Bizarre problem with authenticating a service principal with AD

Tom Yu tlyu at MIT.EDU
Mon Mar 12 12:29:08 EDT 2007


>>>>> "Jason" == Jason Testart <jatestart at cs.uwaterloo.ca> writes:

Jason> So I just recreated the keytab with the different enctype.  Now when I 
Jason> kinit, I get either:

Jason>    kinit(v5): Password incorrect while getting initial credentials

Jason> or

Jason>    kinit(v5): Preauthentication failed while getting initial credentials

Jason> depending if the "require preauth" is set for the account in AD.

What version of Windows is running on the AD server?  One problem I
think I've seen is that in some recent versions of Windows, AD uses a
different salt for the password than the usual principal-name salt.
(AD stores the actual password, rather than a key.)  I thought this
should only be a problem if you're typing a password into an MIT krb5
ktutil or similar keytab tool, but I think ktpass may have the same
problem.

In one case I encountered, I think the reason was that AD was using
the NetBIOS name for the server instead of its FQDN to create the
"principal name" for the salt.  Does the server in question have a
hostname which is longer than 14 or 15 (I can't remember the exact
number) characters?

---Tom
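An added example (not code from the thread) that works through Tom's salt hypothesis: with the same password, RFC 3962 PBKDF2 key material only agrees when both sides build the same salt, and a salt derived from a 15-character NetBIOS name diverges from the FQDN-based one once the hostname is long. It assumes the realm is the DNS domain uppercased, and the AD computer-account salt layout used here is stated as an assumption, not taken from the post.

```python
import hashlib

# RFC 3962 string-to-key parameters for aes128-cts-hmac-sha1-96.
PBKDF2_ITERATIONS = 4096
AES128_KEY_LEN = 16
NETBIOS_MAX_LEN = 15  # NetBIOS computer names are limited to 15 characters


def mit_default_salt(realm, components):
    """RFC 4120 default salt: realm followed by the name components, no separators."""
    return realm + "".join(components)


def netbios_name(fqdn):
    """Assumption: the NetBIOS name is the first DNS label, truncated to 15 chars, upper-cased."""
    return fqdn.split(".")[0][:NETBIOS_MAX_LEN].upper()


def ad_computer_salt(realm, short_name):
    """Assumed AD computer-account salt: REALM + 'host' + lowercase short name + '.' + lowercase realm.
    This only equals the MIT default when the short name is the full first label of the FQDN."""
    return realm.upper() + "host" + short_name.lower() + "." + realm.lower()


def pbkdf2_stage(password, salt, key_len=AES128_KEY_LEN):
    """First stage of RFC 3962 string-to-key (PBKDF2-HMAC-SHA1, 4096 iterations).
    The final DK() step through AES is omitted, so this is not the finished key,
    but any difference in the salt already shows up here and propagates to the key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), PBKDF2_ITERATIONS, key_len)


def compare_salts(realm, fqdn, password):
    """Compare the MIT-style salt for host/<fqdn>@REALM with the assumed AD salt."""
    mit = mit_default_salt(realm, ["host", fqdn])
    ad = ad_computer_salt(realm, netbios_name(fqdn))
    return {
        "mit_salt": mit,
        "ad_salt": ad,
        "salts_match": mit == ad,
        "keys_match": pbkdf2_stage(password, mit) == pbkdf2_stage(password, ad),
    }


if __name__ == "__main__":
    # Constructed sample hosts: a short name agrees, a 20-character name does not.
    for host in ("kdc01.example.com", "fileserver-building7.example.com"):
        r = compare_salts("EXAMPLE.COM", host, "correct horse battery staple")
        print(host, "salts_match=%s keys_match=%s" % (r["salts_match"], r["keys_match"]))
```

For the long hostname the two salts differ only in the truncated label, which is enough for kinit against a keytab built with the other salt to report a wrong password.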
