Integrated Windows Login: No principal in keytab matches desired name

Markus Moeller huaraz at moeller.plus.com
Wed Aug 18 15:36:22 EDT 2004


Timo,

the Apache server will never talk to ADS. The keytab contains all the
information to verify the tickets. Snoop the IE traffic as Jeffrey
suggested.

Regards
Markus

"Timo Fuchs" <fuechsle at cs.tu-berlin.de> wrote in message
news:cfvbl4$2a5$1 at news.cs.tu-berlin.de...
>
> Hi Markus,
>
> Markus Moeller <huaraz at moeller.plus.com> wrote:
> > you might need to change the password after setting the account to DES-ONLY
> > (a ktpass option) and extract the keytab again. Microsoft usually uses
> > RC4-hmac keys and the des key will be only created after changing once the
> > password (I think).
>
> I have double-checked the password mode and it was already set to DES-ONLY.
> However, I have changed the user's password, extracted the keytab again
> and retried, unsuccessfully.
>
> Using ethereal I have found out that the Apache server does not even ask
> the ADS server when receiving a request and reading the error message
> ("No principal in keytab matches desired name") again I conclude that
> the service principal name the Internet Explorer acquired differs from
> the one I have set up
> (HTTP/grmpf.adstest.mydomain.de@ADSTEST.MYDOMAIN.DE).
>
> Ethereal also shows that the NTLMSSP data contains "Calling workstation
> domain: ADSTEST", which is in fact the NT4 domain name, but not the
> ADS domain name (adstest.mydomain.de).
>
> How can I find out which service principal name is acquired by the
> Internet Explorer?
>
> I assume that the above error message is thrown by the kerberos lib,
> is there any chance to get more information for that error message?
>
> Cheers,
> Timo
>
>
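
An added example, not part of the thread or of any tool mentioned in it: because the keytab alone determines which service names the server can accept, this parses an MIT-format keytab (file format 0x0502), lists each principal with its key version and enctype, and compares them with a desired name, also reporting entries that differ only by letter case. The sample keytab and its key bytes are constructed, and `parse_keytab`, `check` and `make_entry` are names chosen for this example.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # subset only

def read_counted(buf, p):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n].decode(), p + 2 + n

def parse_keytab(buf):
    """Return [(principal, kvno, enctype)] from an MIT keytab, format 0x0502."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size <= 0:                  # hole left by a deleted entry: skip it
            pos -= size
            continue
        p, end = pos + 2, pos + size
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        names = []                     # realm first, then the name components
        for _ in range(ncomp + 1):
            text, p = read_counted(buf, p)
            names.append(text)
        kvno, etype, klen = struct.unpack_from(">BHH", buf, p + 8)  # skip name type + timestamp
        p += 13 + klen
        if end - p >= 4:               # optional 32-bit kvno after the key
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        out.append(("/".join(names[1:]) + "@" + names[0], kvno, ENCTYPES.get(etype, etype)))
        pos = end
    return out

def check(buf, desired):
    """Return (exact matches, entries differing from `desired` only by case)."""
    found = parse_keytab(buf)
    return ([e for e in found if e[0] == desired],
            [e for e in found if e[0] != desired and e[0].lower() == desired.lower()])

def make_entry(principal, etype, key, kvno=3):  # builds constructed sample data
    name, realm = principal.split("@")
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", name.count("/") + 1) + cs(realm)
    body += b"".join(cs(c) for c in name.split("/"))
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: the principal named in the thread with a dummy DES key.
SAMPLE = b"\x05\x02" + make_entry("HTTP/grmpf.adstest.mydomain.de@ADSTEST.MYDOMAIN.DE", 3, b"\x01" * 8)
```

On a real host, pass the bytes of the keytab file to `check` together with the name the server is configured to accept.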



