Bizarre problem with authenticating a service principal with AD

Jason Testart jatestart at cs.uwaterloo.ca
Mon Mar 12 15:46:30 EDT 2007


Jason Testart said the following on 3/12/2007 1:55 PM:
> 
> 
> Tom Yu said the following on 3/12/2007 12:29 PM:
> 
>>
>> In one case I encountered, I think the reason was that AD was using
>> the NetBIOS name for the server instead of its FQDN to create the
>> "principal name" for the salt.  Does the server in question have a
>> hostname which is longer than 14 or 15 (I can't remember the exact
>> number) characters?
> 
> I just watched the traffic, and I'm getting a pre-auth required followed 
> by a pre-auth failed.  In both cases, the salt appears to be the name of 
> the AD account that the service principal is mapped to.  Is this my 
> problem?  How does one fix this?
> 
> 

The source of my problems all along was ktpass.exe.  For some reason, it 
just isn't generating proper keytab files.

My solution was to remove the AD account for the principal, then change 
my perl script to make the service/user principal mapping directly, and 
to set the account password (unicodePwd).  I then re-created the 
principal using the perl script, and used the password to manually 
generate a keytab file using addent in ktutil.

I'm so happy to now get a TGT when running "kinit -k 
host/<MyFQDN>@<MyREALM>"!!

Thanks for the help!

jt

P.S.: Is there a PERL interface to something ktutil-like?  I have yet to 
Google for this...
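As an added illustration of the salt mismatch Tom Yu describes above (example code, not from the thread or its author): the MIT default salt for a principal versus the salt AD derives from the account name, fed into the salt-dependent PBKDF2 step of the AES string-to-key function (RFC 3962). The AD salt rules, hostnames and realm used here are assumptions; the final DK step that turns the PBKDF2 output into the Kerberos key is omitted because it needs AES and, being deterministic, cannot make two differing inputs collide.

```python
import hashlib

# RFC 4120 default salt: the realm followed by the principal's name
# components, concatenated with no separators.
def default_salt(principal: str) -> str:
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))

# Assumed AD convention for a user account that a service principal is
# mapped to: REALM (upper case) + sAMAccountName. This matches the
# observation above that the salt was the AD account name.
def ad_user_salt(realm: str, sam_account_name: str) -> str:
    return realm.upper() + sam_account_name

# Assumed AD convention for a computer account: REALM + "host" +
# lowercase NetBIOS name (without the trailing $) + "." + lowercase realm.
# For hostnames of 15 characters or fewer this equals default_salt();
# longer hostnames get a truncated NetBIOS name and the salts diverge.
def ad_computer_salt(realm: str, netbios_name: str) -> str:
    host = netbios_name.rstrip("$").lower()
    return realm.upper() + "host" + host + "." + realm.lower()

# RFC 3962 string-to-key, salt-dependent step: PBKDF2-HMAC-SHA1 with the
# default 4096 iterations, 32 bytes for aes256-cts-hmac-sha1-96.
def aes256_tkey(password: str, salt: str, iterations: int = 4096) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, 32)

# True only if both salts lead to the same key material for this password.
def keys_match(password: str, salt_a: str, salt_b: str) -> bool:
    return aes256_tkey(password, salt_a) == aes256_tkey(password, salt_b)

if __name__ == "__main__":
    # Constructed sample values, not from the thread.
    realm, pw = "EXAMPLE.COM", "correct horse battery staple"
    short = default_salt("host/myhost.example.com@" + realm)
    print("short host, computer account:",
          keys_match(pw, short, ad_computer_salt(realm, "MYHOST$")))
    long_fqdn = "averyveryverylonghostname.example.com"
    long_default = default_salt("host/" + long_fqdn + "@" + realm)
    # NetBIOS names are capped at 15 characters, so AD would salt with the
    # truncated name and the keytab built with the default salt will not work.
    print("long host, computer account:",
          keys_match(pw, long_default, ad_computer_salt(realm, "AVERYVERYVERYLO$")))
    print("service principal mapped to a user account:",
          keys_match(pw, short, ad_user_salt(realm, "svc-myhost")))
```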
