msktutil problem with Windows 2008

Douglas E. Engert deengert at anl.gov
Mon Aug 31 10:48:05 EDT 2009





Markus Moeller wrote:
> I use the latest msktutil (0.3.16-7) and can add an entry to Windows 2008, 
> but when I run kinit -kt test.keytab HTTP/fqdn I get 
> KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Is there a setting in 2008 which need to be 
> changed ?

I think AD will search for the UPN of HTTP/fqdn when a TGT is requested
by kinit.

Do you have any output from msktutil, or any dump of the
AD entry?  The UPN and SPNs would be helpful.

It could be that the UPN of the account is host/fqdn at realm,
with SPNs of host/fqdn and HTTP/fqdn. When you ran
msktutil what options did you use?

Is the UPN HTTP/fqdn at realm?
Did you use the --upn HTTP/fqdn option?

Since AD will let an account have one UPN, with multiple SPNs
deriving the keys from the same password, msktutil will assume
multiple principals in a keytab are for the same account.

We always have one principal per account with separate keytabs,
and use the --upn service/fqdn option too.

> 
> Thank you
> Markus 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



More information about the Kerberos mailing list