Integrated Windows Login: No principal in keytab matches desired

Jeffrey Altman jaltman2 at nyc.rr.com
Wed Aug 18 10:37:53 EDT 2004


On the IE machine the service ticket which was obtained
should be sitting in the LSA credential cache.  You can
use KLIST or KERBTRAY to view the contents.

If you cannot see the ticket (perhaps because it is
running under an alternate account or session) you can
network trace the IE machine when it requests the service
ticket.  The requested service name will be unencrypted
in the request.

Jeffrey Altman



Timo Fuchs wrote:
> Hi Markus,
> 
> Markus Moeller <huaraz at moeller.plus.com> wrote:
> 
>>you might need to change the password after setting the account to DES-ONLY
>>(a ktpass option) and extract the keytab again. Microsoft usually uses
>>RC4-hmac keys and the des key will only be created after changing the
>>password once (I think).
> 
> 
> I have double-checked the password mode and it was already set to DES-ONLY.
> However, I have changed the user's password, extracted the keytab again
> and retried, unsuccessfully.
> 
> Using Ethereal I have found out that the Apache server does not even ask
> the ADS server when receiving a request, and reading the error message
> ("No principal in keytab matches desired name") again, I conclude that
> the service principal name the Internet Explorer acquired differs from
> the one I have set up (HTTP/grmpf.adstest.mydomain.de@ADSTEST.MYDOMAIN.DE).
> 
> Ethereal also shows that the NTLMSSP data contains "Calling workstation
> domain: ADSTEST", which is in fact the NT4 domain name, but not the
> ADS domain name (adstest.mydomain.de).
> 
> How can I find out which service principal name is acquired by the
> Internet Explorer?
> 
> I assume that the above error message is thrown by the kerberos lib,
> is there any chance to get more information for that error message?
> 
> Cheers,
> Timo
> 
> 

-- 
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
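
Added example, not part of the original thread: once the requested service name has been read from KLIST or from the trace, this sketch compares it with the entries listed by `klist -k` on the Apache host and says which component differs. It assumes the keytab lookup is an exact, case-sensitive match; the keytab path, the sample listing and the requested name are constructed.

```python
# Constructed `klist -k` listing; the keytab path is hypothetical.
KLIST_K_OUTPUT = """\
Keytab name: FILE:/etc/httpd/conf/http.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 HTTP/grmpf.adstest.mydomain.de@ADSTEST.MYDOMAIN.DE
"""

def parse_principal(text):
    """Split 'service/host@REALM' into (service, host, realm); missing parts are ''."""
    name, _, realm = text.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm

def keytab_principals(klist_output):
    """Return principals from plain `klist -k` output (rows of 'KVNO principal')."""
    found = []
    for line in klist_output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].isdigit():
            found.append(fields[1])
    return found

def explain_mismatch(requested, entry):
    """List the reasons `entry` is not an exact match for `requested` ([] if it is)."""
    reasons = []
    labels = ("service", "host", "realm")
    for label, want, have in zip(labels, parse_principal(requested), parse_principal(entry)):
        if want == have:
            continue
        if want.lower() == have.lower():
            reasons.append(f"{label} differs only in case: {want!r} vs {have!r}")
        elif label == "host" and want.split(".")[0].lower() == have.split(".")[0].lower():
            reasons.append(f"host short name vs FQDN: {want!r} vs {have!r}")
        else:
            reasons.append(f"{label} differs: {want!r} vs {have!r}")
    return reasons

def diagnose(requested, klist_output):
    """Map each keytab principal to its mismatch reasons for the requested name."""
    return {p: explain_mismatch(requested, p) for p in keytab_principals(klist_output)}

if __name__ == "__main__":
    # Constructed stand-in for the service name seen in the ticket request.
    requested = "HTTP/grmpf@ADSTEST.MYDOMAIN.DE"
    for principal, reasons in diagnose(requested, KLIST_K_OUTPUT).items():
        print(principal, "->", reasons or "exact match")
```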

