Windows client authentication problem

Viji V Nair vijivijayakumar at
Tue Dec 30 12:30:58 EST 2008


I am trying to authenticate windows xp clients to an MIT kerberos server.
The Server is on a Linux machine and I have both windows and Linux clients
on my network. I have followed the below steps, but no success.

Configured the kerberos server and Linux clients are authenticating
properly, but no success on windows clients. On the kerberos Server I have
created a host principal using the following command.

# kadmin -q "ank host/" (I tried kadmin -q "ank
host/bmdata01" also)

On the windows xp client(bmdata01),

C:> ksetup /setrealm TESTING.COM
C:> ksetup /addkdc TESTING.COM
C:> ksetup /setmachpassword <password>
C:> ksetup /mapuser admin at TESTING.COM guest
C:> ksetup /mapuser * *

After the reboot windows is showing TESTING.COM as a Kerberos Realm on the
login screen, but when I try to login using a kerberos user it is throwing
the following error.

*"The system could not log you on. Make sure your user name and domain are
correct, and then type your password again. Letters in passwords must be
typed using the correct case."*

But the kerberos server is issuing the tickets, the log shows:

Dec 30 22:36:03 krb5kdc[5179](info): AS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) NEEDED_PREAUTH: admin at TESTING.COM for
krbtgt/TESTING.COM at TESTING.COM, Additional pre-authentication required
Dec 30 22:36:03 krb5kdc[5179](info): AS_REQ (3 etypes {23 3
1}) ISSUE: authtime 1230656763, etypes {rep=23 tkt=18
ses=23}, admin at TESTING.COM for krbtgt/TESTING.COM at TESTING.COM
Dec 30 22:36:03 krb5kdc[5179](info): TGS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) ISSUE: authtime 1230656763, etypes
{rep=23 tkt=18 ses=23}, admin at TESTING.COM for host/

I have found some article on Microsoft website, saying this is a bug and
apply the latest service pack (SP3), I even tried that, but no success.

Similar Thread:

c:> ksetup.exe
default realm = TESTING.COM (external)
        kdc =
        Realm Flags = 0x0 none
Mapping all users (*) to guest.
Mapping admin to guest.

# cat /etc/krb5.conf

 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

 default_realm = TESTING.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

  kdc =
  admin_server =
  default_domain =

[domain_realm] = TESTING.COM = TESTING.COM

 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

    db_library = kldap
    ldap_servers = ldap://
    ldap_kerberos_container_dn = cn=kerberos,dc=testing,dc=com
    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,dc=testing,dc=com
    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd

Any help on this will be greatly appreciated.

Thanks & Regards

More information about the Kerberos mailing list