Windows XP authentication to MIT KDC

Richard E. Silverman res at qoxp.net
Fri May 26 21:39:26 EDT 2006


> Hi,
> I'm trying to get my Windows XP system to allow me to auth to our MIT KDC. 
> However, I'm running into some difficulty.
> 
> So far, I have:
> 
> C:\Documents and Settings\quanah>ksetup
> default realm = stanford.edu (external)
> stanford.edu:
>         kdc = kerberos1.stanford.edu
>         kdc = kerberos2.stanford.edu
>         kdc = kerberos3.stanford.edu
>         Realm Flags = 0x0 none
> Mapping all users (*) to a local account by the same name (*).
> Mapping quanah at stanford.edu to quanah.
> 
> 
> I've set up a host principal between my windows box and the KDC, and that 
> part seems to be working correctly, as the KDC issues me a ticket:
> 
> May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (7 etypes {23 -133 -128 3 1 
> 24 -135}) 171.66.155.86: NEEDED_PREAUTH: quanah at stanford.edu for 
> krbtgt/stanford.edu at stanford.edu, Additional pre-authentication required
> May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (2 etypes {3 1}) 
> 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=3 tkt=1 ses=1}, 
> quanah at stanford.edu for krbtgt/stanford.edu at stanford.edu
> May 26 16:15:56 kerberos1 krb5kdc[1385]: TGS_REQ (7 etypes {23 -133 -128 3 
> 1 24 -135}) 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=1 tkt=1 
> ses=1}, quanah at stanford.edu for 
> host/sw-90-717-287-3.stanford.edu at stanford.edu

All your realm names are lower case.  Is that really correct?  It's very
unusual.

> However, my login fails with:
> 
> "Windows cannot connect to the domain, either because the domain controller 
> is down or otherwise unavailable, or because your computer account was not 
> found."
> 
> 
> I think this is related to a lack of SRV records for our KDC, because when 
> I go into the properties for "My Computer" and tell it to join the 
> "stanford.edu" domain, I get:
> 
> The following error occurred when DNS was queried for the service location 
> (SRV) resource record to locate a domain controller for domain stanford.edu:
> 
> The error was: "DNS name does not exist."
> (error code 0x0000232B RCODE_NAME_ERROR)
> 
> The query was for the SRV record for _ldap._tcp.dc_msdcs.stanford.edu

This means that on some level, the client still thinks this realm is a
Windows domain, as opposed to an external realm.  It's trying to find a
domain controller.

> Any thoughts on where I can go from here?  Are SRV records an absolute 
> requirement with windows?

They actually would not matter in your case (the right ones), since you
gave it static configuration for the KDCs.


-- 
  Richard Silverman
  res at qoxp.net
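As an added example, not part of the original thread: a small Python checker for krb5kdc log lines of the kind quoted above. It parses the AS_REQ/TGS_REQ entries and reports the three things a reader of that log should notice: the realm names are lower-case (Richard's question), the XP client offers negative Microsoft-private etypes that an MIT KDC will never select, and both tickets were issued with etype 1 (des-cbc-crc) for the ticket and the session key. The sample lines are constructed from the quoted log, unwrapped onto one line each and with the archive's " at " obfuscation restored to "@"; the etype table is the standard RFC 3961/4120 assignment, and the line regex is written for the MIT krb5kdc format shown here only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three krb5kdc lines quoted in the thread, unwrapped
# and with the list archive's " at " restored to "@". Not a new capture.
SAMPLE_LOG = """\
May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 171.66.155.86: NEEDED_PREAUTH: quanah@stanford.edu for krbtgt/stanford.edu@stanford.edu, Additional pre-authentication required
May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (2 etypes {3 1}) 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=3 tkt=1 ses=1}, quanah@stanford.edu for krbtgt/stanford.edu@stanford.edu
May 26 16:15:56 kerberos1 krb5kdc[1385]: TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=1 tkt=1 ses=1}, quanah@stanford.edu for host/sw-90-717-287-3.stanford.edu@stanford.edu
"""

# Standard etype numbers (RFC 3961 / RFC 4120 / IANA registry). Negative
# numbers are Microsoft-private etypes; an MIT KDC will not issue with them.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
WEAK_ETYPES = {1, 2, 3, 24}  # single DES and export-grade RC4

# Matches the MIT krb5kdc AS_REQ/TGS_REQ line format seen in the thread.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<client_ip>\S+): (?P<status>\w+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, )?"
    r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+)"
)


@dataclass
class KdcEvent:
    req: str
    status: str
    client_ip: str
    client: str
    server: str
    offered: List[int]          # etypes the client offered in the request
    rep: Optional[int] = None   # reply etype, only present on ISSUE
    tkt: Optional[int] = None   # ticket etype
    ses: Optional[int] = None   # session key etype


def _opt_int(s: Optional[str]) -> Optional[int]:
    return None if s is None else int(s)


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Parse AS_REQ/TGS_REQ lines; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        events.append(KdcEvent(
            req=m["req"], status=m["status"], client_ip=m["client_ip"],
            client=m["client"], server=m["server"],
            offered=[int(x) for x in m["offered"].split()],
            rep=_opt_int(m["rep"]), tkt=_opt_int(m["tkt"]), ses=_opt_int(m["ses"]),
        ))
    return events


def realm_of(principal: str) -> str:
    """Realm is everything after the last '@' (principal names may contain '/')."""
    return principal.rsplit("@", 1)[1]


def audit(events: List[KdcEvent]) -> List[str]:
    """One finding per thing worth a second look, de-duplicated in order."""
    findings = []
    for e in events:
        # Kerberos realm names are conventionally upper-case; a lower-case one
        # usually means the client and KDC configs need checking against each other.
        for p in (e.client, e.server):
            r = realm_of(p)
            if r != r.upper():
                findings.append(f"lower-case realm '{r}' in {p}")
        private = [x for x in e.offered if x < 0]
        if private:
            findings.append(f"{e.req} from {e.client_ip} offered Microsoft-private etypes {private}")
        if e.status == "ISSUE":
            for label, et in (("tkt", e.tkt), ("ses", e.ses)):
                if et in WEAK_ETYPES:
                    findings.append(f"{e.req} {e.client} for {e.server}: {label} etype "
                                    f"{et} ({ETYPE_NAMES.get(et, '?')}) is weak")
    return list(dict.fromkeys(findings))


if __name__ == "__main__":
    for finding in audit(parse_kdc_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample it prints nine findings: two lower-case realm notes for the AS exchange plus one for the host principal, the private-etype note for each request, and a weak tkt and ses etype for each of the two ISSUE lines. Only the ISSUE lines are checked for weak etypes; what the client merely offered says nothing about what the KDC chose.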
