[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Preauthentication failed

To: <heimdal-discuss@sics.se>, "Michael B Allen" <mba2000@ioplex.com>
Subject: Re: Preauthentication failed
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Tue, 22 May 2007 22:36:02 +0100
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <f2c7lj$47d$1@sea.gmane.org><20070515121828.f8249759.mba2000@ioplex.com><f2l6so$ke1$1@sea.gmane.org><20070518194930.bc3a2876.mba2000@ioplex.com><f2v59p$apf$1@sea.gmane.org><151901c79cac$485e3530$0801a8c0@home> <20070522170553.b827fece.mba2000@ioplex.com>
Reply-To: heimdal-discuss@sics.se, "Markus Moeller" <huaraz@moeller.plus.com>

accounts have (in our environment) a password expiry which otherwise would 
mean exception for users with a service principal or the keytab will get 
invalid.

Look for Dan Perry's msktutil a tool you can use on your Unix box to create 
a computer account in AD and write the principal  into a keytab. BTW there 
are other tools doing the same.

Regards
Markus

----- Original Message ----- 
From: "Michael B Allen" <mba2000@ioplex.com>
To: "Florian Erfurth" <floh-erfurth@arcor.de>
Cc: <heimdal-discuss@sics.se>; "Markus Moeller" <huaraz@moeller.plus.com>
Sent: Tuesday, May 22, 2007 10:05 PM
Subject: Re: Preauthentication failed


> On Tue, 22 May 2007 21:03:35 +0100
> "Markus Moeller" <huaraz@moeller.plus.com> wrote:
>
>> Florian,
>>
>> you may have hit a bug in ktpass on 2003. If  I understand your command
>> right you are using a computer account BSDflohKerberos$ and not a user
>> account. If I remember right the salt is not build out of the service 
>> HTTP
>> but uses host instead. This happen only for computer accounts. Can you 
>> try
>> to map to a user account.
>
> Florian,
>
> Marcus is right. DES with computer accounts has problems last I checked. I
> strongly recommend using a regular User account and RC4.
>
> Mike
>
>> ----- Original Message ----- 
>> From: "Florian Erfurth" <floh-erfurth@arcor.de>
>> To: <heimdal-discuss@sics.se>
>> Sent: Tuesday, May 22, 2007 5:13 PM
>> Subject: Re: Preauthentication failed
>>
>>
>> > Hi Michael,
>> > thank you for your quick response!
>> >
>> > Michael B Allen wrote:
>> >
>> >>> > [SNIP]
>> >> Looks like the key is wrong. Re-run ktpass.exe and copy the keytab 
>> >> file
>> >> over again.
>> >
>> > I did that, what you did suggest. I get still the same error. :( Did I
>> > entered the right:
>> > C:\>ktpass -princ HTTP/BSDfloh.domain.tld@DOMAIN.TLD -mapuser
>> > domain\BSDflohKerberos$ -crypto DES-CBC-MD5 -pass longlongpassword -out 
>> > c
>> > \temp\BSDflohkeytab
>> >
>> > Question: Which password should I use for '-pass'? Do I create a new
>> > password with this command or should I use *which* password?
>> >
>> >> Mike
>> > Floh
>> >
>>
>>
>
>
> -- 
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
>

Follow-Ups:
- Re: Preauthentication failed
  - From: Michael B Allen <mba2000@ioplex.com>

References:
- Preauthentication failed
  - From: Florian Erfurth <floh-erfurth@arcor.de>
- Re: Preauthentication failed
  - From: Michael B Allen <mba2000@ioplex.com>
- Re: Preauthentication failed
  - From: Florian Erfurth <floh-erfurth@arcor.de>
- Re: Preauthentication failed
  - From: Michael B Allen <mba2000@ioplex.com>
- Re: Preauthentication failed
  - From: Florian Erfurth <floh-erfurth@arcor.de>
- Re: Preauthentication failed
  - From: "Markus Moeller" <huaraz@moeller.plus.com>
- Re: Preauthentication failed
  - From: Michael B Allen <mba2000@ioplex.com>

Prev by Date: Re: Preauthentication failed
Next by Date: Re: Preauthentication failed
Prev by thread: Re: Preauthentication failed
Next by thread: Re: Preauthentication failed
Index(es):
- Date
- Thread