Issues with keytab creation related to switch to w2k3 w/ ktutil

Neulinger, Nathan nneul at umr.edu
Wed Apr 7 14:04:15 EDT 2004


We thought we already had that applied... however, here's the thing
though - I see the resulting behavior even when authenticating against
the win2k DC... Does this hotfix change the behavior of password updates
in addition to ticket granting functionality?

I'm able to authenticate without any problem when providing the password
for the host/X princ, but am not able to authenticate when using a
keytab generated with ktutil with that same password and correct kvno -
but ONLY when I create/set the pw for the princ in AD via the w2k3 DC.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                       EMail:  nneul at umr.edu
University of Missouri - Rolla         Phone: (573) 341-6679
UMR Information Technology             Fax: (573) 341-4216
 

> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert at anl.gov] 
> Sent: Wednesday, April 07, 2004 12:50 PM
> To: Jeffrey Altman
> Cc: Neulinger, Nathan; krbdev at mit.edu
> Subject: Re: Issues with keytab creation related to switch to 
> w2k3 w/ ktutil
> 
> 
> 
> Jeffrey Altman wrote:
> > 
> > Nathan:
> > 
> > Are you sure you are receiving the correct enctype?
> > Doug has reported that he is receiving DES-CBC-MD5
> > when he is expecting DES-CBC-CRC from Windows 2003.
> 
> W2003 does not let the client select the enctype,
> so even if you request des-cbc-crc, it will send des-cbc-md5.
> 
> See "KDC does not allow clients to specify an etype in 
> Windows Server 2003"
> 
> http://support.microsoft.com/default.aspx?scid=kb;en-us;833708
> 
> We are trying to get this hotfix and the NO_PAC hotfix together. 
> They both update kdcsrv.dll on the server. 
> 
> 
> > 
> > Do you have network traces of the exchange?
> > 
> > - Jeff
> > 
> > Neulinger, Nathan wrote:
> > 
> > >Sam, give me a little credit please. I'm well aware of the kvno issue.
> > >If it were just a simple rtfm answer like that, I wouldn't have asked
> > >the question here in the first place.
> > >
> > >The princ is being re-created each time, and we know the kvno, and have
> > >verified that with adsiedit. The keytab has the appropriate key with
> > >that kvno in it.
> > >
> > >If it were a simple kvno mismatch, this would be easy to resolve - I
> > >should know, we already had to deal with that for authentications
> > >against win2k3 boxes for our afs service principals and krb524 - which
> > >was resolved without any significant issues.
> > >
> > >-- Nathan
> > >
> > >
> > >
> > _______________________________________________
> > krbdev mailing list             krbdev at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/krbdev
> 
> -- 
> 
>  Douglas E. Engert  <DEEngert at anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439 
>  (630) 252-5444
> 
> 

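The first check a practitioner would make on the situation described in this thread is to see what the ktutil-generated keytab actually holds, since the KB article Doug quotes says a Windows Server 2003 KDC ignores the requested etype and hands out des-cbc-md5 even when des-cbc-crc was asked for, so a keytab with the right kvno but only a des-cbc-crc key will still fail. The following is an added example, not code from this thread or from MIT krb5: a parser for the MIT 0x0502 keytab format that lists each entry's principal, kvno and enctype, exercised on a constructed keytab (the realm EXAMPLE.COM and the key bytes are made up) that holds host/X at the correct kvno but only as des-cbc-crc.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / MIT krb5); the two DES types are the ones in the thread.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(b):
    """Keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b

def parse_keytab(data):
    """Parse an MIT v2 (0x0502) keytab; return [(principal, kvno, enctype_name)] for live entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                      # a negative size marks a deleted slot of that length
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        parts = []
        for _ in range(ncomp + 1):        # realm first, then the ncomp name components
            (ln,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        realm, comps = parts[0], parts[1:]
        pos += 4 + 4                      # name_type and timestamp, not needed for this check
        vno8 = data[pos]; pos += 1        # 8-bit kvno
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:                # optional trailing 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = vno32 or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm, kvno, ENCTYPES.get(etype, str(etype))))
    return entries

def has_key(entries, principal, kvno, enctype):
    """True if the keytab holds a key for exactly the (principal, kvno, enctype) the KDC will use."""
    return (principal, kvno, enctype) in entries

def _entry(realm, comps, kvno, etype, key):
    """Build one keytab entry (hypothetical helper used only to construct the sample below)."""
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno) + struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: host/X@EXAMPLE.COM at kvno 3, but only a des-cbc-crc key (enctype 1).
SAMPLE_KEYTAB = b"\x05\x02" + _entry("EXAMPLE.COM", ["host", "X"], 3, 1, b"\x01" * 8)
```

With the sample, `has_key(parse_keytab(SAMPLE_KEYTAB), "host/X@EXAMPLE.COM", 3, "des-cbc-md5")` is false even though the kvno is right, which is the mismatch the quoted KB article would produce.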

