Bizarre problem with authenticating a service principal with AD

Jason Testart jatestart at cs.uwaterloo.ca
Mon Mar 12 13:28:46 EDT 2007
Tom Yu said the following on 3/12/2007 12:29 PM:
>>>>>> "Jason" == Jason Testart <jatestart at cs.uwaterloo.ca> writes:
> 
> Jason> So I just recreated the keytab with the different enctype.  Now when I 
> Jason> kinit, I get either:
> 
> Jason>    kinit(v5): Password incorrect while getting initial credentials
> 
> Jason> or
> 
> Jason>    kinit(v5): Preauthentication failed while getting initial credentials
> 
> Jason> depending on whether "require preauth" is set for the account in AD.
> 
> What version of Windows is running on the AD server?  One problem I
> think I've seen is that in some recent versions of Windows, AD uses a
> different salt for the password than the usual principal-name salt.
> (AD stores the actual password, rather than a key.)  I thought this
> should only be a problem if you're typing a password into an MIT krb5
> ktutil or similar keytab tool, but I think ktpass may have the same
> problem.

The server is running Server 2003 SP1.  One thing I am not clear on is 
the password you give ktpass.  Does this set the actual "login" password 
for the AD account, or is there a different password for the key?

> 
> In one case I encountered, I think the reason was that AD was using
> the NetBIOS name for the server instead of its FQDN to create the
> "principal name" for the salt.  Does the server in question have a
> hostname which is longer than 14 or 15 (I can't remember the exact
> number) characters?

Well, the hostname is 6 characters long; the FQDN is of course much
longer (> 15 characters).
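To make the salt mismatch Tom describes concrete, here is an added Python example (not from this thread and not MIT krb5 or ktpass code) that runs the PBKDF2 stage of the RFC 3962 AES string-to-key for one password under the MIT default salt (realm followed by the principal components) and under a constructed short-hostname salt modelled on the NetBIOS hypothesis above. The realm, hostnames and password are constructed, and the final DK step of RFC 3962 is omitted since it is a deterministic function of this output.

```python
import hashlib

# RFC 3962: AES string-to-key is PBKDF2-HMAC-SHA1 over password and salt,
# followed by a key-derivation (DK) step that is omitted here.  DK is a
# deterministic function of this output, so different PBKDF2 output
# necessarily means a different key in the keytab than on the KDC.
DEFAULT_ITERATIONS = 4096          # RFC 3962 default when no s2kparams given


def pbkdf2_stage(password: str, salt: str, key_len: int = 32,
                 iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """PBKDF2 stage of RFC 3962 string-to-key (UTF-8 password and salt)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def mit_default_salt(realm: str, *components: str) -> str:
    """Default Kerberos salt (RFC 4120 / MIT krb5): the realm name followed
    by the principal name components, concatenated with no separators."""
    return realm + "".join(components)


def compare_salts(password: str, realm: str, fqdn: str, short_name: str) -> dict:
    """Derive one password under the FQDN-based default salt and under a
    CONSTRUCTED alternative salt built from the short (NetBIOS-style) host
    name, the mismatch hypothesised in the thread.  Returns both salts,
    both derived values and whether they agree."""
    fqdn_salt = mit_default_salt(realm, "host", fqdn)
    short_salt = mit_default_salt(realm, "host", short_name)  # hypothetical
    k_fqdn = pbkdf2_stage(password, fqdn_salt)
    k_short = pbkdf2_stage(password, short_salt)
    return {
        "fqdn_salt": fqdn_salt,
        "short_salt": short_salt,
        "keys_match": k_fqdn == k_short,
        "k_fqdn": k_fqdn.hex(),
        "k_short": k_short.hex(),
    }


if __name__ == "__main__":
    # Constructed sample values; none of these come from the thread.
    result = compare_salts("constructed-password", "EXAMPLE.COM",
                           "server.example.com", "server")
    for name, value in result.items():
        print(f"{name}: {value}")
```

A keytab built with one salt and a KDC holding the other can never agree on the key, which surfaces exactly as kinit's "Password incorrect" or "Preauthentication failed" depending on the preauth setting. This only matters for salted enctypes such as DES and AES; RC4-HMAC derives its key from the password alone with no salt (RFC 4757), so a salt mismatch cannot explain a failure with that enctype.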
