
Re: Preauthentication failed



On Mon, 11 Jun 2007 14:23:26 +0200
Florian Erfurth <floh-erfurth@arcor.de> wrote:

> Hi, sorry for taking long to answer.
> 
> Michael B Allen wrote:
> 
> > On Thu, 24 May 2007 15:52:40 +0200
> > Florian Erfurth <floh-erfurth@arcor.de> wrote:
> > 
> >> Markus Moeller wrote:
> >> 
> >> > As I said in a previous mail DES might have a problem with salt values
> >> > which don't exist when using RC4. Also RC4 is a stronger encryption and
> >> > should be preferred over DES.  The new ktpass has a -crypto : RC4-HMAC-NT
> >> > option which is the default.
> >> Ah, thank you. Unfortunately there is no -crypto : RC4-HMAC-NT. It seems
> >> that we don't have the newest version of ktpass. Now I have to find out
> >> how to upgrade ktpass without upgrading to Win2k3 SP2 R2.
> > 
> > The latest ktpass.exe is in the 'Windows Server Support Tools'
> > package. You can download it from MS' website.
> After installing the latest ktpass.exe the webserver successfully got the
> kerberos-ticket (with -crypto DES-CBC-MD5 and computeraccount). :)
> 
> > Also, regarding your other question, create a Computer account and use
> > RC4. You can also use a User account provided that your policy allows
> > you to set the 'Password does not expire' flag.
> Now I tried with -crypto RC4-HMAC-NT and then tried with kinit... I get
> the following error:
> kinit: krb4_get_init_creds: Additional pre-authentication required

Weird. Not sure why it's trying krb4 as opposed to krb5. That must be an
MIT thing. Have you tried the kinit from Heimdal? And 'pre-authentication
required' basically means the key was wrong. Provided you ran ktpass
successfully and then kinit with the generated keytab it should work.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/