failed to create kerberos key: 5
Lara Adianto
m1r4cle_26 at yahoo.com
Thu Jul 29 21:54:07 EDT 2004
--- "Douglas E. Engert" <deengert at anl.gov> wrote:
>
>
> Lara Adianto wrote:
> >
> > Hi,
> >
> > I have a strange problem with cross-realm
> > authentication.
> > It's a windows 2000 machine authenticating to an
> > MIT KDC, then it accesses a computer in a windows
> > domain. This should be possible theoretically with
> > ksetup, and all the necessary steps are described in the
> > step by step kerberos interoperability document.
> >
> > However, this is what happens in my environment:
> > 1. The user is able to log in to the windows 2000
> > machine with his credentials in the MIT KDC. The windows
> > 2000 machine is configured to be a member of a workgroup.
> > However, when I examine the settings using
> > ksetup, this is what I got:
> > ksetup:
> > default realm = ADIANTO.COM (external)
> > ADIANTO.COM:
> > kdc = kerberos.adianto.com
> > Failed to create Kerberos key: 5 (0x5)
>
> I don't see the Failed message on my machine, which
> is set up similarly, but I do
> have some mappings of principals to local accounts.
>
I should have made it clearer.
I did a name mapping with ksetup as well:
ksetup:
default realm = ADIANTO.COM (external)
ADIANTO.COM:
kdc = kerberos.adianto.com
Mapping lara at ADIANTO.COM to lara
Besides the above info, I also added RealmFlags set to
8 and LogLevel set to 1 in the registry.
But when I logged in as lara and checked ksetup,
it showed this:
default realm = ADIANTO.COM (external)
ADIANTO.COM:
kdc = kerberos.adianto.com
Failed to create Kerberos key: 5 (0x5)
> > I'm not sure whether the last line is fatal.
>
> Since you were able to login, and your next note
> shows you got
> a host/test.adianto.com at ADIANTO.COM ticket during
> login,
> the kerberos on the w2000 box looks good.
>
> >
> > 2. When the user tried to access a computer in a
> > windows domain (should be possible due to the cross
> > realm setup), the following error occurred:
>
> What do you mean by "tried to access a computer in a
> windows domain"?
>
> What application are you using?
What I mean is opening the network neighborhood and
opening a windows domain to access one of its
computers.
It should be a single sign-on, right? But instead, it
prompts me for a user logon and password!
This is because the cross-realm auth failed with
KRB_AP_ERR_MODIFIED (I checked it through ethereal).
> > Event Type: Error
> > Event Source: Kerberos
> > Event Category: None
> > Event ID: 594
> > Date: 7/29/2004
> > Time: 7:37:30 PM
> > User: N/A
> > Computer: TEST
> > Description:
> > A Kerberos Error Message was received:
> > on logon session
> > InitializeSecurityContext
> > Client Time:
> > Server Time:
> > Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
> > Extended Error: KRB_AP_ERR_MODIFIED
> > Client Realm:
> > Client Name:
> > Server Realm: WINDOMAIN.COM
> > Server Name: krbtgt/WINDOMAIN.COM
> > Target Name: HOST/Win2kServer at WINDOMAIN.COM
> > Error Text:
> > File:
> > Line:
> > Error Data is in record data.
>
>
> Doing a google search for KRB_AP_ERR_MODIFIED shows
> this in one of the messages:
>
> The kerberos client received a KRB_AP_ERR_MODIFIED
> error from the server
> COMPANY$. This indicates that the password used
> to encrypt the kerberos
> service ticket is different than that on the
> target server. Commonly,
> this is due to identically named machine accounts
> in the target realm
> (COMPANY.NET), and the client realm. Please
> contact your system
> administrator.
I know what the error code means :-)
I did a search in google as well. But I don't have
identically named machine accounts...
> This might also mean the cross realm keys don't
> match, i.e. the user's realm
> issued a tgt for the service realm, but the service
> realm can not decrypt it.
> Did you ever get any cross realm to work with the
> user in the MIT realm, and the
> service in the AD?
> Did the UMich modification make any changes in this
> area?
This is more possible for me. I noticed (with
ethereal) that the checksum is wrong. Not sure why
though...
No, I haven't tried a Windows KDC and MIT client...
In fact, I got my setup working before. Users can log in
to a windows machine using MIT credentials, then access
resources in the win domain and even do a password
change! But yesterday, it suddenly failed...:-(
Not sure why...maybe because I just reinstalled the
win2k server that serves as the win KDC...
maybe because I modified the ksetup in the win client...
sigh...
>
> >
> > Win2kServer is the computer that Test tried to
> > access; it belongs to WINDOMAIN, which is a windows
> > domain.
> >
> > My guess is that the Failed to generate key caused
> > the KRB_AP_ERR_MODIFIED...
> > but I can't confirm it...
> > I'm not sure what caused it to fail to generate
> > the key...
> >
> > I've followed the steps in the step by step
> > kerberos interoperability document carefully...
> >
> > Any clue?
> >
> > regards,
> > lara
> >
> >
>
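As an added example that is not part of the thread, a small Python triage helper for the Windows Kerberos Event ID 594 records quoted above: it parses the record text (including the Error Code line with the time values run into it), maps the code to its RFC 4120 name, and groups KRB_AP_ERR_MODIFIED events by server realm and target so a defender can tell a single host's key problem from a cross-realm key mismatch. The second sample record and the `cifs/FileSrv` name are constructed, and the 0x29 hints only restate the two causes discussed in the thread.

```python
import re
from collections import Counter

# RFC 4120 section 7.5.9 error codes (subset) used to cross-check the Extended Error text.
KRB_ERRORS = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
              24: "KDC_ERR_PREAUTH_FAILED", 31: "KRB_AP_ERR_BAD_INTEGRITY",
              32: "KRB_AP_ERR_TKT_EXPIRED", 37: "KRB_AP_ERR_SKEW", 41: "KRB_AP_ERR_MODIFIED"}

FIELD = re.compile(r"^(Error Code|Extended Error|Server Realm|Target Name):\s*(.*)$", re.M)

def parse_event(text):
    """Extract the triage fields from one Event ID 594 record. The Error Code line can
    carry the Client/Server Time values run together with the code (as in the thread),
    so only the trailing 0x... token is read as the code."""
    fields = dict(FIELD.findall(text))
    m = re.search(r"0x([0-9a-fA-F]+)\s*$", fields.get("Error Code", ""))
    code = int(m.group(1), 16) if m else None
    return {"code": code, "name": KRB_ERRORS.get(code, fields.get("Extended Error", "UNKNOWN")),
            "server_realm": fields.get("Server Realm", ""), "target": fields.get("Target Name", "")}

def triage(ev):
    """One-line defender hint; the 0x29 causes are the two raised in the thread."""
    if ev["code"] == 41:
        return (f"{ev['target']}: service could not decrypt the ticket; compare the "
                f"cross-realm key shared with {ev['server_realm']} on both KDCs and "
                f"look for a duplicate account or SPN for this host")
    if ev["code"] == 37:
        return "clock skew between client, KDC and service exceeds the allowed window"
    return f"{ev['name']}: see RFC 4120 section 7.5.9"

def hot_targets(events):
    """Count KRB_AP_ERR_MODIFIED per (realm, target): one failing target points at that
    host's own key, every target in a realm failing points at the cross-realm key."""
    return Counter((e["server_realm"], e["target"])
                   for e in map(parse_event, events) if e["code"] == 41)

# Constructed samples in the Event ID 594 layout quoted in the thread (the second is invented).
SAMPLE_EVENTS = ["""Event ID: 594
Description:
A Kerberos Error Message was received:
Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
Extended Error: KRB_AP_ERR_MODIFIED
Server Realm: WINDOMAIN.COM
Server Name: krbtgt/WINDOMAIN.COM
Target Name: HOST/Win2kServer at WINDOMAIN.COM""", """Event ID: 594
Error Code: 0x25
Extended Error: KRB_AP_ERR_SKEW
Server Realm: WINDOMAIN.COM
Target Name: cifs/FileSrv at WINDOMAIN.COM"""]
```

Running `hot_targets(SAMPLE_EVENTS)` over a day of exported 594 events, rather than the two samples, is what separates one mis-keyed host from a broken cross-realm trust.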