failed to create kerberos key: 5

Lara Adianto m1r4cle_26 at yahoo.com
Thu Jul 29 07:54:00 EDT 2004


Hi,
 
I have a strange problem with cross-realm authentication.
It's a windows 2000 machine authenticating to an MIT KDC, then it accesses a computer in a windows domain. This should be possible theoretically with ksetup, and all the necessary steps are described in the step by step kerberos interoperability document.
 
However, this is what happens in my environment:
1. The user is able to log into the windows 2000 machine with his credential in the MIT KDC. The windows 2000 is configured to be a member of a workgroup. However, when I examine the settings using ksetup, this is what I got:
ksetup:
default realm = ADIANTO.COM (external)
ADIANTO.COM:
 kdc = kerberos.adianto.com
Failed to create Kerberos key: 5 (0x5)
 
I'm not sure whether the last line is fatal.
 
2. When the user tried to access a computer in a windows domain (should be possible due to the cross realm setup), the following error occurred:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date:  7/29/2004
Time:  7:37:30 PM
User:  N/A
Computer: TEST
Description:
A Kerberos Error Message was received:
         on logon session InitializeSecurityContext
 Client Time: 
 Server Time: 
 Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
 Extended Error: KRB_AP_ERR_MODIFIED
 Client Realm: 
 Client Name: 
 Server Realm: WINDOMAIN.COM
 Server Name: krbtgt/WINDOMAIN.COM
 Target Name: HOST/Win2kServer at WINDOMAIN.COM
 Error Text: 
 File: 
 Line: 
 Error Data is in record data. 

Win2kServer is the computer that Test tried to access; it belongs to WINDOMAIN, which is a windows domain.
 
My guess is that the "Failed to create Kerberos key" error caused the KRB_AP_ERR_MODIFIED...
but I can't confirm it...
I'm not sure what caused it to fail to generate the key...
 
I've followed the steps in the step by step kerberos interoperability document carefully...
 
Any clue?
 
regards,
lara


------------------------------------------------------------------------------------
Life, you see, is never as good or as bad as one thinks
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------
Date: Thu, 29 Jul 2004 05:07:43 -0700 (PDT)
From: Lara Adianto <m1r4cle_26 at yahoo.com>
To: kerberos at mit.edu
Subject: Re: failed to create kerberos key: 5

I think I need to provide more information about my setup:
- I used UMICH patch for cross realm auth, I can see from the log file that the cross-realm ticket is issued by MIT Realm
- The krbtgt/adianto.com at windomain.com and krbtgt/windomain.com at adianto.com keys are des-cbc-crc32
- the TGT in win client:

Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: lara
DomainName: ADIANTO.COM
TargetDomainName: ADIANTO.COM
AltTargetDomainName: ADIANTO.COM
TicketFlags: 0x40c00000
KeyExpirationTime: 1/1/1601 8:00:00
StartTime: 7/29/2004 19:32:15
EndTime: 7/30/2004 19:32:15
RenewUntil: 7/29/2004 19:32:15
TimeSkew: 1/1/1601 8:00:00
 
- the tickets:

Cached Tickets: (2)
   Server: krbtgt/ADIANTO.COM at ADIANTO.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 7/30/2004 19:32:15
      Renew Time: 7/29/2004 19:32:15

   Server: host/test.adianto.com at ADIANTO.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 7/30/2004 19:32:15
      Renew Time: 7/29/2004 19:32:15

regards,
lara
 
Date: Thu, 29 Jul 2004 09:44:57 -0500
From: "Douglas E. Engert" <deengert at anl.gov>
To: Lara Adianto <m1r4cle_26 at yahoo.com>
cc: kerberos at mit.edu
Subject: Re: failed to create kerberos key: 5



Lara Adianto wrote:
> 
> Hi,
> 
> I have a strange problem with cross-realm authentication.
> It's a windows 2000 machine authenticating to an MIT KDC, then it accesses a computer in a windows domain. This should be possible theoretically with ksetup, and all the necessary steps are described in the step by step kerberos interoperability document.
> 
> However, this is what happens in my environment:
> 1. The user is able to log into the windows 2000 machine with his credential in the MIT KDC. The windows 2000 is configured to be a member of a workgroup. However, when I examine the settings using ksetup, this is what I got:
> ksetup:
> default realm = ADIANTO.COM (external)
> ADIANTO.COM:
>  kdc = kerberos.adianto.com
> Failed to create Kerberos key: 5 (0x5)

I don't see the Failed message on my machine, which is set up similarly, but I do
have some mappings of principals to local accounts.

> 
> I'm not sure whether the last line is fatal.

Since you were able to log in, and your next note shows you got
a host/test.adianto.com at ADIANTO.COM ticket during login,
the kerberos on the w2000 box looks good.

> 
> 2. When the user tried to access a computer in a windows domain (should be possible due to the cross realm setup), the following error occurred:

What do you mean "tried to access a computer in a windows domain"? 

What application are you using?

 


> Event Type: Error
> Event Source: Kerberos
> Event Category: None
> Event ID: 594
> Date:  7/29/2004
> Time:  7:37:30 PM
> User:  N/A
> Computer: TEST
> Description:
> A Kerberos Error Message was received:
>          on logon session InitializeSecurityContext
>  Client Time:
>  Server Time:
>  Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
>  Extended Error: KRB_AP_ERR_MODIFIED
>  Client Realm:
>  Client Name:
>  Server Realm: WINDOMAIN.COM
>  Server Name: krbtgt/WINDOMAIN.COM
>  Target Name: HOST/Win2kServer at WINDOMAIN.COM
>  Error Text:
>  File:
>  Line:
>  Error Data is in record data.


Doing a google search for KRB_AP_ERR_MODIFIED shows this in one of the messages:

  The kerberos client received a KRB_AP_ERR_MODIFIED error from the server 
  COMPANY$.  This indicates that the password used to encrypt the kerberos 
  service ticket is different than that on the target server. Commonly, 
  this is due to identically named  machine accounts in the target realm 
  (COMPANY.NET), and the client realm.   Please contact your system 
  administrator.

This might also mean the cross realm keys don't match, i.e. the user's realm
issued a tgt for the service realm, but the service realm cannot decrypt it.
Did you ever get any cross realm to work with the user in the MIT realm, and the 
service in the AD?

Did the UMich modification make any changes in this area?


> 
> Win2kServer is the computer that Test tried to access; it belongs to WINDOMAIN, which is a windows domain.
> 
> My guess is that the "Failed to create Kerberos key" error caused the KRB_AP_ERR_MODIFIED...
> but I can't confirm it...
> I'm not sure what caused it to fail to generate the key...
> 
> I've followed the steps in the step by step kerberos interoperability document carefully...
> 
> Any clue?
> 
> regards,
> lara
> 

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
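An added illustration (not code from this thread, from MIT Kerberos or from Windows) of the cross-realm key mismatch described in the reply above: each realm holds its own copy of the shared krbtgt/WINDOMAIN.COM@ADIANTO.COM key, and when the two copies differ the service realm's KDC cannot open the cross-realm TGT and answers with error 0x29 (41, KRB_AP_ERR_MODIFIED). The cipher, the password-to-key derivation, the ticket body and the passwords are simplified stand-ins, not real Kerberos encoding or values from the thread.

```python
import hashlib
import hmac
import json
import os

KRB_AP_ERR_MODIFIED = 0x29  # 41: the error code in the Event ID 594 record above


class KerberosError(Exception):
    def __init__(self, code: int):
        super().__init__(f"KRB error 0x{code:02x}")
        self.code = code


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode keystream from SHA-256; stands in for des-cbc-crc here.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))


def seal(key: bytes, payload: dict) -> bytes:
    # Encrypt-then-MAC. Real Kerberos puts a checksum inside the encrypted part;
    # either way a wrong key surfaces as an integrity failure, not readable data.
    nonce = os.urandom(16)
    body = _xor_stream(key, nonce, json.dumps(payload, sort_keys=True).encode())
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise KerberosError(KRB_AP_ERR_MODIFIED)
    return json.loads(_xor_stream(key, nonce, body))


def realm_key(password: str) -> bytes:
    # Each realm derives its own copy of krbtgt/WINDOMAIN.COM@ADIANTO.COM from the
    # password entered in that realm's admin tool (constructed; real KDCs use string2key).
    return hashlib.sha256(password.encode()).digest()


def cross_realm_tgs_exchange(mit_password: str, ad_password: str) -> int:
    # The MIT KDC seals the cross-realm TGT with its copy of the key; the AD KDC
    # must open it with its copy. Returns 0 on success or the KRB error code.
    tgt = seal(realm_key(mit_password),
               {"cname": "lara", "crealm": "ADIANTO.COM", "sname": "krbtgt/WINDOMAIN.COM"})
    try:
        unseal(realm_key(ad_password), tgt)
        return 0
    except KerberosError as err:
        return err.code
```

A matching pair of passwords yields 0; any difference between what was typed into the MIT realm and into the AD realm yields 0x29, which is the check to make before suspecting the ksetup message.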