Integrated Windows Login: No principal in keytab matches desired name

Timo Fuchs fuechsle at cs.tu-berlin.de
Wed Aug 18 06:39:32 EDT 2004


Hi Markus,

Markus Moeller <huaraz at moeller.plus.com> wrote:
> you might need to change the password after setting the account to DES-ONLY
> (a ktpass option) and extract the keytab again. Microsoft usually uses
> RC4-hmac keys and the des key will be only created after changing once the
> password (I think).

I have double-checked the password mode and it was already set to DES-ONLY.
However, I have changed the user's password, extracted the keytab again
and retried, unsuccessfully.

Using Ethereal I have found out that the Apache server does not even ask
the ADS server when receiving a request, and reading the error message
("No principal in keytab matches desired name") again, I conclude that
the service principal name the Internet Explorer acquired differs from
the one I have set up (HTTP/grmpf.adstest.mydomain.de at ADSTEST.MYDOMAIN.DE).

Ethereal also shows that the NTLMSSP data contains "Calling workstation
domain: ADSTEST", which is in fact the NT4 domain name, but not the
ADS domain name (adstest.mydomain.de).

How can I find out which service principal name is acquired by the
Internet Explorer?

I assume that the above error message is thrown by the Kerberos lib,
is there any chance to get more information for that error message?

Cheers,
Timo
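
Added example, not part of the original message or of any project's code: one way to check from the server side what a browser actually put in the `Authorization: Negotiate` header, telling an NTLMSSP message like the one seen in the capture apart from a SPNEGO or raw Kerberos token. The header values are constructed; the workstation name `CLIENT1` and the flags value are assumptions.

```python
import base64
import struct

SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def _secbuf(msg, pos):
    """Return the bytes an NTLM security buffer (len, maxlen, offset) points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def classify_negotiate(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <b64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header value")
    tok = base64.b64decode(b64, validate=True)
    if tok.startswith(b"NTLMSSP\x00") and len(tok) >= 12:
        info = {"mech": "NTLM", "type": struct.unpack_from("<I", tok, 8)[0]}
        if info["type"] == 1 and len(tok) >= 32:
            # Type 1 carries the client's domain and workstation as OEM strings
            info["domain"] = _secbuf(tok, 16).decode("ascii", "replace")
            info["workstation"] = _secbuf(tok, 24).decode("ascii", "replace")
        return info
    if len(tok) > 2 and tok[0] == 0x60:
        # GSS-API initial token: 0x60, DER length, then the mechanism OID
        oid_at = 2 + (tok[1] & 0x7F if tok[1] & 0x80 else 0)
        if tok.startswith(SPNEGO_OID, oid_at):
            return {"mech": "SPNEGO"}
        if tok.startswith(KRB5_OID, oid_at):
            return {"mech": "Kerberos"}
    return {"mech": "unknown"}

def sample_headers():
    """Constructed header values: an NTLM Type 1 message and a SPNEGO stub."""
    dom, ws = b"ADSTEST", b"CLIENT1"  # CLIENT1 is a made-up workstation name
    ntlm = (b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00003206)
            + struct.pack("<HHI", len(dom), len(dom), 32)
            + struct.pack("<HHI", len(ws), len(ws), 32 + len(dom)) + dom + ws)
    body = SPNEGO_OID + b"\xa0\x00"  # stub, not a full NegTokenInit
    spnego = b"\x60" + bytes([len(body)]) + body
    return ["Negotiate " + base64.b64encode(t).decode() for t in (ntlm, spnego)]

if __name__ == "__main__":
    for h in sample_headers():
        print(classify_negotiate(h))
```

An NTLM result means the header carries no Kerberos ticket for the server to match against its keytab.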



