Win2k3 SP1 ktpass problem.

Srinivas Cheruku srinivas.cheruku at gmail.com
Wed Sep 21 07:37:49 EDT 2005


Hi Karl,

Thanks for the information you shared with me.

I have created two user accounts.
Then I ran the ktpass command as shown below with the appropriate params
for the two new user accounts I created:
ktpass -mapuser user@xxx.com -princ sp1acc/host.xxx.com@XXX.COM +DesOnly
 -pass helloworld  -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out
 "c:\krb5.keytab"

Now I have two keys in /etc/krb5.keytab:
  1. sp1acc/host.xxx.com@XXX.COM - keytab extracted with Win2k3 SP1 ktpass
  2. nosp1acc/host.xxx.com@XXX.COM - keytab extracted with Win2k3 ktpass
 
Please find below the results from kinit:

 bash-2.03$ ./kinit -k -t /etc/krb5.keytab sp1acc/host.xxx.com@XXX.COM
 kinit(v5): Preauthentication failed while getting initial credentials
 bash-2.03$


 bash-2.03$ ./kinit -k -t /etc/krb5.keytab nosp1acc/host.xxx.com@XXX.COM
 bash-2.03$ ./klist
 Ticket cache: FILE:/tmp/krb5cc_4001
 Default principal: nosp1acc/host.xxx.com@XXX.COM

 Valid starting     Expires            Service principal
 09/21/05 10:16:55  09/22/05 06:19:16  krbtgt/XXX.COM@XXX.COM
         renew until 09/22/05 10:16:55


 Kerberos 4 ticket cache: /tmp/tkt4001
 klist: You have no tickets cached
 bash-2.03$
 
 
As shown above, I get the error "Preauthentication failed" when I try 
to kinit as sp1acc/host.xxx.com@XXX.COM, whose key was extracted using 
Win2K3 SP1 ktpass.
 
Then I created a user account and changed its password before 
running Win2k3 SP1 ktpass on that account. Now when I do a kinit for this 
service principal, I am issued a TGT without the Preauthentication failed 
error.

Can anyone confirm that, when using Win2k3 SP1 ktpass, the user account 
password should be changed before running ktpass?
Also, I would appreciate it if someone could confirm that this is a bug 
in Win2k3 SP1 ktpass that requires changing the password before running ktpass.

Thanks,
Srini

Pitrich, Karl wrote:

>Hi,
>
>here's my (random) notes and how i do windows/MIT key exchange
>successfully:
>
>
>with recent versions of MIT Kerberos it is not necessary to specify any
>special enc-type as it supports MD4 (which is windows default now)
>I'm also not specifying the ptype flag to ktpass.
>
>the principal you specify at the ktpass commandline will be added and/or
>overwritten in AD.
>
>as username to ktpass, use the login name only from AD.
>
>match the case of username and realm exactly.
>
>with adsi-edit you can then verify the servicePrincipalName or
>userPrincipalName that will be added after invoking ktpass.
>
>using ktpass, the AD User will be automagically flagged as DES Only.
>
>
>import the keys on linux and verify using:
>  kinit -k -t /path/to/winkrb5.keytab <name>/<fqdn>@<REALM>
>this should issue a ticket without entering a password.
>
>
>I have encountered some troubles with the ticket serial number, to avoid
>them, always change the password of the AD User prior to exporting with
>ktpass, this ensures a current ticket.
>
>furthermore, ensure that the ktpass utility comes from a resource kit
>from the same version as the windows OS itself AND also the same
>locale.
>
>
>
>HTH,
>
> / karl
>
>
>On Fri, 2005-09-09 at 06:59, Srini wrote:
>  
>
>>Hi,
>>
>>I have used the below command to extract the keytab. You can see that I
>>have specified the enctype correctly. Please let me know whether I need
>>to specify any other option to ktpass.
>>
>>ktpass -mapuser user@xxx.com -princ test/host.xxx.com@XXX.COM +DesOnly
>>-pass helloworld  -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -out
>>"c:\krb5.keytab"
>>
>>I am using the user account and not the computer account.
>>
>>Thanks,
>>Srini
>>
>>Jeffrey Altman wrote:
>>    
>>
>>>Are you specifying the correct kvno and are you extracting
>>>the correct enctype?   2K3 SP1 supports the export of RC4-HMAC
>>>keys and that might be the new default.
>>>
>>>Jeffrey Altman
>>>
>>>
>>>Srinivas Cheruku wrote:
>>>      
>>>
>>>>Hi,
>>>>
>>>>I am using Win2k3 as my KDC.
>>>>
>>>>I was using the keytab extracted from Win2k3 ktpass
>>>>and it was working fine with my GSS applications. I
>>>>have upgraded to Win2k3 SP1 and now when I use ktpass
>>>>of Win2k3 SP1 to extract the keytab and use it with my
>>>>GSS application, I am getting an error on the GSS server
>>>>while accepting the context: "Decrypt integrity
>>>>check failed".
>>>>
>>>>Has anyone encountered this problem with the keytab
>>>>created with Win2k3 SP1 ktpass?
>>>>Can anyone help me fix this issue?
>>>>
>>>>Thanks and Regards,
>>>>Srini
>>>>
>>>>
>>>>
>>>>
>>>>________________________________________________
>>>>Kerberos mailing list           Kerberos at mit.edu
>>>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>>        
>>>>
>>>--
>>>-----------------
>>>This e-mail account is not read on a regular basis.
>>>Please send private responses to jaltman at mit dot edu
>>>      
>>>
>>    
>>
>>    
>>
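Jeffrey's question (is the keytab carrying the correct kvno and enctype?) and Karl's "import the keys on linux and verify" step both come down to inspecting what ktpass actually wrote before running kinit. The following is an added example, not code from anyone in this thread: a small parser for the MIT keytab on-disk format (version 0x0502, the format `/etc/krb5.keytab` uses) that lists each entry's principal, kvno and enctype, plus a check that compares an entry against the kvno and enctypes the KDC is believed to hold. The keytab bytes are constructed inline with dummy DES keys; the KDC-side kvno and enctype set are assumed inputs (for an AD account you would read them from the account, e.g. its msDS-KeyVersionNumber attribute), and the kvno values in the sample are made up for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Set

# Enctype numbers as assigned in RFC 3961/3962/4757 and used by MIT and Windows.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int):
    """Read a 16-bit length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry of a version-0x0502 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    entries: List[KeytabEntry] = []
    off = 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):       # in 0x0502 the realm is not counted
            comp, off = _counted(data, off)
            comps.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, timestamp, kvno, enctype, key))
    return entries


def build_entry(principal: str, enctype: int, key: bytes, kvno: int,
                name_type: int = KRB5_NT_PRINCIPAL, timestamp: int = 0) -> bytes:
    """Encode one keytab entry (inverse of parse_keytab); used here to construct sample data."""
    def cstr(b: bytes) -> bytes:
        return struct.pack(">H", len(b)) + b
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + cstr(realm.encode())
    body += b"".join(cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)  # 32-bit kvno tail written by current MIT tools
    return struct.pack(">i", len(body)) + body


def compare_with_kdc(entries: List[KeytabEntry], principal: str,
                     kdc_kvno: int, kdc_enctypes: Set[int]) -> List[str]:
    """Explain why `kinit -k` for `principal` would be rejected, or return [] if it should work.
    kdc_kvno / kdc_enctypes are assumed to have been read from the KDC (AD) side."""
    matching = [e for e in entries if e.principal == principal]
    if not matching:
        return [f"{principal}: no entry in keytab"]
    problems = []
    for e in matching:
        if e.kvno != kdc_kvno:
            problems.append(f"{principal}: keytab kvno {e.kvno} differs from KDC kvno {kdc_kvno}")
        if e.enctype not in kdc_enctypes:
            problems.append(f"{principal}: enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)} "
                            f"is not one the KDC holds for this account")
    return problems


# Constructed sample (not a real keytab): two DES-CBC-MD5 entries with dummy 8-byte
# keys, named after the two principals in the thread; the kvnos are made up.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("nosp1acc/host.xxx.com@XXX.COM", 3, bytes.fromhex("0123456789abcdef"), 2)
    + build_entry("sp1acc/host.xxx.com@XXX.COM", 3, bytes.fromhex("fedcba9876543210"), 3)
)

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(f"{e.principal:35} kvno={e.kvno} enctype={ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    # Suppose the KDC reports kvno 4 for sp1acc (password changed after export): kinit would fail.
    print(compare_with_kdc(entries, "sp1acc/host.xxx.com@XXX.COM", 4, {3}))
```

Run it against a real file by replacing `SAMPLE_KEYTAB` with `open("/etc/krb5.keytab", "rb").read()`; the listing is the same information `klist -k -e` prints, and a kvno or enctype that does not match what the KDC holds is exactly the condition under which `kinit -k` fails preauthentication.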


