failed to create kerberos key: 5

Douglas E. Engert deengert at anl.gov
Fri Jul 30 10:09:42 EDT 2004



Lara Adianto wrote:
> 
> --- "Douglas E. Engert" <deengert at anl.gov> wrote:
> 
> >
> >
> > Lara Adianto wrote:
> > >
> > > Hi,
> > >
> > > I have a strange problem with cross-realm authentication.
> > > It's a Windows 2000 machine authenticating to an MIT KDC,
> > > then it accesses a computer in a Windows domain. This should
> > > be possible theoretically with ksetup, and all the necessary
> > > steps are described in the step-by-step Kerberos
> > > interoperability document.
> > >
> > > However, this is what happens in my environment:
> > > 1. The user is able to log in to the Windows 2000 machine
> > > with his credentials in the MIT KDC. The Windows 2000 machine
> > > is configured to be a member of a workgroup. However, when I
> > > examine the settings using ksetup, this is what I got:
> > > ksetup:
> > > default realm = ADIANTO.COM (external)
> > > ADIANTO.COM:
> > >  kdc = kerberos.adianto.com
> > > Failed to create Kerberos key: 5 (0x5)
> >
> > I don't see the Failed message on my machine, which
> > is set up similarly, but I do
> > have some mappings of principals to local accounts.
> >
> 
> I should have made it clearer.
> I did the name mapping with ksetup as well:
> ksetup:
> default realm = ADIANTO.COM (external)
> ADIANTO.COM:
> kdc = kerberos.adianto.com
> Mapping lara at ADIANTO.COM to lara
> 
> Besides the above info, I also added RealmFlags set to
> 8 and LogLevel set to 1 in the registry.
> 
> But, when I logged in as lara, and checked ksetup.

Log in as lara at ADIANTO.COM, which says to use Kerberos;
if you just say lara it will use the local machine.
 

> It shows this:
> default realm = ADIANTO.COM (external)
> ADIANTO.COM:
>    kdc = kerberos.adianto.com
> Failed to create Kerberos key: 5 (0x5)
> 
> > > I'm not sure whether the last line is fatal.
> >
> > Since you were able to log in, and your next note
> > shows you got
> > a host/test.adianto.com at ADIANTO.COM ticket during
> > login,
> > the Kerberos on the W2000 box looks good.
> >
> > >
> > > 2. When the user tried to access a computer in a
> > Windows domain (should be possible due to the cross-
> > realm setup), the following error occurred:
> >
> > What do you mean "tried to access a computer in a
> > windows domain"?
> >
> > What application are you using?
> 
> What I mean is opening the Network Neighborhood and
> opening a Windows domain to access one of its
> computers.
> It should be single sign-on, right?

NO! Standard Kerberos does authentication. AD uses Kerberos
for authentication, then adds in its authorization data,
the "PAC", into the ticket.

But there is a way to tell AD that it should add a PAC.
You would have to set up the user account in AD and tell it
that it can accept external Kerberos authentication for
the user. We don't use this, so you will have to look around
for the instructions.


In our environment we do just the opposite. The users are
in an AD domain, so if they get tickets they have the PAC.
But they can get tickets for cross-realm to a standard Kerberos
realm that has a number of Unix servers. In this case the PAC
is just ignored.


> But instead, it
> prompts me with user logon and password !
> This is because the cross-realm auth failed with
> KRB_AP_ERR_MODIFIED (I checked it through ethereal)
> 
> > > Event Type: Error
> > > Event Source: Kerberos
> > > Event Category: None
> > > Event ID: 594
> > > Date:  7/29/2004
> > > Time:  7:37:30 PM
> > > User:  N/A
> > > Computer: TEST
> > > Description:
> > > A Kerberos Error Message was received:
> > >          on logon session
> > InitializeSecurityContext
> > >  Client Time:
> > >  Server Time:
> > >  Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
> > >  Extended Error: KRB_AP_ERR_MODIFIED
> > >  Client Realm:
> > >  Client Name:
> > >  Server Realm: WINDOMAIN.COM
> > >  Server Name: krbtgt/WINDOMAIN.COM
> > >  Target Name: HOST/Win2kServer at WINDOMAIN.COM
> > >  Error Text:
> > >  File:
> > >  Line:
> > >  Error Data is in record data.
> >
> >
> > Doing a google search for KRB_AP_ERR_MODIFIED shows
> > this in one of the messages:
> >
> >   The kerberos client received a KRB_AP_ERR_MODIFIED
> > error from the server
> >   COMPANY$.  This indicates that the password used
> > to encrypt the kerberos
> >   service ticket is different than that on the
> > target server. Commonly,
> >   this is due to identically named  machine accounts
> > in the target realm
> >   (COMPANY.NET), and the client realm.   Please
> > contact your system
> >   administrator.
> 
> I know what the error code means :-)
> I did a search in Google as well. But I don't have
> identically named machine accounts...
> 
> > This might also mean the cross realm keys don't
> > match, i.e. the user's realm
> > issued a tgt for the service realm, but the service
> > realm can not decrypt it.
> > Did you ever get any cross realm to work with the
> > user in the MIT realm, and the
> > service in the AD?
> > Did the UMich modification make any changes in this
> > area?
> 
> This is more possible for me. I noticed (with
> Ethereal) that the checksum is wrong. Not sure why
> though...
> No, I didn't try a Windows KDC and MIT client...
> In fact, I got my setup working before. The user could log in
> to the Windows machine using MIT credentials, then access
> resources in the Windows domain and even do a password
> change! But yesterday, it suddenly failed...:-(
> Not sure why...maybe because I just reinstalled the
> Win2k server that serves as the Windows KDC...
> maybe because I modified the ksetup on the Windows client...
> sigh...
> 
> >
> > >
> > > Win2kServer is the computer that Test tried to
> > access; it belongs to WINDOMAIN, which is a Windows
> > domain.
> > >
> > > My guess is that the "Failed to create key" caused
> > the KRB_AP_ERR_MODIFIED...
> > > but I can't confirm it...
> > > I'm not sure what caused it to fail to create
> > the key...
> > >
> > > I've followed the steps in the step-by-step
> > Kerberos interoperability document carefully...
> > >
> > > Any clue ?
> > >
> > > regards,
> > > lara
> > >
> > >
> >

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
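The cross-realm key mismatch raised above (the user's realm issues a TGT for the service realm, but the service realm cannot decrypt it) can be walked through in a small model. The following is an added example, not code from this thread or from MIT Kerberos or Windows: it models the MIT KDC for ADIANTO.COM and the AD KDC for WINDOMAIN.COM as tables of long-term keys, runs the AS exchange, the cross-realm TGS exchange at the MIT side and the service-ticket TGS exchange at the AD side for lara@ADIANTO.COM -> HOST/Win2kServer@WINDOMAIN.COM, and shows that the AD side fails the ticket's integrity check exactly when its copy of the krbtgt/WINDOMAIN.COM@ADIANTO.COM key differs from the MIT side's. The principal names are taken from the thread; the keys are constructed, and the seal/unseal routine is a stand-in SHA-256 keystream with an HMAC tag, not an RFC 3961 enctype. The "Failed to create Kerberos key" ksetup message and the name mapping are not modelled.

```python
import hashlib
import hmac
import json
import os

# RFC 4120 error code 41, the 0x29 in the Windows event record quoted above.
# (An MIT KDC that cannot validate a ticket more often reports
# KRB_AP_ERR_BAD_INTEGRITY, 0x1f; Windows reported 0x29 here.)
KRB_AP_ERR_MODIFIED = 0x29


class KerberosError(Exception):
    def __init__(self, code: int, detail: str):
        super().__init__(f"error {code:#x}: {detail}")
        self.code = code


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). Stand-in for a real enctype, NOT Kerberos crypto."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a per-message nonce; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting. A wrong key fails here, which is what a KDC sees
    when the ticket was sealed under a different copy of the inter-realm key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise KerberosError(KRB_AP_ERR_MODIFIED, "ticket integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """A KDC here is just a realm name plus the long-term keys it holds, keyed by principal."""

    def __init__(self, realm: str, keys: dict):
        self.realm = realm
        self.keys = keys

    def issue(self, client: str, sname: str) -> bytes:
        """Issue a ticket for sname, sealed in the key this KDC holds for sname."""
        body = json.dumps({"cname": client, "sname": sname, "issuer": self.realm}).encode()
        return seal(self.keys[sname], body)

    def tgs_exchange(self, presented_tgt: bytes, tgt_sname: str, requested: str) -> bytes:
        """TGS-REQ: validate the presented TGT with our copy of the key for tgt_sname,
        then issue a ticket for the requested service."""
        body = json.loads(unseal(self.keys[tgt_sname], presented_tgt))
        return self.issue(body["cname"], requested)


def cross_realm_request(mit_trust_key: bytes, ad_trust_key: bytes) -> dict:
    """Walk the path in the thread: lara@ADIANTO.COM (MIT KDC) -> cross-realm TGT ->
    service ticket for HOST/Win2kServer@WINDOMAIN.COM (AD KDC).
    Returns the decrypted service ticket, or the error code the AD side would send."""
    cross = "krbtgt/WINDOMAIN.COM@ADIANTO.COM"  # the shared inter-realm principal
    home = "krbtgt/ADIANTO.COM@ADIANTO.COM"
    mit = KDC("ADIANTO.COM", {home: os.urandom(32), cross: mit_trust_key})
    host_key = os.urandom(32)  # constructed key for the target host account
    ad = KDC("WINDOMAIN.COM", {cross: ad_trust_key, "HOST/Win2kServer@WINDOMAIN.COM": host_key})

    user = "lara@ADIANTO.COM"
    # 1. AS exchange at the MIT KDC: the user gets a TGT for the home realm.
    home_tgt = mit.issue(user, home)
    # 2. TGS exchange at the MIT KDC: the home TGT buys a cross-realm TGT, sealed
    #    in the MIT KDC's copy of the inter-realm key.
    cross_tgt = mit.tgs_exchange(home_tgt, home, cross)
    # 3. TGS exchange at the AD KDC: the cross-realm TGT must validate under AD's copy
    #    of the same key. If the two copies differ, this is the KRB_AP_ERR_MODIFIED path.
    try:
        service_ticket = ad.tgs_exchange(cross_tgt, cross, "HOST/Win2kServer@WINDOMAIN.COM")
    except KerberosError as err:
        return {"error": err.code, "server_name": cross}
    return {"ticket": json.loads(unseal(host_key, service_ticket))}


if __name__ == "__main__":
    shared = os.urandom(32)
    print("matching trust keys:", cross_realm_request(shared, shared))
    print("mismatched trust keys:", cross_realm_request(shared, os.urandom(32)))
```

The point of the model is step 3: nothing about the client's own login (which worked in the thread) is exercised by the AD side, only the inter-realm key. Re-creating the trust on either KDC without re-entering the identical password on the other is enough to turn a working setup into this error, which matches the "just reinstalled the Win2k server" observation; duplicate host names across realms produce the same symptom because the wrong host key is used.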

