Kerberos Authentication with W2K ADS
John Waller
2004-10-20 16:19:53 UTC
I am trying to get Kerberos auth working with a Windows Active
Directory server. kinit works fine for getting tickets for a user, but
I am unable to login locally using krb5 auth in the login.conf. klist
shows:
krbtgt/***@DOMAIN.COM as the principal

My krb5.conf is pretty much empty (everything works using DNS).
[logging]
default=FILE:/var/log/krb5.log
[libdefaults]
krb4_get_tickets = FALSE
default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc

If I issue `kinit -k` I get:
kinit: krb5_get_init_creds: Additional pre-authentication required

When I try to login, I get nothing in the authlog. If I give a bad
password, I get (in the authlog):
krb5-or-pwd: verify: Preauthentication failed

I have exported the keytab from the w2k machine using instructions
found on Microsoft's site.
The service? name is host, which from what I've read is all I need:
Vno Type Principal
1 des-cbc-crc host/***@DOMAIN.COM

Do I need another service principal in the keytab? I think that
perhaps the problem stems from `kinit -k` failing?

I have found a few references to the same problem, but none have
resolutions. Maybe I am exporting the keytab entries wrong from the
w2k server?

Everything resolves correctly through DNS, but my hosts file gives the
IP address for machine.domain.com as 127.0.0.1. tcpdump shows
communication between the server and client.

Unfortunately, even though I enabled Kerberos logging on the w2k
server, nothing shows in the logs.

Thanks for your help,
--
John Waller
***@gmail.com
John Waller
2004-10-26 15:14:25 UTC
I looked through the info you sent; however, I think my problem lies
somewhere else. I ran the packets through Ethereal and it looks like
the authentication process is working properly. The only problem is
OpenBSD will not use the ticket I've been granted to log on a user
locally (I'm not even sure that's what is supposed to happen).

Below is an analysis of the traffic between the KDC and the host.

No. Time Source Destination Protocol Info
1 0.000000 192.168.0.152 192.168.0.65 KRB5 AS-REQ

Frame 1 (202 bytes on wire, 202 bytes captured)
Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:01
Internet Protocol, Src Addr: 192.168.0.152 (192.168.0.152), Dst Addr:
192.168.0.65 (192.168.0.65)
User Datagram Protocol, Src Port: 36603 (36603), Dst Port: kerberos (88)
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
KDC_REQ_BODY
Padding: 0
KDCOptions: 00000000
Client Name (Principal): jsmith
Name-type: Principal (1)
Name: jsmith
Realm: REALM.COM
Server Name (Principal): krbtgt REALM.COM
till: 2004-10-27 00:54:04 (Z)
Nonce: 3750450790
Encryption Types: des-cbc-crc
Encryption type: des-cbc-crc (1)
HostAddresses: 192.168.0.152
HostAddress 192.168.0.152
Addr-type: IPv4 (2)
IP Address: 192.168.0.152 (192.168.0.152)

No. Time Source Destination Protocol Info
2 0.002396 192.168.0.65 192.168.0.152 KRB5
KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED

Frame 2 (216 bytes on wire, 216 bytes captured)
Ethernet II, Src: 00:00:00:00:00:01, Dst: 00:00:00:00:00:00
Internet Protocol, Src Addr: 192.168.0.65 (192.168.0.65), Dst Addr:
192.168.0.152 (192.168.0.152)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 36603 (36603)
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
stime: 2004-10-26 14:53:53 (Z)
susec: 541995
error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
Realm: REALM.COM
Server Name (Service and Instance): krbtgt REALM.COM
e-data
padata: PA-ENCTYPE-INFO PA-ENC-TIMESTAMP PA-PK-AS-REP

No. Time Source Destination Protocol Info
3 0.006327 192.168.0.152 192.168.0.65 KRB5 AS-REQ

Frame 3 (268 bytes on wire, 268 bytes captured)
Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:01
Internet Protocol, Src Addr: 192.168.0.152 (192.168.0.152), Dst Addr:
192.168.0.65 (192.168.0.65)
User Datagram Protocol, Src Port: 41575 (41575), Dst Port: kerberos (88)
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
padata: PA-ENC-TIMESTAMP
KDC_REQ_BODY
Padding: 0
KDCOptions: 00000000
Client Name (Principal): jsmith
Name-type: Principal (1)
Name: jsmith
Realm: REALM.COM
Server Name (Principal): krbtgt REALM.COM
till: 2004-10-27 00:54:04 (Z)
Nonce: 3750450790
Encryption Types: des-cbc-crc
Encryption type: des-cbc-crc (1)
HostAddresses: 192.168.0.152
HostAddress 192.168.0.152
Addr-type: IPv4 (2)
IP Address: 192.168.0.152 (192.168.0.152)

No. Time Source Destination Protocol Info
4 0.010487 192.168.0.65 192.168.0.152 KRB5 AS-REP

Frame 4 (1291 bytes on wire, 1291 bytes captured)
Ethernet II, Src: 00:00:00:00:00:01, Dst: 00:00:00:00:00:00
Internet Protocol, Src Addr: 192.168.0.65 (192.168.0.65), Dst Addr:
192.168.0.152 (192.168.0.152)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 41575 (41575)
Kerberos AS-REP
Pvno: 5
MSG Type: AS-REP (11)
padata: PA-PW-SALT
Client Realm: REALM.COM
Client Name (Principal): jsmith
Name-type: Principal (1)
Name: jsmith
Ticket
Tkt-vno: 5
Realm: REALM.COM
Server Name (Principal): krbtgt REALM.COM
enc-part des-cbc-crc
enc-part des-cbc-crc

No. Time Source Destination Protocol Info
5 0.016320 192.168.0.152 192.168.0.65 KRB5 TGS-REQ

Frame 5 (1283 bytes on wire, 1283 bytes captured)
Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:01
Internet Protocol, Src Addr: 192.168.0.152 (192.168.0.152), Dst Addr:
192.168.0.65 (192.168.0.65)
User Datagram Protocol, Src Port: 29665 (29665), Dst Port: kerberos (88)
Kerberos TGS-REQ
Pvno: 5
MSG Type: TGS-REQ (12)
padata: PA-TGS-REQ
KDC_REQ_BODY
Padding: 0
KDCOptions: 00000000
Realm: REALM.COM
Server Name (Principal): host theos.realm.com
till: 1970-01-01 00:00:00 (Z)
Nonce: 1346486156
Encryption Types: des-cbc-crc
Encryption type: des-cbc-crc (1)
HostAddresses: 192.168.0.152
HostAddress 192.168.0.152
Addr-type: IPv4 (2)
IP Address: 192.168.0.152 (192.168.0.152)

No. Time Source Destination Protocol Info
6 0.019673 192.168.0.65 192.168.0.152 KRB5 TGS-REP

Frame 6 (1218 bytes on wire, 1218 bytes captured)
Ethernet II, Src: 00:00:00:00:00:01, Dst: 00:00:00:00:00:00
Internet Protocol, Src Addr: 192.168.0.65 (192.168.0.65), Dst Addr:
192.168.0.152 (192.168.0.152)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 29665 (29665)
Kerberos TGS-REP
Pvno: 5
MSG Type: TGS-REP (13)
Client Realm: REALM.COM
Client Name (Principal): jsmith
Name-type: Principal (1)
Name: jsmith
Ticket
Tkt-vno: 5
Realm: REALM.COM
Server Name (Principal): host theos.realm.com
enc-part des-cbc-crc
enc-part des-cbc-crc
Hi,
dunno if it'll help, but I did some similar successful testing with
NetBSD's K5 vs. MS AD;
see here: http://mail-index.netbsd.org/tech-net/2001/01/
Pete
--
John Waller
***@gmail.com
John Waller
2004-10-26 16:45:10 UTC
Sorry about the confusion, they do match; I just changed the names to
protect the innocent.

here is the `ktutil list` (revised):

Vno Type Principal
On Tue, 26 Oct 2004 10:14:25 -0500
Post by John Waller
Below is an analysis of the traffic between the KDC and the host.
[cut]
Post by John Waller
Frame 5 (1283 bytes on wire, 1283 bytes captured)
Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:01
192.168.0.65 (192.168.0.65)
User Datagram Protocol, Src Port: 29665 (29665), Dst Port: kerberos
(88) Kerberos TGS-REQ
Pvno: 5
MSG Type: TGS-REQ (12)
padata: PA-TGS-REQ
KDC_REQ_BODY
Padding: 0
KDCOptions: 00000000
Realm: REALM.COM
Server Name (Principal): host theos.realm.com
Here you ask for a ticket for host/theos.realm.com and in the next
Post by John Waller
Post by John Waller
I have exported the keytab from the w2k machine using instructions
found on microsoft's site.
Vno Type Principal
Those names should match.
--
Björn Sandell DCE/DFS Sysadmin IT department
Chalmers University of Technology www.dce.chalmers.se
--
John Waller
***@gmail.com
Björn Sandell
2004-10-27 11:15:29 UTC
On Tue, 26 Oct 2004 11:45:10 -0500
Post by John Waller
sorry about the confusion, they do match, i just changed the names to
protect the innocent.
Vno Type Principal
So does 'sudo kinit -k host/***@REALM.COM' work or not?
--
Björn Sandell DCE/DFS Sysadmin IT department
Chalmers University of Technology www.dce.chalmers.se
scott rankin
2004-10-28 15:47:42 UTC
Post by Björn Sandell
On Tue, 26 Oct 2004 11:45:10 -0500
Post by John Waller
sorry about the confusion, they do match, i just changed the names to
protect the innocent.
Vno Type Principal
--
[trim sig]
Hello,

I am struggling with the same setup (I have OpenBSD 3.6-current
(GENERIC)) although my ADS is Win2003 and I am seeing very similar
failure. My realm is MYDOMAIN.COM.

When I try the above command for my host (named loogey) and REALM I receive,
kinit: krb5_get_init_creds: Client
(host/***@MYDOMAIN.COM) unknown

I also tried just,
$ sudo kinit -k host/***@MYDOMAIN.COM

and I receive the same Client unknown error.

I have tried modifying the default authentication type in
/etc/login.conf to either krb5 or krb5-or-pwd and typically I only see
something like (in /var/log/authlog):
Oct 27 17:46:21 loogey krb5-or-pwd: verify: Server not found in
Kerberos database

if I try a login as ***@MYDOMAIN.COM:

login: ***@MYDOMAIN.COM
Password:

If I try using just scott and my local password I see,
Oct 27 17:46:21 loogey krb5-or-pwd: verify: Preauthentication failed

You mentioned needing to pull a keytab down from the AD KDC. Is this
really necessary for user authentication at login?

Did you add the OpenBSD as a computer in your AD domain?

I have some questions about the commandline syntax of that ktpass
utility of Microsoft's and what exactly you used? I have read their
online documentation (filled with a number of errors and incorrect
statements) and it hasn't gotten me any closer.

1. Is it true that the /princ is just ***@REALM.COM (literally the
word 'host')?

I tried host, my host's FQDN loogey.mydomain.com and just loogey
(which is what my box spits out when I run hostname) as well.

2. What about the /mapuser argument? I tried my AD user account
(***@MYDOMAIN.COM) because I couldn't get it to take the hostname
***@MYDOMAIN.COM or ***@MYDOMAIN.COM. Perhaps I
needed to use the host/***@MYDOMAIN.COM syntax?

3. Did you take the default for /ptype (KRB5_NT_PRINCIPAL)? Or did you
specify /ptype KRB5_NT_SRV_HST?

4. On your OpenBSD box, how did you copy your keytab into your existing
keytab file? Did you use ktutil or kadmin? I just used:
$ sudo ktutil copy loogey.keytab /etc/kerberosV/krb5.keytab

to add the keytabs, and:
$ sudo ktutil -v list

to show them.


On the OpenBSD side does anyone know if the password prompt is
supposed to change from 'Password' to the ***@MYDOMAIN.COM's
Password: I get from kinit?

Like I said above the only change I made to /etc/login.conf is:
-auth-defaults:auth=passwd:
+auth-defaults:auth=krb5-or-pwd:

I have also experimented with modifying the auth under the default: class like,
- :tc=auth-defaults:\
+ :auth=krb5-or-pwd:\

My /etc/kerberosV/krb5.conf has,
[libdefaults]
# Set the realm of this host here
default_realm = MYDOMAIN.COM

# Maximum allowed time difference between KDC and this host
clockskew = 300

# Uncomment this if you run NAT on the client side of kauth.
# This may be considered a security issue though.
# no-addresses = yes

default_etypes = des-cbc-crc
default_etypes_des = des-cbc-crc
[realms]
MYDOMAIN.COM = {
# Specify KDC here
kdc = win2kc3.mydomain.com

# Administration server, used for creating users etc.
admin_server = win2kc3.mydomain.com
}


# This section describes how to figure out a realm given a DNS name
[domain_realm]
loogey = MYDOMAIN.COM
loogey.mydomain.com = MYDOMAIN.COM
win2kc3.mydomain.com = MYDOMAIN.COM


[logging]
default = SYSLOG:VERBOSE:USER


I am very eager to get this working any suggestions greatly appreciated.

cheers,
scott rankin
John Waller
2004-10-28 16:13:28 UTC
I finally got mine to work properly. Your krb5.conf looks good, and to
get the host principal in your keytab, follow the instructions here:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EFAA

You create a user in AD with the username of "loogey" (set "can't
change password" and "password never expires"). REMEMBER THE PASSWORD!

export your keytab:

C:\> ktpass -princ host/***@MYDOMAIN.COM -mapuser loogey -pass * -out loogey.keytab

(The * character just means to prompt for password)

I just copied the created keytab file from the windows box to
/etc/krb5.keytab and it worked fine

I will be creating a HOWTO as soon as I get a chance.

John
--
John Waller
***@gmail.com
scott rankin
2004-10-28 23:43:29 UTC
John,
Thanks for your reply.
Post by John Waller
I finally got mine to work properly. Your krb5.conf looks good and to
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/kerbstep.mspx#EFAA
you create a user in AD with the username of "loogey" (set "can't
change password" and "password never expires") REMEMBER THE PASSWORD!
-pass * out loogey.keytab
I tried both:
ktpass -princ host/***@MYDOMAIN.COM -mapuser loogey
-pass * -out loogey.keytab

and,
ktpass -princ host/***@MYDOMAIN.COM -mapuser loogey -pass * -out
loogey2.keytab

just in case.
Post by John Waller
(The * character just means to prompt for password)
I just copied the created keytab file from the windows box to
/etc/krb5.keytab and it worked fine
I used:
$ sudo ktutil -v copy loogey.keytab /etc/kerberosV/krb5.keytab
$ sudo ktutil -v copy loogey2.keytab /etc/kerberosV/krb5.keytab

to copy up the keytabs. I did them one at a time.
Post by John Waller
I will be creating a HOWTO as soon as i get a chance
That is definitely needed. The documentation about this process is
spread wide and thin.
I still cannot get it to work. But the error in /var/log/authlog is
now "krb5-or-pwd: verify: Key table entry not found"

Any thoughts? I googled this and didn't find too much worthwhile...


This command,
$ sudo kinit -k host/***@MYDOMAIN.COM

no longer reports an error though.

So when you login at the console, do you login with your 'user' or
'***@REALM' ?

What about the password prompt? Does it change to what you get with kinit?
cheers,
scott

[trim forwards]
John Waller
2004-10-29 14:23:07 UTC
Scott, what does `hostname` spit out? It looks like everything is
right, and it seems that "key table entry not found" may be related to
a DNS lookup failure.

Make sure that you can resolve the FQDN of loogey from your ADC and
that loogey knows its domain name and can resolve the ADC.

If I were you, I would just use the FQDN keytab, for I think that is
the only way to interoperate with windows (I'm not entirely sure about
this statement though).

If your DNS investigation turns up no inconsistencies, dump the traffic
to/from your ADS box with tcpdump(8) and then run it through an
analyzer like Ethereal.

# tcpdump -s 10240 -Xti fxp0 -w krb5cap.dump port 88 or port 53

Move the file to a box with Ethereal and look where the errors are.

The above will get you DNS queries and Kerberos communication for diagnostics.
--
John Waller
***@gmail.com
scott rankin
2004-10-29 23:21:10 UTC
John,
Thanks for the reply.
Post by John Waller
Scott, what does `hostname` spit out? It looks like everything is
right and it seems that "key table entry not found" may be related to
a dns lookup failure.
hostname spits out my fully qualified domain name (loogey.mydomain.com).
Post by John Waller
Make sure that you can resolve the FQDN of loogey from your ADC and
loogey knows it's domain name and can resolv the ADC.
ADC could ping loogey.mydomain.com by name.
Post by John Waller
If I were you, I would just use the FQDN keytab, for I think that is
the only way to interoperate with windows (I'm not entirely sure about
this statement though).
I initially put both in my keytab.
Post by John Waller
If you dns investigation turns up no inconsistencies, dump the traffic
to/from your ADS box with tcpdump(8) and then run it through an
analyzer like ethereal.
#tcpdump -s 10240 -Xti fxp0 -w krb5cap.dump port 88 or port 53
move the file to a box with ethereal and look where the errors are.
the above will get you dns queries and kerberos communication for diagnostics
My interface is xl0 but this was by far the best way to troubleshoot!
I can't believe I didn't think about this before.

So first I noticed that my client would send an AS_REQ (without
pre-authentication) and get an error back from the KDC stating that
pre-auth was required.

Then the client would send a TGS_REQ and get back a TGS_REP with the
host/loogey.mydomain.com service ticket.

I drilled down and noticed that even though I had specifically used
the -crypto DES-CBC-CRC argument with ktpass on the windoze drone when
creating the keytab, the encryption type for this service ticket
was des-cbc-md5. Hmm.

So I went back to the ADC. Deleted and recreated the loogey user
account. Regenerated another host/loogey.mydomain.com keytab with
des-cbc-md5 and copied it over to my OpenBSD box.

I tried again and this time the packet trace revealed a kerberos error
30 which I couldn't find defined anywhere.

So, I added des-cbc-md5 (I had previously read to only have
des-cbc-crc) to the default_etypes and default_etypes_des for my
default realm in krb5.conf and tried again and boom! I'm in!

w00t!

Thanks for all your help and suggestions.

cheers,
scott

[trim forwards]
scott rankin
2004-10-30 00:35:02 UTC
Just for the record, I was slightly incorrect in my initial response.

On Fri, 29 Oct 2004 16:21:10 -0700, scott rankin <***@gmail.com> wrote:
[trim]
Post by scott rankin
So first I noticed that my client would send an AS_REQ (without
pre-authentication) and get an error back from the KDC stating that
pre-auth was required.
After this the client would send an AS_REQ with the proper
pre-authentication and then receive an AS_REP with the tgt for my
user. The rest followed correctly.
Post by scott rankin
Then the client would send a TGS_REQ and get back a TGS_REP with the
host/loogey.mydomain.com service ticket.
[trim rest]

cheers,
scott
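The two things the thread ends up checking by hand can be checked mechanically: the exchange shape (AS-REQ, KRB-ERROR 25 asking for preauth, AS-REQ with PA-ENC-TIMESTAMP, AS-REP, TGS-REQ, TGS-REP) that John and Scott read out of the Ethereal dumps, and the mismatch Scott finally found, a service ticket issued with des-cbc-md5 while the keytab only held a des-cbc-crc key for host/loogey.mydomain.com, which the host reported as "Key table entry not found". The following is an added example, not code from the thread or from Heimdal: it parses a keytab in the 0x0502 layout that ktpass writes and ktutil reads, walks a per-packet summary like the Ethereal output, and reports which stage would fail. The principal host/loogey.mydomain.com@MYDOMAIN.COM is the thread's; the keytab bytes, key material, frame list and the diagnose() helper are constructed here for the demo.

```python
"""Added example, not code from the thread: parse a Kerberos keytab, walk a
per-packet summary of a Kerberos exchange like the Ethereal dump above, and
say why the host would reject the service ticket.  Keytab layout is the
0x0502 format that ktpass writes and ktutil reads; keytab bytes, keys and
the frame list below are constructed for the demo."""
import struct

ETYPE = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "arcfour-hmac-md5"}
KRB_NT_PRINCIPAL = 1
KDC_ERR_PREAUTH_REQUIRED = 25


def _cstr(raw):
    """counted_octet_string: big-endian uint16 length followed by the bytes."""
    return struct.pack(">H", len(raw)) + raw


def build_keytab(entries):
    """Serialise (principal, kvno, etype, key) tuples as a version-2 keytab."""
    out = b"\x05\x02"
    for principal, kvno, etype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        for comp in comps:
            body += _cstr(comp.encode())
        # name_type, timestamp (0 in this demo), 8-bit kvno, then the keyblock
        body += struct.pack(">IIB", KRB_NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", etype) + _cstr(key)
        body += struct.pack(">I", kvno)              # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return [{principal, kvno, etype, key}] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                   # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []                   # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, _stamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos)
        key = data[pos + 4:pos + 4 + klen]
        pos += 4 + klen
        if end - pos >= 4:             # full kvno follows the keyblock
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "kvno": kvno, "etype": etype, "key": key})
    return entries


def diagnose(frames, keytab_bytes):
    """frames: dicts in capture order with msg and, where the packet has them,
    error / sname / etype, i.e. what the Ethereal summary shows per packet."""
    got_tgt, ticket = False, None
    for f in frames:
        if f["msg"] == "KRB-ERROR":
            if f["error"] == KDC_ERR_PREAUTH_REQUIRED and not got_tgt:
                continue               # expected: KDC asks for PA-ENC-TIMESTAMP
            return "KDC error %d before %s" % (f["error"], "TGS-REP" if got_tgt else "AS-REP")
        if f["msg"] == "AS-REP":
            got_tgt = True
        if f["msg"] == "TGS-REP":
            ticket = f
    if not got_tgt:
        return "no TGT: preauthentication never succeeded"
    if ticket is None:
        return "no service ticket in trace"
    by_name = [e for e in parse_keytab(keytab_bytes) if e["principal"] == ticket["sname"]]
    if not by_name:
        return "no keytab entry for %s" % ticket["sname"]
    if not any(e["etype"] == ticket["etype"] for e in by_name):
        have = ", ".join(sorted(ETYPE.get(e["etype"], str(e["etype"])) for e in by_name))
        want = ETYPE.get(ticket["etype"], str(ticket["etype"]))
        return "enctype mismatch: ticket %s, keytab %s" % (want, have)
    return "ok: %s decryptable with keytab entry" % ticket["sname"]


SPN = "host/loogey.mydomain.com@MYDOMAIN.COM"
# Constructed frame list mirroring the thread's trace: preauth round trip,
# TGT, then a des-cbc-md5 service ticket.
FRAMES = [{"msg": "AS-REQ"}, {"msg": "KRB-ERROR", "error": 25},
          {"msg": "AS-REQ", "padata": "PA-ENC-TIMESTAMP"}, {"msg": "AS-REP"},
          {"msg": "TGS-REQ", "sname": SPN}, {"msg": "TGS-REP", "sname": SPN, "etype": 3}]
KEYTAB_CRC = build_keytab([(SPN, 1, 1, b"\x11" * 8)])   # ktpass -crypto DES-CBC-CRC
KEYTAB_MD5 = build_keytab([(SPN, 1, 3, b"\x22" * 8)])   # regenerated with DES-CBC-MD5

if __name__ == "__main__":
    print(diagnose(FRAMES, KEYTAB_CRC))   # enctype mismatch: ticket des-cbc-md5, keytab des-cbc-crc
    print(diagnose(FRAMES, KEYTAB_MD5))   # ok: host/loogey.mydomain.com@MYDOMAIN.COM decryptable with keytab entry
```

On a real host, feed parse_keytab() the bytes of /etc/kerberosV/krb5.keytab and fill the frame list from the TGS-REP's sname and enc-part etype in the capture; the by-name-then-by-etype lookup is the same order in which the login helper fails, so "no keytab entry" corresponds to the "Server not found" stage and the etype branch to "Key table entry not found". Note that single-DES enctypes such as des-cbc-crc and des-cbc-md5 are disabled by default in current Active Directory and Kerberos libraries; the enctype names here are those of the 2004 setup.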
