[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Preauthentication failed

To: heimdal-discuss@sics.se
Subject: Re: Preauthentication failed
From: Florian Erfurth <floh-erfurth@arcor.de>
Date: Mon, 11 Jun 2007 14:23:26 +0200
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <f2c7lj$47d$1@sea.gmane.org> <20070515121828.f8249759.mba2000@ioplex.com> <f2l6so$ke1$1@sea.gmane.org> <f2ldci$6rb$1@sea.gmane.org> <f2v5cs$apf$2@sea.gmane.org> <f2vj92$3cf$1@sea.gmane.org> <f345rq$hp3$1@sea.gmane.org> <20070524110805.d9f8afc5.mba2000@ioplex.com>
Reply-To: heimdal-discuss@sics.se, Florian Erfurth <floh-erfurth@arcor.de>
Sender: news <news@sea.gmane.org>
User-Agent: KNode/0.10.4

Hi, sorry for taking long to answer.

Michael B Allen wrote:

> On Thu, 24 May 2007 15:52:40 +0200
> Florian Erfurth <floh-erfurth@arcor.de> wrote:
> 
>> Markus Moeller wrote:
>> 
>> > As I said in a previous mail DES might have a problem with salt values
>> > which don't exist when using RC4. Also RC4 is a stringer encryption and
>> > should be
>> > prefered over DES.  The new ktpass have a -crypto : RC4-HMAC-NT option
>> > which is the default.
>> Ah, thank you. Unfortunatelly there is no -crypto : RC4-HMAC-NT. It seems
>> that we don't have the newest version of ktpass. Now I have to find out
>> how to upgrade ktpass without upgrading to Win2k3 SP2 R2.
> 
> The latest ktpass.exe is in the 'Windows Server Support Tools'
> package. You can download it from MS' website.
After installing the latest ktpass.exe the webserver successfully got the
kerberos-ticket (with -crypto DES-CBC-MD5 and computeraccount). :)

> Also, regarding your other question, create a Computer account and use
> RC4. You can also use a User account provided that your policy allows
> you to set the 'Password does not expire' flag.
Now I did try with -crypto RC4-HMAC-NT and then try with kinit... I get
following error:
kinit: krb4_get_init_creds: Additional pre-authentication required

Why? Can I keep DES-CBC-MD5, or should I better switch to RC4-HMAC-NT
because some of you told the second ones is more secure.

> Mike
Thank you very much! :)

cu Floh

Follow-Ups:
- Re: Preauthentication failed
  - From: Michael B Allen <mba2000@ioplex.com>

Prev by Date: Re: Changing signature algorithm
Next by Date: failed to find HTTP/bsdfloh.domain.tld@DOMAIN.TLD(kvno 9) in keytab /usr/local/etc/apache2/bsdflohkeytab
Prev by thread: Re: Changing signature algorithm
Next by thread: Re: Preauthentication failed
Index(es):
- Date
- Thread