
Re: Preauthentication failed



On Fri, 18 May 2007 23:41:16 +0200
Florian Erfurth <floh-erfurth@arcor.de> wrote:

> Michael B Allen wrote:
> 
> > On Tue, 15 May 2007 14:00:57 +0200
> > Florian Erfurth <floh-erfurth@arcor.de> wrote:
> > 
> >> Hi, I followed the steps described in http://www.grolmsnet.de/kerbtut/.
> >> Unfortunately I get an error if I enter the following:
> >> >>>
> >> -bash-3.00# kinit -k -t /usr/local/etc/apache2/bsdflohkeytab HTTP/BSDfloh.domain.tld
> >> kinit: krb5_get_init_creds: Preauthentication failed
> >> <<<
> >>
> >> How can I find out why the preauthentication failed? Could any of
> >> you give me a hint as to what could be wrong?
> >> 
> >> I'm using FreeBSD 6.2 and Windows 2003 is installed as Domain Controller.
> >>
> > 
> > Preauthentication failed ~= bad password
> > 
> > The key, enctype or version number doesn't match what the Windows KDC
> > has. Re-run ktpass.exe and copy the keytab file over again.
> 
> See below.
> 
> >> PS2: How do I know more from my keytab-file (I need info about kvno,
> >> principal name and encryption type)?
> > 
> > $ ktutil -k keytab list
> 
> Thank you very much. Now I was able to check the keytab. I did the following
> commands:
> 
> >>>
> -bash-3.00# kinit florian.erfurth@DOMAIN.TLD
> florian.erfurth@DOMAIN.TLD's Password:
> kinit: NOTICE: ticket renewable lifetime is 10 hours
> -bash-3.00# kgetcred HTTP/BSDfloh.domain.tld@DOMAIN.TLD
> -bash-3.00# klist -v
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: florian.erfurth@DOMAIN.TLD
>     Cache version: 4
> 
> Server: krbtgt/DOMAIN.TLD@DOMAIN.TLD
> Ticket etype: arcfour-hmac-md5, kvno 2
> Auth time:  May 18 20:39:28 2007
> End time:   May 19 03:19:31 2007
> Renew till: May 19 06:39:28 2007
> Ticket flags: renewable, initial, pre-authenticated
> Addresses: IPv4:192.168.0.120
> 
> Server: HTTP/BSDfloh.domain.tld@DOMAIN.TLD
> Ticket etype: des-cbc-md5, kvno 3
> Auth time:  May 18 20:39:28 2007
> Start time: May 18 20:39:31 2007
> End time:   May 19 03:19:31 2007
> Ticket flags: pre-authenticated
> Addresses: IPv4:192.168.0.120
> 
> -bash-3.00# ktutil -k bsdflohkeytab list
> bsdflohkeytab:
> 
> Vno  Type         Principal
>   3  des-cbc-md5  HTTP/BSDfloh.domain.tld@DOMAIN.TLD
> -bash-3.00# kinit -k -t /usr/local/etc/apache2/bsdflohkeytab HTTP/BSDfloh.domain.tld
> kinit: krb5_get_init_creds: Preauthentication failed

Looks like the key is wrong. Re-run ktpass.exe and copy the keytab file
over again.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
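
Added example, not part of the original thread: a small Python reader for the version 0x0502 keytab file layout that reports the same kvno, enctype and principal columns as `ktutil list`, plus a check of those values against what `klist -v` shows for the service ticket. The sample keytab is constructed with dummy key bytes, and `build_sample` and `matches_ticket` are hypothetical helper names.

```python
import struct

# Enctype numbers from the Kerberos registry; only those seen in this thread.
ENCTYPES = {3: "des-cbc-md5", 23: "arcfour-hmac-md5"}

def _parse_entry(rec):
    off = 0
    def counted():
        nonlocal off
        (n,) = struct.unpack_from(">H", rec, off)
        s = rec[off + 2:off + 2 + n]
        off += 2 + n
        return s.decode()
    (ncomp,) = struct.unpack_from(">H", rec, off)
    off += 2
    realm = counted()
    name = "/".join(counted() for _ in range(ncomp))
    _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
    off += 13 + klen                    # step over the key; never print it
    if len(rec) - off >= 4:             # optional 32-bit kvno, used if nonzero
        kvno = struct.unpack_from(">I", rec, off)[0] or kvno
    return kvno, ENCTYPES.get(etype, str(etype)), f"{name}@{realm}"

def parse_keytab(data):
    """Return (kvno, enctype, principal) for each live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)                # negative size marks a deleted slot
    return entries

def build_sample():
    """Constructed keytab mirroring the thread's entry; key bytes are dummy."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    rec = (struct.pack(">H", 2) + cs("DOMAIN.TLD") + cs("HTTP") +
           cs("BSDfloh.domain.tld") + struct.pack(">IIBHH", 1, 0, 3, 3, 8) +
           b"\x00" * 8)
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec

def matches_ticket(entries, principal, kvno, etype):
    """True if the keytab has an entry with the kvno/etype the KDC issued."""
    return (kvno, etype, principal) in entries

if __name__ == "__main__":
    print(parse_keytab(build_sample()))
```

When kvno and enctype both match the issued ticket, as they do in the output quoted above, the remaining candidate is the key material itself, which this listing cannot validate.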