Lara Adianto wrote:
> 
> Hi,
> 
> I have a strange problem with cross-realm authentication.
> It's a Windows 2000 machine authenticating to an MIT KDC, then it accesses a 
> computer in a Windows domain. This should be possible theoretically with ksetup, and 
> all the necessary steps are described in the step-by-step Kerberos interoperability 
> document.
> 
> However, this is what happens in my environment:
> 1. The user is able to log in to the Windows 2000 machine with his credentials in the MIT 
> KDC. The Windows 2000 machine is configured to be a member of a workgroup. However, when I 
> examine the settings using ksetup, this is what I get:
> ksetup:
> default realm = ADIANTO.COM (external)
> ADIANTO.COM:
>  kdc = kerberos.adianto.com
> Failed to create Kerberos key: 5 (0x5)

I don't see the Failed message on my machine, which is set up similarly, but I do
have some mappings of principals to local accounts. 

> 
> I'm not sure whether the last line is fatal.

Since you were able to log in, and your next note shows you got 
a host/[EMAIL PROTECTED] ticket during login, 
the Kerberos on the W2000 box looks good. 

> 
> 2. When the user tried to access a computer in a Windows domain (should be possible 
> due to the cross-realm setup), the following error occurred:

What do you mean "tried to access a computer in a windows domain"? 

What application are you using? 

> Event Type: Error
> Event Source: Kerberos
> Event Category: None
> Event ID: 594
> Date:  7/29/2004
> Time:  7:37:30 PM
> User:  N/A
> Computer: TEST
> Description:
> A Kerberos Error Message was received:
>          on logon session InitializeSecurityContext
>  Client Time:
>  Server Time:
>  Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
>  Extended Error: KRB_AP_ERR_MODIFIED
>  Client Realm:
>  Client Name:
>  Server Realm: WINDOMAIN.COM
>  Server Name: krbtgt/WINDOMAIN.COM
>  Target Name: HOST/[EMAIL PROTECTED]
>  Error Text:
>  File:
>  Line:
>  Error Data is in record data.


Doing a google search for KRB_AP_ERR_MODIFIED shows this in one of the messages:

  The kerberos client received a KRB_AP_ERR_MODIFIED error from the server 
  COMPANY$.  This indicates that the password used to encrypt the kerberos 
  service ticket is different than that on the target server. Commonly, 
  this is due to identically named  machine accounts in the target realm 
  (COMPANY.NET), and the client realm.   Please contact your system 
  administrator.

This might also mean the cross-realm keys don't match, i.e. the user's realm
issued a TGT for the service realm, but the service realm cannot decrypt it.
Did you ever get any cross realm to work with the user in the MIT realm, and the 
service in the AD?

Did the UMich modification make any changes in this area?


> 
> Win2kServer is the computer that Test tried to access; it belongs to WINDOMAIN, which 
> is a Windows domain.
> 
> My guess is that the Failed to generate key caused the KRB_AP_ERR_MODIFIED...
> but I can't confirm it...
> I'm not sure what caused it to fail to generate the key...
> 
> I've followed the steps in the step by step kerberos interoperability document 
> carefully...
> 
> Any clue?
> 
> regards,
> lara
> 
> ------------------------------------------------------------------------------------
> Life, you see, is never as good or as bad as one thinks.
>                                                                         - Guy de Maupassant -
> ------------------------------------------------------------------------------------
> ________________________________________________
> Kerberos mailing list           [EMAIL PROTECTED]
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
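As an added example (not code from either poster), a small triage script that parses the Event ID 594 description discussed above, pulls the error code out of the misaligned "Error Code" line, and applies the two causes named in this thread: a krbtgt/ server name points at the cross-realm key, any other server name at the service's own key. The sample event is constructed after the one in the post; the target host name in it is a placeholder, not a value from the thread.

```python
import re

# Subset of Kerberos error codes (RFC 4120 section 7.5.9).
KRB_ERROR_CODES = {
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x25: "KRB_AP_ERR_SKEW",
    0x29: "KRB_AP_ERR_MODIFIED",
}

# Constructed sample modelled on the Event ID 594 entry in the post; the
# target host name is a placeholder, not a value from the thread.
EVENT_594 = """\
A Kerberos Error Message was received:
         on logon session InitializeSecurityContext
 Server Time:
 Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
 Extended Error: KRB_AP_ERR_MODIFIED
 Server Realm: WINDOMAIN.COM
 Server Name: krbtgt/WINDOMAIN.COM
 Target Name: HOST/win2kserver.windomain.com@WINDOMAIN.COM
"""

def parse_event(text):
    """Split 'Key: Value' lines into a dict. The Error Code line carries
    shifted values (times, '(null)') before the hex code, hence the regex."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    match = re.search(r"0x([0-9A-Fa-f]+)", fields.get("Error Code", ""))
    fields["error_code"] = int(match.group(1), 16) if match else None
    return fields

def triage(fields):
    """Name the error and, for KRB_AP_ERR_MODIFIED, say which key to check."""
    code = fields.get("error_code")
    name = KRB_ERROR_CODES.get(code, "UNKNOWN")
    server = fields.get("Server Name", "")
    verdict = "no triage rule for this code"
    if name == "KRB_AP_ERR_MODIFIED" and server.lower().startswith("krbtgt/"):
        # Cross-realm TGT not decryptable by the service realm: the two
        # KDCs hold different copies of the shared krbtgt key.
        verdict = "cross-realm key mismatch: compare krbtgt keys on both KDCs"
    elif name == "KRB_AP_ERR_MODIFIED":
        # Service ticket not decryptable by the host: the KDC's copy of the
        # service key differs from the host's (e.g. duplicate machine accounts).
        verdict = "service key mismatch for %s: check for duplicate accounts" % server
    return {"code": code, "name": name, "verdict": verdict}
```

Run `triage(parse_event(EVENT_594))` on the sample to get the cross-realm verdict; feeding it an event whose Server Name is a host/ principal yields the duplicate-account verdict instead.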