Windows 2000 SP4 Kerberos Problem

Douglas E. Engert deengert at anl.gov
Wed Jan 25 13:52:35 EST 2006


Can you run ethereal (www.ethereal.com) and trace the KRB5 packets to
see exactly why it says it can't find m4appservice/gcxermdevas301.grupocgd.com


Fernando wrote:

> Hello
> 
> I'm having problems using Kerberos to make SSO from any PC with Windows
> 2000 SP4 with a Win2003 server using a web page. I can't get the
> kerberos ticket.
> If I try to do the same operation from a WinXP SP2 or from a Windows
> 2003 I have no problems.
> 
> I've confirm all the options in IE and in all the environments I have
> checked the same options.
> 
> The error that I'm getting in the m4krb5log.txt file that kerberos
> generate is:
> [01/25/06 10:23:50][ERROR][While executing krb5_mk_req for
> m4appservice/gcxermdevas301.grupocgd.com] Server not found in Kerberos
> database.
> 
> I've searched all over the web for a solucion for my problem but with
> no success.
> All the solucions refers to Apache and Unix.
> 
> The KDC I'm accessing is in a Win2003, and I have generated my key file
> with the KTPASS for W2003 SP1.
> 
> This is the log that I've get generating the key file:
> C:\>ktpass -princ m4appservice/gcxermdevas301.grupocgd.com at GRUPOCGD.COM
> -mapuser YYSSI60 at grupocgd.com
> Targeting domain controller: gcxnclidcss302.GrupoCGD.com
> Successfully mapped m4appservice/gcxermdevas301.grupocgd.com to
> YYSSI60.
> 
> C:\>ktpass -princ m4appservice/gcxermdevas301.grupocgd.com at GRUPOCGD.COM
> -ptype KRB5_NT_SRV_HST -pass yyssi60 -mapuser YYSSI60 at grupocgd.com -out
> krbkt.key -mapOp set Targeting domain controller:
> gcxnclidcss302.GrupoCGD.com
> Successfully mapped m4appservice/gcxermdevas301.grupocgd.com to
> YYSSI60.
> WARNING: pType and account type do not match. This might cause
> problems.
> Key created.
> Output keytab to krbkt.key:
> Keytab version: 0x502
> keysize 88 m4appservice/gcxermdevas301.grupocgd.com at GRUPOCGD.COM ptype
> 3 (KRB5_NT_SRV_HST) vno 2 etype 0x17 (RC4-HMAC) keylength 16
> (0x4b18d01653d2921febb2cd9d11937aeb)
> 
> In all Win2000 stations I've create a Environment Variable called
> KRB5_CONFIG that is pointing to a file call krb5.ini containing:
> [domain_realm]
> grupocgd.com = GRUPOCGD.COM
> 
> [libdefaults]
> default_realm = GRUPOCGD.COM
> dns_lookup_kdc = false
> 
> [realms]
> GRUPOCGD.COM = {
>     admin_server = gcxnclidcss302.grupocgd.com
>     kdc = gcxnclidcss302.grupocgd.com
>     default_domain = GRUPOCGD.COM
> }
> 
> Can you help me with this problem ?
> Is something with my Active Directory, with my PC W2000 configuration,
> what can I confirm ?
> 
> Many Thanks to you all
> Fernando
> PS - Sorry for my english :-)
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list