000 when turning on the preauthentication
on Heimdal 0.2 KDC. According to KDC log it seems KDC challenges Win2k
to preauthenticate but Win2k do nothing. According to MS whitepapers
preauthentication should work in Win2k (at least between
Win2k Prof (station) and Win2k Server using Active Directory
- it should be even the default way so you have to turn
it off for respective user when you want to get rid of it
on Win2k Server). Do you know some way how to make
preauthentication work with Heimdal KDC?

And question No. 2: I've built Heimdal 0.2m on Win2k using
Cygnus 20.1 beta. I'm able to authenticate in (unix) realm which
doesn't use preauthentication but I'm not able authenticate into a domain
which uses (requires) preauthentication. KDC complains a clock skew
is too great and kauth says:
kauth.exe: krb5_get_init_creds: Preauthentication failed
I suspect Win there might be some problem with telling the
time. Similar thing occurs when using forwardable creditals
in telnet:
[ Kerberos V5 refuses forwarded credentials because Read forwarded creds failed:
Clock skew too great ]
Has anybody an idea how to correct it?

Many thanks beforehand,
Petr Holub


=============================================================
                         Petr Holub
                         SCB UVT MU
              Botanicka 68a, Brno, CZ - 60200
                 Phone: +420-5-41512278
               E-mail: hopet@ics.muni.cz