krb5kdc_err_s_principal_unknown on Windows Kerberos Domain
Richard E. Silverman
res at qoxp.net
Sun Jul 9 01:47:06 EDT 2006
>
> "Richard E. Silverman" <res at qoxp.net> wrote in message
> news:m27j2ofpkf.fsf at darwin.oankali.net...
> > >>>>> "Will" == Will <DELETE_westes at earthbroadcast.com> writes:
> > Will> "Richard E. Silverman" <res at qoxp.net> wrote in message
> > Will> news:m2slldfia5.fsf at darwin.oankali.net... By example, member
> > Will> server A is contacting domain controller my-dc1 in Windows
> > Will> domain hq.corp.com. What I am seeing in the sniffer trace is
> > Will> that the member server A asks the my-dc1 domain controller in
> > Will> its role as a Kerberos ticket granter for a ticket to the domain
> > Will> (i.e., krbtgt/hq.corp.com).
> > >> Is the realm in the request also correct?
> >
> > Will> I'm not a Kerberos person, so I don't understand the question.
> > Will> Are you asking if the Windows domain name is being spelled
> > Will> correctly? The answer to that would be yes.
> >
> > No; the full principal name should be (I guess)
> > krbtgt/hq.corp.com@HQ.CORP.COM; the final part is the Kerberos "realm."
> > It may not be represented this way in the network trace, but there should
> > be a "realm" part of the data structure nearby.
>
> In a sniffer trace, the REALM: parameter is filled in as HQ.CORP.COM, so
> apparently it is correct.
>
> I looked more carefully, and it looks like your original guess is still on
> the right track. The request for the following is succeeding:
>
> krbtgt/hq.corp.com
>
> The request for the following is failing:
>
> HOST/hq.corp.com
>
> And there is no userid named "Host" on the domain controller which is the
> ticket granting server.
There wouldn't be; there would be a user or computer account named
"hq.corp.com", corresponding to a host having that name.
--
Richard Silverman
res at qoxp.net
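
The lookup discussed in this thread, as an added example that is not part of the original message: a simplified model of how a KDC splits a requested service name into components and realm, and answers KDC_ERR_S_PRINCIPAL_UNKNOWN (error 7 in RFC 4120) when no matching entry exists. The principal database, the exact-match lookup and the function names are assumptions for illustration; this does not reproduce how Active Directory maps service names to accounts.

```python
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7  # error code defined in RFC 4120

# Constructed sample database: only the ticket-granting service is registered.
SAMPLE_DB = {(("krbtgt", "hq.corp.com"), "HQ.CORP.COM")}


def parse_principal(name, default_realm):
    """Split 'comp1/comp2@REALM' into (components, realm).

    A backslash escapes the next character, so an escaped '/' or '@'
    stays inside a component instead of acting as a separator.
    """
    components, current = [], []
    realm = default_realm
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\":
            if i + 1 == len(name):
                raise ValueError("dangling backslash in principal name")
            current.append(name[i + 1])
            i += 2
            continue
        if ch == "@":  # first unescaped '@' starts the realm
            realm = name[i + 1:]
            if not realm:
                raise ValueError("empty realm in principal name")
            break
        if ch == "/":  # unescaped '/' ends the current component
            components.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))
    return tuple(components), realm


def tgs_lookup(database, sname, default_realm):
    """Return None if the service principal exists, else the KDC error code."""
    key = parse_principal(sname, default_realm)
    return None if key in database else KDC_ERR_S_PRINCIPAL_UNKNOWN


if __name__ == "__main__":
    for sname in ("krbtgt/hq.corp.com", "HOST/hq.corp.com"):
        print(sname, "->", tgs_lookup(SAMPLE_DB, sname, "HQ.CORP.COM"))
```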