Windows XP authentication to MIT KDC

Quanah Gibson-Mount quanah at stanford.edu
Fri May 26 19:39:28 EDT 2006


Hi,

I'm trying to get my Windows XP system to allow me to auth to our MIT KDC. 
However, I'm running into some difficulty.

So far, I have:

C:\Documents and Settings\quanah>ksetup
default realm = stanford.edu (external)
stanford.edu:
        kdc = kerberos1.stanford.edu
        kdc = kerberos2.stanford.edu
        kdc = kerberos3.stanford.edu
        Realm Flags = 0x0 none
Mapping all users (*) to a local account by the same name (*).
Mapping quanah at stanford.edu to quanah.


I've set up a host principal between my windows box and the KDC, and that 
part seems to be working correctly, as the KDC issues me a ticket:

May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (7 etypes {23 -133 -128 3 1 
24 -135}) 171.66.155.86: NEEDED_PREAUTH: quanah at stanford.edu for 
krbtgt/stanford.edu at stanford.edu, Additional pre-authentication required
May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (2 etypes {3 1}) 
171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=3 tkt=1 ses=1}, 
quanah at stanford.edu for krbtgt/stanford.edu at stanford.edu
May 26 16:15:56 kerberos1 krb5kdc[1385]: TGS_REQ (7 etypes {23 -133 -128 3 
1 24 -135}) 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=1 tkt=1 
ses=1}, quanah at stanford.edu for 
host/sw-90-717-287-3.stanford.edu at stanford.edu


However, my login fails with:

"Windows cannot connect to the domain, either because the domain controller 
is down or otherwise unavailable, or because your computer account was not 
found."


I think this is related to a lack of SRV records for our KDC, because when 
I go into the properties for "My Computer" and tell it to join the 
"stanford.edu" domain, I get:

The following error occurred when DNS was queried for the service location 
(SRV) resource record to locate a domain controller for domain stanford.edu:

The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)

The query was for the SRV record for _ldap._tcp.dc_msdcs.stanford.edu

Common causes of this error include the following:

- The DNS SRV record is not registered in DNS.

- One or more of the following zones do not include delegation to its child 
zone:

stanford.edu
edu
. (the root zone)



Trying to connect to the domain from the command line gives me:

C:\Documents and Settings\quanah>ksetup /domain stanford.edu
Connecting to specified domain stanford.edu...
CallAuthPackage failed, status 0x0, substatus 0x8009030e.
Ticket cache query failed.  Error 0x8009030e
Could not guess user's domain.
  Please specify domain on command line and try again.
/Domain failed: 0x8009030e.


Any thoughts on where I can go from here?  Are SRV records an absolute 
requirement with Windows?


--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
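
Added example, not part of the original message: a small Python parser for krb5kdc log lines in the format quoted above, reporting whether a TGT and service tickets were issued and which encryption types the KDC chose. The sample lines (realm EXAMPLE.EDU, principal, host and address) are constructed, and the WEAK set is this example's own classification.

```python
import re

# Names for registered etype numbers; negative values are reserved for
# local use and are left unnamed here.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK = {1, 3, 24}  # assumption of this example: single DES and export RC4

LINE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)")

def parse(line):
    """Parse one unwrapped krb5kdc request line; return a dict or None."""
    m = LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(e) for e in rec["offered"].split()]
    for k in ("rep", "tkt", "ses"):  # present only on ISSUE lines
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec

def summarize(lines):
    """Return (tgt_issued, service_tickets, weak_findings)."""
    tgt, services, weak = False, [], []
    for rec in filter(None, map(parse, lines)):
        if rec["status"] != "ISSUE":
            continue  # e.g. NEEDED_PREAUTH is the normal first round trip
        if rec["req"] == "AS_REQ":
            tgt = True
        else:
            services.append(rec["service"])
        for role in ("rep", "tkt", "ses"):
            if rec[role] in WEAK:
                weak.append((rec["service"], role, ETYPE_NAMES[rec[role]]))
    return tgt, services, weak

# Constructed sample lines, one log record per line.
SAMPLE = [
    "May 26 16:15:56 kdc1 krb5kdc[1385]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.10: NEEDED_PREAUTH: alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU, Additional pre-authentication required",
    "May 26 16:15:56 kdc1 krb5kdc[1385]: AS_REQ (2 etypes {3 1}) 192.0.2.10: ISSUE: authtime 1148685356, etypes {rep=3 tkt=1 ses=1}, alice@EXAMPLE.EDU for krbtgt/EXAMPLE.EDU@EXAMPLE.EDU",
    "May 26 16:15:56 kdc1 krb5kdc[1385]: TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.0.2.10: ISSUE: authtime 1148685356, etypes {rep=1 tkt=1 ses=1}, alice@EXAMPLE.EDU for host/ws1.example.edu@EXAMPLE.EDU",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Log lines wrapped by a mail client need to be rejoined into single records before parsing.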