kinit des and Win2k

Andrew Innes andrewi at
Tue Jun 1 04:38:51 EDT 2004

On 25 May 2004 06:08:46 -0700, wyl_lyf at (melissa_benkyo) said:

[Use DES enabled for principal]

>>But what is in the krb5.conf? Have you set default_tkt_enctypes and 
>yup my default_xxx_enctypes are as follows
> default_tkt_enctypes = des-cbc-md5  des-cbc-crc
> default_tgs_enctypes = des-cbc-md5 des-cbc-crc
>>You mean the kinit fails with some pre authentication message?
>>What is the message?
>the message I'm getting is from windows AD because it requires
>authentication. But I think by setting the Use DES it should be able
>to pre-authenticate. I'm insisting on doing pre-authentication since
>this is actually an added security measure. :D
>My error message is as follows:
>Pre-authentication failed:
>      UserName: mango
>      UserID:   TESTING\mango
>      ServiceName: krbtgt/TESTING.COM
>      Pre-Authentication Type: 0x0
>      Failure Code           : 0x19 
>      Client Address         : <ip>

If you have just enabled DES for an AD user principal, you then need to
change their password so that a DES version gets stored.  Until then,
there is only an RC4 version of the password available.


More information about the Kerberos mailing list