Windows 2000 SP4 Kerberos Problem

Fernando fernandojdsc at meta4.com
Wed Jan 25 12:39:39 EST 2006


Hello

I'm having problems using Kerberos to do SSO from any PC with Windows
2000 SP4 against a Win2003 server using a web page. I can't get the
Kerberos ticket.
If I try to do the same operation from a WinXP SP2 or from a Windows
2003 I have no problems.

I've confirmed all the options in IE, and in all the environments I have
checked the same options.

The error that I'm getting in the m4krb5log.txt file that Kerberos
generates is:
[01/25/06 10:23:50][ERROR][While executing krb5_mk_req for
m4appservice/gcxermdevas301.grupocgd.com] Server not found in Kerberos
database.

I've searched all over the web for a solution to my problem but with
no success.
All the solutions refer to Apache and Unix.

The KDC I'm accessing is in a Win2003, and I have generated my key file
with the KTPASS for W2003 SP1.

This is the log that I got when generating the key file:
C:\>ktpass -princ m4appservice/gcxermdevas301.grupocgd.com@GRUPOCGD.COM -mapuser YYSSI60@grupocgd.com
Targeting domain controller: gcxnclidcss302.GrupoCGD.com
Successfully mapped m4appservice/gcxermdevas301.grupocgd.com to YYSSI60.

C:\>ktpass -princ m4appservice/gcxermdevas301.grupocgd.com@GRUPOCGD.COM -ptype KRB5_NT_SRV_HST -pass yyssi60 -mapuser YYSSI60@grupocgd.com -out krbkt.key -mapOp set
Targeting domain controller: gcxnclidcss302.GrupoCGD.com
Successfully mapped m4appservice/gcxermdevas301.grupocgd.com to YYSSI60.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to krbkt.key:
Keytab version: 0x502
keysize 88 m4appservice/gcxermdevas301.grupocgd.com@GRUPOCGD.COM ptype 3 (KRB5_NT_SRV_HST) vno 2 etype 0x17 (RC4-HMAC) keylength 16 (0x4b18d01653d2921febb2cd9d11937aeb)

In all Win2000 stations I've created an environment variable called
KRB5_CONFIG that is pointing to a file called krb5.ini containing:
[domain_realm]
grupocgd.com = GRUPOCGD.COM

[libdefaults]
default_realm = GRUPOCGD.COM
dns_lookup_kdc = false

[realms]
GRUPOCGD.COM = {
    admin_server = gcxnclidcss302.grupocgd.com
    kdc = gcxnclidcss302.grupocgd.com
    default_domain = GRUPOCGD.COM
}

Can you help me with this problem?
Is it something with my Active Directory or with my W2000 PC configuration?
What can I confirm?

Many Thanks to you all
Fernando
PS - Sorry for my English :-)
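
Added example, not part of the original post: a small Python reader for the keytab layout that ktpass reports above (version 0x502), so that the principal, name type, kvno and etype stored in a file such as krbkt.key can be compared with the service name in the krb5_mk_req error. The sample entry is constructed here from the post's principal with an all-zero key, and the function names are this example's own.

```python
import struct

NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}
ETYPES = {0x1: "DES-CBC-CRC", 0x3: "DES-CBC-MD5", 0x17: "RC4-HMAC"}  # as ktpass labels them

def _parse_entry(rec):
    off = 0
    def take(fmt):                      # read one big-endian field and advance
        nonlocal off
        (val,) = struct.unpack_from(fmt, rec, off)
        off += struct.calcsize(fmt)
        return val
    counted = lambda: take(f">{take('>H')}s")  # 16-bit length, then that many bytes
    ncomp = take(">H")                  # version 2 does not count the realm
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    name_type, _timestamp, kvno, etype = take(">I"), take(">I"), take(">B"), take(">H")
    key = counted()
    if len(rec) - off >= 4:             # optional trailing 32-bit kvno
        kvno = take(">I") or kvno
    return {"principal": f"{name}@{realm}", "size": len(rec), "kvno": kvno,
            "ptype": NAME_TYPES.get(name_type, str(name_type)),
            "etype": ETYPES.get(etype, hex(etype)), "keylength": len(key)}

def parse_keytab(data):
    """List the entries of a version 0x502 keytab without returning key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                   # negative size marks a deleted slot
            pos += -size
            continue
        if pos + size > len(data):
            raise ValueError("truncated entry")
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries

def sample_keytab():
    """Constructed sample: the post's principal with an all-zero 16-byte key."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    rec = (struct.pack(">H", 2) + cs(b"GRUPOCGD.COM") + cs(b"m4appservice")
           + cs(b"gcxermdevas301.grupocgd.com")
           + struct.pack(">IIBH", 3, 0, 2, 0x17) + cs(bytes(16)))
    return b"\x05\x02" + struct.pack(">i", len(rec)) + rec
```

The constructed entry comes out at 88 bytes, the same keysize ktpass printed for this principal with a 16-byte RC4-HMAC key.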