kerberos preauthentication IIS

Henry B. Hotz hotz at
Thu Nov 13 14:12:44 EST 2008

I'll second what Sam says:

1)  You should get better information from kerberos at

2)  The "solution" you show is a bad idea, though it does suggest some 
areas where the real problem may be.

Most likely you have a problem with Windows setup interactions.  This 
list is for MIT Kerberos, not Microsoft Kerberos issues.

I will suggest one hint for you to consider:  the /TrustEncryp option on 
the ktpass command.  I don't do much Windows, though, so I may be way 
off base.  I also can't help with any more details.

krbdev-request at wrote:
> Date: Wed, 12 Nov 2008 18:28:41 -0500
> From: "Stephen Ince" <since at>
> Subject: Re: kerberos preauthentication IIS
> To: "Sam Hartman" <hartmans at>
> Cc: krbdev at
> Message-ID: <02e701c9451e$65f65e30$6e00a8c0 at desktop2>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
>         reply-type=original
> I figured it out. Here is the solution.
> krb5.ini
> [libdefaults]
>         default_tgs_enctypes = des-cbc-crc
>         default_tkt_enctypes = des-cbc-crc
> code
> ------------------------------------------------------------
> krb5_preauthtype PREAUTH_LIST[] = {KRB5_PADATA_ENC_TIMESTAMP,0};
> :
>     err = krb5_get_in_tkt_with_password(
>         krb5->context,
>         kdcFlags, NULL, NULL, PREAUTH_LIST, password, krb5->ccache,
>         &krb5->credentials, 0);
>     /* if we failed try one more time w/o preauthentication */
>     if(err){
>         err = krb5_get_in_tkt_with_password(
>             krb5->context,
>             kdcFlags, NULL, NULL, NULL, password, krb5->ccache,
>             &krb5->credentials, 0);
>     }
> ----- Original Message -----
> From: "Sam Hartman" <hartmans at>
> To: "Stephen Ince" <since at>
> Cc: <krbdev at>; "Matthew Devine" <mdevine at>
> Sent: Wednesday, November 12, 2008 9:46 AM
> Subject: Re: kerberos preauthentication IIS
>> Hi.  You posted this message previously.  I guess you did not get a
>> response.  First, you're posting to the wrong place; krbdev at is
>> for development discussions of MIT Kerberos.  You're not really
>> talking about how to write code for Kerberos; you're more talking
>> about how to use the product.  That discussion belongs on
>> kerberos at
>> However, I can also explain why I at least did not answer your
>> question.  As far as I know, IIS does not do pre-authentication--I
>> mean that in the sense that I cannot think of anything that IIS would
>> be doing that would be called pre-authentication.  There is something
>> Kerberos does that is called pre-authentication, but that doesn't fit
>> well into your question.
>> --Sam

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
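
The krb5.ini quoted in the message above pins both enctype lists to des-cbc-crc, a single-DES enctype that RFC 6649 deprecates. As an added example (not part of the thread and not MIT Kerberos code), the check below flags such settings in the [libdefaults] section of a krb5.conf/krb5.ini; the function name and the sample configuration are constructed for illustration.

```python
import re

# Single-DES enctype names (deprecated by RFC 6649), plus the "des" family alias.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des"}
# [libdefaults] relations that hold enctype lists.
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}


def audit_libdefaults(text):
    """Return (line_no, key, weak_enctype) findings from [libdefaults]."""
    findings = []
    section = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue  # only [libdefaults] relations are checked here
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key not in ENCTYPE_KEYS:
            continue
        # Enctype lists are separated by whitespace and/or commas.
        for token in re.split(r"[\s,]+", value.lower()):
            # "+name" adds an enctype; "-name" removes one, so it is not a finding.
            if token.lstrip("+") in WEAK_ENCTYPES:
                findings.append((line_no, key, token.lstrip("+")))
    return findings


# Constructed sample: settings like the quoted ones, plus lines that must not match.
SAMPLE = """\
[libdefaults]
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = aes256-cts-hmac-sha1-96, des-cbc-crc
        permitted_enctypes = aes256-cts-hmac-sha1-96
[realms]
        default_tkt_enctypes = des-cbc-crc
"""

if __name__ == "__main__":
    for line_no, key, enctype in audit_libdefaults(SAMPLE):
        print(f"line {line_no}: {key} includes weak enctype {enctype}")
```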
