
Re: Preauthentication failed



Hi Markus,

On Tue, 22 May 2007 22:36:02 +0100
"Markus Moeller" <huaraz@moeller.plus.com> wrote:

> From my experience Computer accounts are fine and we prefer them, as user 
> accounts have (in our environment) a password expiry which would otherwise 
> mean an exception for users with a service principal, or the keytab will 
> become invalid.

Ahh, interesting. I didn't think Computer accounts differed in this
respect. In fact my guess was that the Computer account password policy
was maybe hardcoded to expire, reasoning that computers routinely change their
account password. But perhaps a Computer account for services would
be better.

> Look for Dan Perry's msktutil a tool you can use on your Unix box to create 
> a computer account in AD and write the principal  into a keytab. BTW there 
> are other tools doing the same.

Actually we have code for doing exactly this sort of thing:

  http://www.ioplex.com/api/plexcel_gen_service_keytab.html

It's used by our setup script to allow the operator to create
an HTTP service account without touching the Windows side.

Mike

> ----- Original Message ----- 
> From: "Michael B Allen" <mba2000@ioplex.com>
> To: "Florian Erfurth" <floh-erfurth@arcor.de>
> Cc: <heimdal-discuss@sics.se>; "Markus Moeller" <huaraz@moeller.plus.com>
> Sent: Tuesday, May 22, 2007 10:05 PM
> Subject: Re: Preauthentication failed
> 
> 
> > On Tue, 22 May 2007 21:03:35 +0100
> > "Markus Moeller" <huaraz@moeller.plus.com> wrote:
> >
> >> Florian,
> >>
> >> you may have hit a bug in ktpass on 2003. If I understand your command
> >> right you are using a computer account BSDflohKerberos$ and not a user
> >> account. If I remember right the salt is not built out of the service HTTP
> >> but uses host instead. This happens only for computer accounts. Can you try
> >> to map to a user account?
> >
> > Florian,
> >
> > Marcus is right. DES with computer accounts has problems last I checked. I
> > strongly recommend using a regular User account and RC4.
> >
> > Mike
> >
> >> ----- Original Message ----- 
> >> From: "Florian Erfurth" <floh-erfurth@arcor.de>
> >> To: <heimdal-discuss@sics.se>
> >> Sent: Tuesday, May 22, 2007 5:13 PM
> >> Subject: Re: Preauthentication failed
> >>
> >>
> >> > Hi Michael,
> >> > thank you for your quick response!
> >> >
> >> > Michael B Allen wrote:
> >> >
> >> >>> > [SNIP]
> >> >> Looks like the key is wrong. Re-run ktpass.exe and copy the keytab file
> >> >> over again.
> >> >
> >> > I did what you suggested. I still get the same error. :( Did I
> >> > enter it right:
> >> > C:\>ktpass -princ HTTP/BSDfloh.domain.tld@DOMAIN.TLD -mapuser
> >> > domain\BSDflohKerberos$ -crypto DES-CBC-MD5 -pass longlongpassword -out
> >> > c\temp\BSDflohkeytab
> >> >
> >> > Question: Which password should I use for '-pass'? Do I create a new
> >> > password with this command or should I use *which* password?
> >> >
> >> >> Mike
> >> > Floh
> >> >
> >>
> >>
> >
> >
> > -- 
> > Michael B Allen
> > PHP Active Directory Kerberos SSO
> > http://www.ioplex.com/
> > 
> 
> 


-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
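The thread comes down to a keytab whose entry does not match what the KDC expects (wrong principal form, wrong salt, DES versus RC4). Before re-running ktpass it helps to look at exactly what the keytab on the Unix side contains, the way `ktutil list` would. The following is an added example, not code from the thread, from ioplex or from msktutil: a small parser for the version 0x0502 keytab format that MIT and Heimdal write, plus a check that the expected principal is present with an exact, case-sensitive match and an acceptable enctype. The sample keytab is constructed inline with made-up key bytes; the principal name is the one from Florian's ktpass command.

```python
import struct

# Enctype numbers from RFC 3961 / RFC 4757 (registered values).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}
KRB5_NT_PRINCIPAL = 1          # name type written for ordinary service principals
KEYTAB_VERSION = b"\x05\x02"   # keytab file format version 2 (MIT and Heimdal)


def _counted(raw):
    """16-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries):
    """Encode (principal, enctype, kvno, key, timestamp) tuples as a keytab.
    Used here only to construct sample input; ktpass/ktutil write real ones."""
    out = bytearray(KEYTAB_VERSION)
    for principal, enctype, kvno, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)   # optional 32-bit vno, present in modern files
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Decode a version-0x0502 keytab into a list of entry dicts.
    A negative record size marks a deleted slot and is skipped."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                # 32-bit vno overrides the 8-bit one when set
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": ts, "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype %d" % enctype),
            "key": key,
        })
    return entries


def check_keytab(data, expected_principal, allowed_enctypes=(17, 18, 23)):
    """Findings an operator wants before blaming the KDC: an exact
    (case-sensitive) principal match and an enctype from the allowed set."""
    findings = []
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == expected_principal]
    if not matching:
        present = sorted({e["principal"] for e in entries})
        findings.append("no entry for %s; keytab holds %s" % (expected_principal, present))
    for e in matching:
        if e["enctype"] not in allowed_enctypes:
            findings.append("%s kvno %d uses %s, which is not in the allowed set"
                            % (e["principal"], e["kvno"], e["enctype_name"]))
    return findings


# Constructed sample keytab: the HTTP principal from the thread with a DES key
# (made-up key bytes) plus a host/ entry with an RC4 key and a kvno above 255.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/BSDfloh.domain.tld@DOMAIN.TLD", 3, 3, bytes(range(8)), 1179860000),
    ("host/BSDfloh.domain.tld@DOMAIN.TLD", 23, 300, bytes(range(16)), 1179860000),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-40s kvno=%-4d %s" % (e["principal"], e["kvno"], e["enctype_name"]))
    for f in check_keytab(SAMPLE_KEYTAB, "HTTP/BSDfloh.domain.tld@DOMAIN.TLD"):
        print("finding:", f)
```

Run it against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())`. Two things it makes visible that the ktpass output does not: the principal components as actually stored (so `HTTP/BSDfloh...` versus `host/...` or a differently-cased hostname shows up immediately) and the enctype, which is why the default allowed set here is AES and RC4 rather than DES. The salt is not stored in a keytab, so a salt mismatch of the kind Markus describes still has to be resolved on the KDC side; this check rules out the other causes first.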