
Re: Preauthentication failed



accounts have (in our environment) a password expiry which otherwise would 
mean exception for users with a service principal or the keytab will get 
invalid.

Look for Dan Perry's msktutil, a tool you can use on your Unix box to create
a computer account in AD and write the principal into a keytab. BTW, there
are other tools doing the same.

Regards
Markus

----- Original Message ----- 
From: "Michael B Allen" <mba2000@ioplex.com>
To: "Florian Erfurth" <floh-erfurth@arcor.de>
Cc: <heimdal-discuss@sics.se>; "Markus Moeller" <huaraz@moeller.plus.com>
Sent: Tuesday, May 22, 2007 10:05 PM
Subject: Re: Preauthentication failed


> On Tue, 22 May 2007 21:03:35 +0100
> "Markus Moeller" <huaraz@moeller.plus.com> wrote:
>
>> Florian,
>>
>> you may have hit a bug in ktpass on 2003. If I understand your command
>> right you are using a computer account BSDflohKerberos$ and not a user
>> account. If I remember right the salt is not built out of the service HTTP
>> but uses host instead. This happens only for computer accounts. Can you try
>> to map to a user account?
>
> Florian,
>
> Markus is right. DES with computer accounts has problems last I checked. I
> strongly recommend using a regular User account and RC4.
>
> Mike
>
>> ----- Original Message ----- 
>> From: "Florian Erfurth" <floh-erfurth@arcor.de>
>> To: <heimdal-discuss@sics.se>
>> Sent: Tuesday, May 22, 2007 5:13 PM
>> Subject: Re: Preauthentication failed
>>
>>
>> > Hi Michael,
>> > thank you for your quick response!
>> >
>> > Michael B Allen wrote:
>> >
>> >>> > [SNIP]
>> >> Looks like the key is wrong. Re-run ktpass.exe and copy the keytab file
>> >> over again.
>> >
>> > I did what you suggested. I still get the same error. :( Did I
>> > enter the right:
>> > C:\>ktpass -princ HTTP/BSDfloh.domain.tld@DOMAIN.TLD -mapuser
>> > domain\BSDflohKerberos$ -crypto DES-CBC-MD5 -pass longlongpassword -out 
>> > c
>> > \temp\BSDflohkeytab
>> >
>> > Question: Which password should I use for '-pass'? Do I create a new
>> > password with this command or should I use *which* password?
>> >
>> >> Mike
>> > Floh
>> >
>>
>>
>
>
> -- 
> Michael B Allen
> PHP Active Directory Kerberos SSO
> http://www.ioplex.com/
>
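
The salt mismatch described in the thread, as an added example that is not part of the original messages: it compares the RFC 4120 default salt for the HTTP principal with the "host"-based salt of the mapped computer account. Assumptions: the computer-account salt layout follows MS-KILE, the keytab key is taken to be built from the default salt as the reply describes, and PBKDF2-HMAC-SHA1 (the first step of the AES string-to-key in RFC 3962) stands in for the DES string-to-key, only to show that a different salt gives a different key. The function names and the sample password are hypothetical.

```python
import hashlib

# Enctypes whose key is derived from the password alone (no salt).
UNSALTED = {"rc4-hmac"}


def default_salt(principal):
    """RFC 4120 default salt: realm followed by the name components."""
    name, realm = principal.rsplit("@", 1)
    return realm + "".join(name.split("/"))


def ad_computer_salt(sam_account, realm):
    """Salt of an AD computer account (assumed MS-KILE layout):
    REALM + "host" + lowercased account name without "$" + "." + realm."""
    host = sam_account.rstrip("$").lower()
    return realm.upper() + "host" + host + "." + realm.lower()


def stand_in_key(password, salt):
    """Stand-in for a salted string-to-key (NOT the DES algorithm)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 16)


def keys_agree(principal, sam_account, enctype, password):
    """True if a key built from the principal's default salt equals the
    key built from the computer account's salt for this enctype."""
    if enctype.lower() in UNSALTED:
        return True  # salt plays no part, so both sides derive the same key
    realm = principal.rsplit("@", 1)[1]
    keytab_key = stand_in_key(password, default_salt(principal))
    kdc_key = stand_in_key(password, ad_computer_salt(sam_account, realm))
    return keytab_key == kdc_key


if __name__ == "__main__":
    princ = "HTTP/BSDfloh.domain.tld@DOMAIN.TLD"   # from the thread
    account = "BSDflohKerberos$"                   # from the thread
    pw = "constructed-sample-password"             # constructed value
    print("default salt :", default_salt(princ))
    print("computer salt:", ad_computer_salt(account, "DOMAIN.TLD"))
    for etype in ("des-cbc-md5", "rc4-hmac"):
        print(etype, "keys agree:", keys_agree(princ, account, etype, pw))
```
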