Issue with Ktpass usage + windows 2003 KDC + non windows client
Jeffrey Altman
jaltman2 at nyc.rr.com
Sat Sep 23 02:31:41 EDT 2006
sandypossible at gmail.com wrote:
> Hi all,
>
> I am working on implementing Kerberos for IPsec for an embedded
> device. I am not able to test it with Windows 2003 server as KDC. But
> with 2000 server as KDC, it is working fine. When the device is acting
> as application server, the error is in accept_sec_context().
>
> The routine accept_sec_context() says Keytable version number doesn't
> match. Validation error. But I am able to get TGT for the application
> server using keytab. Are there any changes to the ktpass tool in 2003
> server when compared to ktpass tool given for 2000. I googled and found
> that keyversion number in 2003 is incremented unlike 2000 server. Is
> this the cause? I am creating the keytab file on the KDC and using
> it on the device. I am not able to find what's the cause for this
> failure. Can anybody please help me? How to find which keyversion to
> use when creating the keytab using ktpass tool on Windows 2003?
>
> Also, one more observation is, when I use the ktpass tool to map
> account to principal, it says failed to map the "servicePrincipalName".
> This is happening for the newly created account also. Can you please
> tell me if this is related to ktpass tool or it could be related to
> configuration error?
>
> Regards,
> Sandy.
>
You can use the 'kvno' tool provided with MIT Kerberos to obtain the
kvno for the requested ticket. For Windows 2000, the kvno is always 0.
For Windows 2003, you have to specify the correct kvno when generating
the keytab file with ktpass.