Bizarre problem with authenticating a service principal with AD
Jason Testart
jatestart at cs.uwaterloo.ca
Mon Mar 12 13:28:46 EDT 2007
Tom Yu said the following on 3/12/2007 12:29 PM:
>>>>>> "Jason" == Jason Testart <jatestart at cs.uwaterloo.ca> writes:
>
> Jason> So I just recreated the keytab with the different enctype. Now when I
> Jason> kinit, I get either:
>
> Jason> kinit(v5): Password incorrect while getting initial credentials
>
> Jason> or
>
> Jason> kinit(v5): Preauthentication failed while getting initial credentials
>
> Jason> depending if the "require preauth" is set for the account in AD.
>
> What version of Windows is running on the AD server? One problem I
> think I've seen is that in some recent versions of Windows, AD uses a
> different salt for the password than the usual principal-name salt.
> (AD stores the actual password, rather than a key.) I thought this
> should only be a problem if you're typing a password into an MIT krb5
> ktutil or similar keytab tool, but I think ktpass may have the same
> problem.
The server is running Server 2003 SP1. One thing I am not clear on is
the password you give ktpass. Does this set the actual "login" password
for the AD account, or is there a different password for the key?
>
> In one case I encountered, I think the reason was that AD was using
> the NetBIOS name for the server instead of its FQDN to create the
> "principal name" for the salt. Does the server in question have a
> hostname which is longer than 14 or 15 (I can't remember the exact
> number) characters?
Well, the hostname is 6 characters long; the FQDN is of course much
longer (> 15 characters).
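The salt mismatch Tom describes can be checked without a Windows box. The following is an added example, not code from this thread or from MIT krb5; it builds the RFC 4120 default salt (realm followed by the principal's name components) beside the salts Active Directory uses per MS-KILE (user account: REALM + sAMAccountName; computer account: REALM + "host" + lowercase name without "$" + "." + lowercase realm) and runs both through the PBKDF2 stage of the RFC 3962 AES string-to-key function. AES is used only because that stage is available from the Python standard library; a Server 2003 keytab would be DES or RC4, and RC4-HMAC keys are unsalted (MD4 of the UTF-16LE password), so the salt only matters for the DES enctypes there. The final DK(tkey, "kerberos") step is omitted because it needs an AES implementation; a mismatch at the PBKDF2 stage already guarantees a mismatch in the final key. Hostnames, account names and the password are constructed for the example.

```python
import hashlib

# RFC 3962: iteration count used when the KDC sends no s2kparams.
DEFAULT_ITERATIONS = 4096
AES128_KEY_LEN = 16  # aes128-cts-hmac-sha1-96


def mit_default_salt(principal: str, realm: str) -> str:
    """RFC 4120 default salt: the realm name followed by the principal's
    name components concatenated without separators.  'principal' is
    given without the '@REALM' suffix, e.g. 'host/server.example.com'."""
    return realm + "".join(principal.split("/"))


def ad_user_salt(sam_account_name: str, realm: str) -> str:
    """MS-KILE salt for a user account: upper-case realm followed by the
    sAMAccountName with its case preserved.  This is what applies when
    ktpass maps an SPN onto an ordinary user account."""
    return realm.upper() + sam_account_name


def ad_computer_salt(sam_account_name: str, realm: str) -> str:
    """MS-KILE salt for a computer account: upper-case realm, the literal
    'host', the lower-cased account name without its trailing '$', a dot,
    and the lower-cased realm."""
    name = sam_account_name.rstrip("$").lower()
    return realm.upper() + "host" + name + "." + realm.lower()


def netbios_name(hostname: str) -> str:
    """NetBIOS computer name: first DNS label, upper-cased, at most 15 chars.
    (Assumption used for the example: the computer account's sAMAccountName
    is this name plus '$'.)"""
    return hostname.split(".")[0].upper()[:15]


def aes_tkey(password: str, salt: str,
             iterations: int = DEFAULT_ITERATIONS,
             key_len: int = AES128_KEY_LEN) -> bytes:
    """RFC 3962 string-to-key, PBKDF2-HMAC-SHA1 stage only (the 'tkey').
    The DK(tkey, 'kerberos') step is deliberately left out (needs AES)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def keytab_matches_kdc(password: str, keytab_salt: str, kdc_salt: str) -> bool:
    """True iff a keytab built with keytab_salt would hold the same key the
    KDC derived with kdc_salt.  False is what shows up as 'Password
    incorrect' / 'Preauthentication failed' at kinit time."""
    return aes_tkey(password, keytab_salt) == aes_tkey(password, kdc_salt)


if __name__ == "__main__":
    realm = "EXAMPLE.COM"
    password = "constructed-example-password"  # constructed sample input

    # Case 1: short hostname, computer account.  Both sides agree.
    fqdn = "server.example.com"
    mit = mit_default_salt("host/" + fqdn, realm)
    ad = ad_computer_salt(netbios_name(fqdn) + "$", realm)
    print("short host:", mit, "|", ad, "|", keytab_matches_kdc(password, mit, ad))

    # Case 2: hostname longer than 15 chars.  The NetBIOS-derived account
    # name is truncated, so AD's salt no longer equals the FQDN-based one.
    fqdn = "averylonghostname.example.com"
    mit = mit_default_salt("host/" + fqdn, realm)
    ad = ad_computer_salt(netbios_name(fqdn) + "$", realm)
    print("long host: ", mit, "|", ad, "|", keytab_matches_kdc(password, mit, ad))

    # Case 3: SPN mapped onto a user account with ktpass.  AD salts with the
    # user name, not the SPN, so the MIT default salt is wrong regardless
    # of hostname length.
    mit = mit_default_salt("HTTP/server.example.com", realm)
    ad = ad_user_salt("svc-http", realm)
    print("user acct: ", mit, "|", ad, "|", keytab_matches_kdc(password, mit, ad))
```

The practical consequence for an MIT-side keytab is that the salt passed to ktutil (or the one krb5 computes by default) must be the one AD actually used for the account, not the one derived from the SPN; with DES keys a wrong salt is indistinguishable from a wrong password from kinit's point of view.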