Hi,
I have a strange problem with cross-realm authentication.
It's a windows 2000 machine authenticating to an MIT KDC, then it accesses a computer
in a windows domain. This should be possible theoretically with ksetup, and all the
necessary steps described in the step by step kerberos interoperability document.
However, this is what happens in my environment:
1. The user is able to log in to the windows 2000 machine with his credential in MIT KDC.
The windows 2000 is configured to be a member of workgroup. However, when I examine
the setting setup using ksetup, this is what I got:
ksetup:
default realm = ADIANTO.COM (external)
ADIANTO.COM:
kdc = kerberos.adianto.com
Failed to create Kerberos key: 5 (0x5)
I'm not sure whether the last line is fatal.
2. When the user tried to access a computer in a windows domain (should be possible
due to the cross realm setup), the following error occurred:
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 594
Date: 7/29/2004
Time: 7:37:30 PM
User: N/A
Computer: TEST
Description:
A Kerberos Error Message was received:
on logon session InitializeSecurityContext
Client Time:
Server Time:
Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
Extended Error: KRB_AP_ERR_MODIFIED
Client Realm:
Client Name:
Server Realm: WINDOMAIN.COM
Server Name: krbtgt/WINDOMAIN.COM
Target Name: HOST/[EMAIL PROTECTED]
Error Text:
File:
Line:
Error Data is in record data.
Win2kServer is the computer that Test tried to access; it belongs to WINDOMAIN, which is
a windows domain.
My guess is that the Failed to generate key caused the KRB_AP_ERR_MODIFIED...
but I can't confirm it...
I'm not sure what caused it to fail to generate the key...
I've followed the steps in the step by step kerberos interoperability document
carefully...
Any clue?
regards,
lara
------------------------------------------------------------------------------------
Life, you see, is never as good nor as bad as one thinks
- Guy de Maupassant -
------------------------------------------------------------------------------------
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos