kerberos preauthentication IIS

Henry B. Hotz hotz at jpl.nasa.gov
Thu Nov 13 14:12:44 EST 2008


I'll second what Sam says:

1)  You should get better information from kerberos at mit.edu.

2)  The "solution" you show is a bad idea, though it does suggest some 
areas where the real problem may be.

Most likely you have a problem with Windows setup interactions.  This 
list is for MIT Kerberos, not Microsoft Kerberos issues.

I will suggest one hint for you to consider:  the /TrustEncryp option on 
the ktpass command.  I don't do much Windows, though, so I may be way 
off base.  I also can't help with any more details.

krbdev-request at mit.edu wrote:
> Date: Wed, 12 Nov 2008 18:28:41 -0500
> From: "Stephen Ince" <since at opendemand.com>
> Subject: Re: kerberos preauthentication IIS
> To: "Sam Hartman" <hartmans at mit.edu>
> Cc: krbdev at mit.edu
> Message-ID: <02e701c9451e$65f65e30$6e00a8c0 at desktop2>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>         reply-type=original
> 
> I figured it out. Here is the solution.
> krb5.ini
> [libdefaults]
>         default_tgs_enctypes = des-cbc-crc
>         default_tkt_enctypes = des-cbc-crc
> 
> code
> ------------------------------------------------------------
> krb5_preauthtype PREAUTH_LIST[] = {KRB5_PADATA_ENC_TIMESTAMP,0};
> :
>     err = krb5_get_in_tkt_with_password(
>         krb5->context,
>         kdcFlags, NULL, NULL, PREAUTH_LIST, password, krb5->ccache,
>         &krb5->credentials, 0);
> 
>     /* if we failed try one more time w/o preauthentication */
>     if(err){
>         err = krb5_get_in_tkt_with_password(
>             krb5->context,
>             kdcFlags, NULL, NULL, NULL, password, krb5->ccache,
>             &krb5->credentials, 0);
>     }
> 
> ----- Original Message -----
> From: "Sam Hartman" <hartmans at mit.edu>
> To: "Stephen Ince" <since at opendemand.com>
> Cc: <krbdev at mit.edu>; "Matthew Devine" <mdevine at opendemand.com>
> Sent: Wednesday, November 12, 2008 9:46 AM
> Subject: Re: kerberos preauthentication IIS
> 
> 
>> Hi.  You posted this message previously.  I guess you did not get a
>> response.  First, you're posting to the wrong place; krbdev at mit.edu is
>> for development discussions of MIT Kerberos.  You're not really
>> talking about how to write code for Kerberos; you're more talking
>> about how to use the product.  That discussion belongs on
>> kerberos at mit.edu.
>>
>> However, I can also explain why I at least did not answer your
>> question.  As far as I know, IIS does not do pre-authentication--I
>> mean that in the sense that I cannot think of anything that IIS would
>> be doing that would be called pre-authentication.  There is something
>> Kerberos does that is called pre-authentication, but that doesn't fit
>> well into your question.
>>
>> --Sam

-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
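
Added example (not part of the original message, and not MIT Kerberos code): a small Python check that flags single-DES enctypes, such as the des-cbc-crc values in the quoted krb5.ini, in the [libdefaults] enctype settings. Single DES is deprecated for Kerberos by RFC 6649; the function name and the AES-only sample are assumptions made for illustration.

```python
import re

# Single-DES enctype names, including the MIT "des" family alias
# (single DES is deprecated for Kerberos by RFC 6649).
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des"}
ENCTYPE_KEYS = {"default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes"}


def find_single_des(profile_text):
    """Return (line_no, key, [weak enctypes]) for each [libdefaults] enctype
    setting that lists a single-DES enctype. Hypothetical helper name."""
    findings = []
    section = None
    for line_no, raw in enumerate(profile_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:                               # new section starts here
            section = header.group(1).strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in ENCTYPE_KEYS:
            continue
        # Enctype lists may be separated by whitespace or commas.
        enctypes = [e.lower() for e in re.split(r"[,\s]+", value) if e]
        weak = [e for e in enctypes if e in SINGLE_DES]
        if weak:
            findings.append((line_no, key, weak))
    return findings


# Constructed samples: the quoted krb5.ini fragment and an AES-only variant.
QUOTED_INI = """\
[libdefaults]
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc
"""
AES_ONLY_INI = """\
[libdefaults]
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
        default_tkt_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    for line_no, key, weak in find_single_des(QUOTED_INI):
        print(f"line {line_no}: {key} lists single-DES enctype(s): {', '.join(weak)}")
```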


