Integrated Windows Login: No principal in keytab matches desired name
Markus Moeller
huaraz at moeller.plus.com
Tue Aug 17 17:28:40 EDT 2004
Timo,
you might need to change the password after setting the account to DES-ONLY
(a ktpass option) and extract the keytab again. Microsoft usually uses
RC4-hmac keys and the DES key will only be created after changing the
password once (I think).
Regards
Markus
"Timo Fuchs" <fuechsle at cs.tu-berlin.de> wrote in message
news:cfse88$f61$1 at news.cs.tu-berlin.de...
> Hi,
>
> I am trying to set up an integrated windows login scenario using apache
> and mod_auth_gss_krb5 (http://modgssapache.sourceforge.net) according
> to http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html?page=1.
>
> However, Apache cannot authenticate:
> -- snip ---
> gss_acquire_cred() failed: No principal in keytab matches desired name:
> --- snap ---
>
> - I have created a User and a Computer for the remote machine where
> Apache is running (in the Active Directory)
> - I have created a service principal for HTTP/apachehost@MYDOMAIN using
> setspn.exe
> - I have created the keytab using ktpass.exe and mapped the service
> principal to the above user.
> - I have added a forward and a reverse entry in the DNS running on the
> ADS Server with the same name as used in the service principal.
> The Apache host also uses this DNS.
> - I have checked that both the w2k Server and the Apache server resolve
> the host names correctly, forwards and backwards.
>
> What else could be wrong? What more could I check?
>
> Cheers,
> Timo
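
To see which principal names, key versions and encryption types a keytab actually holds, the following added example (not code from this thread or from mod_auth_gss_krb5) parses the version 0x0502 keytab file layout and compares its entries with a desired name. The function names, the exact-string comparison and the constructed sample entry are assumptions of the example.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # enctype numbers

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size == 0:                 # zero length ends the entries
            break
        rec, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size < 0:                  # negative length marks a deleted entry
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        off, parts = 2, []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack_from(">H", rec, off)
            parts.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        off += 8                      # skip name type and timestamp
        kvno, etype, keylen = struct.unpack_from(">BHH", rec, off)
        off += 5 + keylen
        if len(rec) - off >= 4:       # optional 32-bit kvno, used when nonzero
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno,
                        ENCTYPES.get(etype, "etype-%d" % etype)))
    return entries

def diagnose(data, desired):
    """Compare `desired` with the keytab's names by exact string match."""
    entries = parse_keytab(data)
    hits = ["kvno %d %s" % (k, t) for n, k, t in entries if n == desired]
    if hits:
        return "match: " + ", ".join(hits)
    near = [n for n, _, _ in entries if n.lower() == desired.lower()]
    return "case mismatch: " + near[0] if near else "no entry: " + desired

def sample_entry(name, realm, kvno, etype, key):  # builds constructed test data
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: one RC4 entry with an all-zero placeholder key.
SAMPLE = b"\x05\x02" + sample_entry("HTTP/apachehost", "MYDOMAIN", 3, 23, bytes(16))
```

For a real file, pass `open(path, "rb").read()` to `diagnose` together with the name the server is expected to use.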