[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Preauthentication failed

To: heimdal-discuss@sics.se
Subject: Re: Preauthentication failed
From: Michael B Allen <mba2000@ioplex.com>
Date: Mon, 11 Jun 2007 11:48:18 -0400
In-Reply-To: <f4jf0o$51b$1@sea.gmane.org>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Organization: IOPLEX Software
References: <f2c7lj$47d$1@sea.gmane.org><20070515121828.f8249759.mba2000@ioplex.com><f2l6so$ke1$1@sea.gmane.org><f2ldci$6rb$1@sea.gmane.org><f2v5cs$apf$2@sea.gmane.org><f2vj92$3cf$1@sea.gmane.org><f345rq$hp3$1@sea.gmane.org><20070524110805.d9f8afc5.mba2000@ioplex.com><f4jf0o$51b$1@sea.gmane.org>
Reply-To: heimdal-discuss@sics.se, Michael B Allen <mba2000@ioplex.com>

On Mon, 11 Jun 2007 14:23:26 +0200
Florian Erfurth <floh-erfurth@arcor.de> wrote:

> Hi, sorry for taking long to answer.
> 
> Michael B Allen wrote:
> 
> > On Thu, 24 May 2007 15:52:40 +0200
> > Florian Erfurth <floh-erfurth@arcor.de> wrote:
> > 
> >> Markus Moeller wrote:
> >> 
> >> > As I said in a previous mail DES might have a problem with salt values
> >> > which don't exist when using RC4. Also RC4 is a stringer encryption and
> >> > should be
> >> > prefered over DES.  The new ktpass have a -crypto : RC4-HMAC-NT option
> >> > which is the default.
> >> Ah, thank you. Unfortunatelly there is no -crypto : RC4-HMAC-NT. It seems
> >> that we don't have the newest version of ktpass. Now I have to find out
> >> how to upgrade ktpass without upgrading to Win2k3 SP2 R2.
> > 
> > The latest ktpass.exe is in the 'Windows Server Support Tools'
> > package. You can download it from MS' website.
> After installing the latest ktpass.exe the webserver successfully got the
> kerberos-ticket (with -crypto DES-CBC-MD5 and computeraccount). :)
> 
> > Also, regarding your other question, create a Computer account and use
> > RC4. You can also use a User account provided that your policy allows
> > you to set the 'Password does not expire' flag.
> Now I did try with -crypto RC4-HMAC-NT and then try with kinit... I get
> following error:
> kinit: krb4_get_init_creds: Additional pre-authentication required

Wierd. Not sure why it's trying krb4 as opposed to krb5. That must be an
MIT thing. Have you tryied the kinit from Heimdal? And 'pre-authentication
required' basically means the key was wrong. Provided you ran ktpass
successfully and then kinit with the generated keytab it should work.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/

Follow-Ups:
- Re: Preauthentication failed
  - From: Florian Erfurth <floh-erfurth@arcor.de>

References:
- Re: Preauthentication failed
  - From: Florian Erfurth <floh-erfurth@arcor.de>

Prev by Date: Re: failed to find HTTP/bsdfloh.domain.tld@DOMAIN.TLD(kvno 9) inkeytab /usr/local/etc/apache2/bsdflohkeytab
Next by Date: Re: Preauthentication failed
Prev by thread: Re: Preauthentication failed
Next by thread: Re: Preauthentication failed
Index(es):
- Date
- Thread