[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Preauthentication failed

Hi, sorry for taking long to answer.

Michael B Allen wrote:

> On Thu, 24 May 2007 15:52:40 +0200
> Florian Erfurth <floh-erfurth@arcor.de> wrote:
>> Markus Moeller wrote:
>> > As I said in a previous mail DES might have a problem with salt values
>> > which don't exist when using RC4. Also RC4 is a stringer encryption and
>> > should be
>> > prefered over DES.  The new ktpass have a -crypto : RC4-HMAC-NT option
>> > which is the default.
>> Ah, thank you. Unfortunatelly there is no -crypto : RC4-HMAC-NT. It seems
>> that we don't have the newest version of ktpass. Now I have to find out
>> how to upgrade ktpass without upgrading to Win2k3 SP2 R2.
> The latest ktpass.exe is in the 'Windows Server Support Tools'
> package. You can download it from MS' website.
After installing the latest ktpass.exe the webserver successfully got the
kerberos-ticket (with -crypto DES-CBC-MD5 and computeraccount). :)

> Also, regarding your other question, create a Computer account and use
> RC4. You can also use a User account provided that your policy allows
> you to set the 'Password does not expire' flag.
Now I did try with -crypto RC4-HMAC-NT and then try with kinit... I get
following error:
kinit: krb4_get_init_creds: Additional pre-authentication required

Why? Can I keep DES-CBC-MD5, or should I better switch to RC4-HMAC-NT
because some of you told the second ones is more secure.

> Mike
Thank you very much! :)

cu Floh