pamkrbval: KDC policy rejects request for this entry ricurtis at
Fri Aug 29 06:39:59 EDT 2008

I am making some progress with this and no longer believe it to be a
Kerberos issue (not directly)..

Our windows admins have enabled enhanced logging of the KDC service in
Windows, and now instead of Just a straight "0xC: KDC Policy rejects
this request", we still get the 0xC error, but we get enhanced info
stating "NT Status: STATUS_INVALID_WORKSTATION (0xc0000070)"

If anyone want to know the registry keys changed to get this logging,
it was HKLM\SYSTEM\CurrentControlSet\Services\KDC, then kdcdebuglevel
(DWORD, value=0x10000000) and kdcextraloglevel (DWORD, 0x00000004)

It looks as though the request is being rejected because AD expects to
find some form of workstation entry for this host.  I thought the
ktpass side should cater for this, but obvjously I am wrong.

I will continue to investigate this with our Windows admins and will
post back if I fix it.

On 27 Aug, 20:49, Tom Yu <t... at MIT.EDU> wrote:
> "Richard Curtis" <ricur... at> writes:
> > Hi,
> >   I am trying to get an HPUX 11i box to authenticate against our
> > active directory (Windows 2003r2) domain with kerberos but I am
> > getting nowhere fast.
> > As per the docs I have, I have created a user account in active
> > directory, then used "ktpass -princ
> > host/ at DOMAIN.HOST.COM -mapuser unix_lient
> > -pass <pass> -out c:\krb5.keytab"
> > The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> > keep getting "KDC policy rejects request for this entry"
> It may be that the AD server is forbidding the use of the
> "host/" principal as a client principal.

More information about the Kerberos mailing list