kerberos preauthentication IIS

Stephen Ince since at
Wed Nov 12 18:28:41 EST 2008

I figured it out. Here is is the solution.
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc

krb5_preauthtype PREAUTH_LIST[] = {KRB5_PADATA_ENC_TIMESTAMP,0};
    err = krb5_get_in_tkt_with_password(
        kdcFlags, NULL, NULL, PREAUTH_LIST, password, krb5->ccache, 
&krb5->credentials, 0);

    /* if we failed try one more time w/o preauthentication */
        err = krb5_get_in_tkt_with_password(
            kdcFlags, NULL, NULL, NULL, password, krb5->ccache, 
&krb5->credentials, 0);

----- Original Message ----- 
From: "Sam Hartman" <hartmans at>
To: "Stephen Ince" <since at>
Cc: <krbdev at>; "Matthew Devine" <mdevine at>
Sent: Wednesday, November 12, 2008 9:46 AM
Subject: Re: kerberos preauthentication IIS

> Hi.  You posted this message previously.  I guess you did not get a
> response.  First, you're posting to the wrong place; krbdev at is
> for de.development discussions of MIT Kerberos.  You're not really
> talking about how to write code for Kerberos; you're more talking
> about how to use the product.  That discussion belongs on
> kerberos at
> However, I can also explain why I at least did not answer your
> question.  As far as I know, IIS does not do pre-authentication--I
> mean that in the sense that I cannot think of anything that IIS would
> be doing that would be called pre-authentication.  There is something
> Kerberos does that is called pre-authentication, but that doesn't fit
> well into your question.
> --Sam

More information about the krbdev mailing list