pamkrbval: KDC policy rejects request for this entry

Tom Yu tlyu at MIT.EDU
Wed Aug 27 15:49:10 EDT 2008

"Richard Curtis" <ricurtis at> writes:

> Hi,
>   I am trying to get an HPUX 11i box to authenticate against our
> Active Directory (Windows 2003r2) domain with Kerberos but I am
> getting nowhere fast.
> As per the docs I have, I have created a user account in Active
> Directory, then used "ktpass -princ
> host/ at DOMAIN.HOST.COM -mapuser unix_lient
> -pass <pass> -out c:\krb5.keytab"
> The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> keep getting "KDC policy rejects request for this entry"

It may be that the AD server is forbidding the use of the
"host/" principal as a client principal.

