preauth failed KRB5KDC_ERR_CLIENT_NAME_MISMATCH

Kevin Coffman kwc at umich.edu
Thu May 29 09:04:39 EDT 2008


This means that you are either missing a Subject Alternative Name
(SAN) in your client's certificate, or it doesn't match the principal
name you are trying to authenticate.

By default, the KDC requires that the client certificate has the
id-pkinit-san as defined in rfc4556.  If you specify "pkinit_allow_upn
= true" in the KDC's config, it will also accept a Microsoft UPN SAN.
There is no KDC configuration option to completely turn off the
requirement for a SAN.

K.C.

On Thu, May 29, 2008 at 5:53 AM, naveen.bn <naveen.bn at globaledgesoft.com> wrote:
>
> Hi Kevin,
>
> Thank you, I took the help of the example file that you had sent me and
> generated the certificates in PEM format. Now the AS_REQ is sent with the
> patype field set to PA-DAS (16), and I am getting the error
> KRB5KDC_ERR_CLIENT_NAME_MISMATCH.
>
> This is what I am doing, and my config files are shown below.
>
> kinit -X X509_user_identity=FILE:/client/other/naveen.pem,/client/other/naveen.key naveen
>
> kinit(v5): Client name mismatch while getting initial credentials
>
> /************** krb5.conf ************/
>
> [libdefaults]
>   krb4_config = /usr/kerberos/lib/krb.conf
>   krb4_realms = /usr/kerberos/lib/krb.realms
>   default_realm = globaledgesoft.com
>
> [realms]
>   globaledgesoft.com = {
>     kdc = 172.16.8.141
>     admin_server = 172.16.8.141
>     pkinit_anchors = DIR:/ca/other
>     pkinit_require_eku = true
>     pkinit_require_krbtgt_otherName = false
>     pkinit_require_hostname_match = flase
>   }
>
> [domain_realm]
>   .globaledgesoft.com = globaledgesoft.com
>   globaledgesoft.com = globaledgesoft.com
>
> [logging]
>   kdc = FILE:/var/krb5kdc.log
>   admin_server = FILE:/var/log/kadmin.log
>   default = FILE:/var/log/krb5lib.log
>
> /********* end of krb5.conf ***************/
>
> /********** kdc.conf ****************/
>
> [kdcdefaults]
>   default_realm = globaledgesoft.com
>   kdc_ports = 750,88
>
> [realms]
>   globaledgesoft.com = {
>     database_name = /usr/local/var/krb5kdc/principal
>     admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
>     acl_file = /usr/local/var/krb5kdc/kadm5.acl
>     key_stash_file = /usr/local/var/krb5kdc/.k5._kerberos._udp.globaledgesoft.com
>     kdc_ports = 750,88
>     max_life = 10h 0m 0s
>     max_renewable_life = 7d 0h 0m 0s
>     pkinit_anchors = DIR:/ca/other
>     pkinit_identity = FILE:/kdc/other/server.pem,/kdc/other/server.key
>     # pkinit_allow_upn = true
>     # pkinit_eku_checking = none
>     pkinit_revoke = DIR:/ca/other
>   }
>
> /********* end of kdc.conf ***************/
>
> Thank you
> with regards
> naveen
>
>
>
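An added check that mirrors the KDC rule Kevin describes (example code written for this page, not from MIT krb5 or from either poster): it decodes the id-pkinit-san otherName value (KRB5PrincipalName, RFC 4556) and the Microsoft UPN otherName from DER and tests whether either names the client principal, gating the UPN form on an `allow_upn` flag that stands in for pkinit_allow_upn. It assumes the caller has already extracted the (OID, DER value) pairs from the certificate's SAN extension, compares principals as exact strings (a simplification of the KDC's principal comparison), and the sample principal is constructed.

```python
ID_PKINIT_SAN = "1.3.6.1.5.2.2"         # RFC 4556 id-pkinit-san otherName OID
ID_MS_UPN = "1.3.6.1.4.1.311.20.2.3"    # Microsoft UPN otherName OID

def der(tag, content):
    """Encode one DER TLV (short-form length only, enough for the samples)."""
    return bytes([tag, len(content)]) + content

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(buf):
    """Yield (tag, value) for each TLV inside a constructed value's content."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = der_read(buf, pos)
        yield tag, val

def decode_pkinit_san(value):
    """KRB5PrincipalName DER -> 'comp1/comp2@REALM', the form the KDC compares."""
    _, seq, _ = der_read(value)                # outer SEQUENCE
    fields = dict(der_children(seq))           # {0xA0: realm [0], 0xA1: principalName [1]}
    _, realm, _ = der_read(fields[0xA0])       # KerberosString (GeneralString) inside [0]
    _, pn_seq, _ = der_read(fields[0xA1])      # PrincipalName SEQUENCE content
    pn = dict(der_children(pn_seq))            # {0xA0: name-type, 0xA1: name-string}
    _, names, _ = der_read(pn[0xA1])           # SEQUENCE OF KerberosString content
    parts = [v.decode() for _, v in der_children(names)]
    return "/".join(parts) + "@" + realm.decode()

def san_matches(other_names, principal, allow_upn=False):
    """Apply the KDC's rule to the [(oid, DER value)] otherNames from the SAN extension."""
    if not other_names:
        return False, "certificate has no otherName SAN"
    for oid, value in other_names:
        if oid == ID_PKINIT_SAN and decode_pkinit_san(value) == principal:
            return True, "id-pkinit-san matches"
        if oid == ID_MS_UPN and allow_upn and der_read(value)[1].decode() == principal:
            return True, "UPN SAN matches (pkinit_allow_upn = true)"
    return False, "SAN does not name " + principal   # -> KRB5KDC_ERR_CLIENT_NAME_MISMATCH

def sample_pkinit_san(realm, parts):
    """Constructed KRB5PrincipalName DER for a test principal (name-type 1, NT-PRINCIPAL)."""
    names = der(0x30, b"".join(der(0x1B, p.encode()) for p in parts))
    pn = der(0x30, der(0xA0, der(0x02, b"\x01")) + der(0xA1, names))
    return der(0x30, der(0xA0, der(0x1B, realm.encode())) + der(0xA1, pn))
```

Running `san_matches` over the otherNames of a failing client certificate shows whether the SAN is missing, names a different principal, or is a UPN that the KDC only accepts with pkinit_allow_upn enabled.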