Re: failed to create kerberos key: 5

I think I need to provide more information about my setup:
- I used the UMICH patch for cross-realm auth; I can see from the log file that the cross-realm ticket is issued by the MIT realm
- The krbtgt/adianto.com@windomain.com and krbtgt/windomain.com@adianto.com keys are des-cbc-crc32
- The TGT on the Windows client:

Cached TGT:
ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: lara
DomainName: ADIANTO.COM
TargetDomainName: ADIANTO.COM
AltTargetDomainName: ADIANTO.COM
TicketFlags: 0x40c00000
KeyExpirationTime: 1/1/1601 8:00:00
StartTime: 7/29/2004 19:32:15
EndTime: 7/30/2004 19:32:15
RenewUntil: 7/29/2004 19:32:15
TimeSkew: 1/1/1601 8:00:00
 
- The tickets:

Cached Tickets: (2)
   Server: krbtgt/ADIANTO.COM@ADIANTO.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 7/30/2004 19:32:15
      Renew Time: 7/29/2004 19:32:15

   Server: host/test.adianto.com@ADIANTO.COM
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
      End Time: 7/30/2004 19:32:15
      Renew Time: 7/29/2004 19:32:15

regards,
lara
 

Lara Adianto <m1r4cle_26@yahoo.com> wrote:
Hi,
 
I have a strange problem with cross-realm authentication.
It's a Windows 2000 machine authenticating to an MIT KDC, then it accesses a computer in a Windows domain. This should be possible theoretically with ksetup and all the necessary steps described in the step-by-step Kerberos interoperability document.
 
However, this is what happens in my environment:
1. The user is able to log in to the Windows 2000 machine with his credentials in the MIT KDC. The Windows 2000 machine is configured to be a member of a workgroup. However, when I examine the settings using ksetup, this is what I get:
ksetup:
default realm = ADIANTO.COM (external)
ADIANTO.COM:
 kdc = kerberos.adianto.com
Failed to create Kerberos key: 5 (0x5)
 
I'm not sure whether the last line is fatal.
 
2. When the user tried to access a computer in a Windows domain (should be possible due to the cross-realm setup), the following error occurred:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date:  7/29/2004
Time:  7:37:30 PM
User:  N/A
Computer: TEST
Description:
A Kerberos Error Message was received:
         on logon session InitializeSecurityContext
 Client Time: 
 Server Time: 
 Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
 Extended Error: KRB_AP_ERR_MODIFIED
 Client Realm: 
 Client Name: 
 Server Realm: WINDOMAIN.COM
 Server Name: krbtgt/WINDOMAIN.COM
 Target Name: HOST/Win2kServer@WINDOMAIN.COM
 Error Text: 
 File: 
 Line: 
 Error Data is in record data. 

Win2kServer is the computer that Test tried to access; it belongs to WINDOMAIN, which is a Windows domain.
 
My guess is that the "Failed to create Kerberos key" error caused the KRB_AP_ERR_MODIFIED...
but I can't confirm it...
I'm not sure what caused it to fail to generate the key...
 
I've followed the steps in the step-by-step Kerberos interoperability document carefully...
 
Any clue?
 
regards,
lara


------------------------------------------------------------------------------------ 
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

m1r4cle_26 (40)
7/29/2004 12:13:44 PM