AcceptSecurityContext (SSPI) fails with SEC_E_LOGON_DENIED and a GSS-API Linux client

Matthew M. DeLoera mdeloera at
Wed Jun 24 12:02:37 EDT 2009

I apologize if this isn't appropriate for this list, but hopefully 
someone will see something silly that I shouldn't do, or need to do! 
I've searched but haven't seemed to find the answer I need.

I'm running MIT KRB5 (krb5-kdc, kadmin) on an Ubuntu box, and using it 
for my kdc and my test client. I'm running Windows XP SP2 (DNS name for my test server.

I created 2 Windows users - kerbsvr (pw 54321) and kerbclt (pw 12345) - 
and configured XP to authenticate to my KDC with Microsoft's ksetup:

ksetup /setrealm EXACQLINUX.ORG
ksetup /addkdc EXACQLINUX.ORG
ksetup /setcomputerpassword machpw
ksetup /addkpasswd
ksetup /mapuser kerbsvr@EXACQLINUX.ORG kerbsvr
ksetup /mapuser kerbclt@EXACQLINUX.ORG kerbclt

I added to my Windows hosts file.

I created kerbsvr@EXACQLINUX.ORG (pw ks1234), kerbclt@EXACQLINUX.ORG (pw 
kc1234), and host/ at EXACQLINUX.ORG (pw machpw) on 
the kdc. The 2 user passwords are intentionally different between 
Windows and the kdc to prove things to myself. I added to the kdc's /etc/hosts.

I rebooted XP and successfully logged in with kerbsvr/ks1234 to my 
EXACQLINUX.ORG realm (in the dropdown). I traced in Linux with 
Wireshark. The kdc rejects the first AS-REQ with 
material succeeds, and then there's a successful TGS-REQ/TGS-REP. 
Everything looks nominally good from the kdc's end. In Wireshark, I see 
the expected kerbsvr and host/ principals.


- Start my test server in Windows (AcquireCredentialsHandle with NULL, 
to use cached credentials).
- In Linux, I successfully kinit kerbclt@EXACQLINUX.ORG then start my 
test client and Wireshark. The client successfully calls gss_import_name 
with kerbclt@EXACQLINUX.ORG and gss_acquire_cred.
- The client successfully calls gss_import_name with 
host at and then gss_init_sec_context, and sends the 
token to my test server.
- The server calls AcceptSecurityContext with the token, and fails with 

Any suggestions? Since I was able to log into Windows as kerbsvr, then 
I'd think Windows and my kdc must be configured correctly. I 
successfully kinit'd on Linux, so the principals should all be fine.

I apologize if this is more of an SSPI question, but I was hoping some 
of you have done some interoperability testing and perhaps have 
encountered this same situation.

- Matthew DeLoera
