--- "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:

> Lara Adianto wrote:
> >
> > Hi,
> >
> > I have a strange problem with cross-realm authentication.
> > It's a Windows 2000 machine authenticating to an MIT KDC, then it
> > accesses a computer in a Windows domain. This should be possible
> > theoretically with ksetup, and all the necessary steps are described
> > in the step-by-step Kerberos interoperability document.
> >
> > However, this is what happens in my environment:
> > 1. The user is able to log in to the Windows 2000 machine with his
> > credential in the MIT KDC. The Windows 2000 machine is configured to be
> > a member of a workgroup. However, when I examine the settings set up
> > using ksetup, this is what I got:
> >
> > ksetup:
> > default realm = ADIANTO.COM (external)
> > ADIANTO.COM:
> > kdc = kerberos.adianto.com
> > Failed to create Kerberos key: 5 (0x5)
>
> I don't see the Failed message on my machine which is set up similarly,
> but I do have some Mappings of principals to local accounts.

I should have made it clearer. I did the name mappings with ksetup as well:

ksetup:
default realm = ADIANTO.COM (external)
ADIANTO.COM:
kdc = kerberos.adianto.com
Mapping [EMAIL PROTECTED] to lara

Besides the above info, I also added RealmFlags set to 8 and LogLevel set
to 1 in the registry. But when I logged in as lara and checked ksetup, it
shows this:

default realm = ADIANTO.COM (external)
ADIANTO.COM:
kdc = kerberos.adianto.com
Failed to create Kerberos key: 5 (0x5)

> > I'm not sure whether the last line is fatal.
>
> Since you were able to log in, and your next note shows you got a
> host/[EMAIL PROTECTED] ticket during login, the Kerberos on the W2000
> box looks good.
>
> > 2. When the user tried to access a computer in a Windows domain
> > (should be possible due to the cross-realm setup), the following
> > error occurred:
>
> What do you mean "tried to access a computer in a Windows domain"?
>
> What application are you using?

What I mean is opening the Network Neighborhood, opening a Windows domain
to access one of its computers. It should be a single sign-on, right? But
instead, it prompts me with a user logon and password! This is because the
cross-realm auth failed with KRB_AP_ERR_MODIFIED (I checked it through
ethereal).

> > Event Type: Error
> > Event Source: Kerberos
> > Event Category: None
> > Event ID: 594
> > Date: 7/29/2004
> > Time: 7:37:30 PM
> > User: N/A
> > Computer: TEST
> > Description:
> > A Kerberos Error Message was received:
> > on logon session
> > InitializeSecurityContext
> > Client Time:
> > Server Time:
> > Error Code: 11:36:30.0000 7/29/2004 (null) 0x29
> > Extended Error: KRB_AP_ERR_MODIFIED
> > Client Realm:
> > Client Name:
> > Server Realm: WINDOMAIN.COM
> > Server Name: krbtgt/WINDOMAIN.COM
> > Target Name: HOST/[EMAIL PROTECTED]
> > Error Text:
> > File:
> > Line:
> > Error Data is in record data.
>
> Doing a Google search for KRB_AP_ERR_MODIFIED shows this in one of the
> messages:
>
>     The Kerberos client received a KRB_AP_ERR_MODIFIED error from the
>     server COMPANY$. This indicates that the password used to encrypt
>     the Kerberos service ticket is different than that on the target
>     server. Commonly, this is due to identically named machine accounts
>     in the target realm (COMPANY.NET), and the client realm. Please
>     contact your system administrator.

I know what the error code means :-) I did a search in Google as well. But
I don't have identically named machine accounts...

> This might also mean the cross-realm keys don't match, i.e. the user's
> realm issued a TGT for the service realm, but the service realm can not
> decrypt it.
> Did you ever get any cross realm to work with the user in the MIT realm,
> and the service in the AD?
> Did the UMich modification make any changes in this area?

This is more possible for me. I noticed (with ethereal) that the checksum
is wrong. Not sure why though...

No, I didn't try a Windows KDC and MIT client... In fact, I got my setup
working before. The user can log in to the Windows machine using MIT
credentials, then access resources in the Windows domain and even do a
password change! But yesterday, it suddenly failed... :-( Not sure why...
maybe because I just reinstalled my Win2k server that serves as the
Windows KDC... maybe because I modified the ksetup on the Windows
client... sigh...

> > Win2kServer is the computer that TEST tried to access, belonging to
> > WINDOMAIN, which is a Windows domain.
> >
> > My guess is that the "Failed to generate key" caused the
> > KRB_AP_ERR_MODIFIED... but I can't confirm it...
> > I'm not sure what caused it to fail to generate the key...
> >
> > I've followed the steps in the step-by-step Kerberos interoperability
> > document carefully...
> >
> > Any clue?
> >
> > regards,
> > lara
> >
> > ------------------------------------------------------------------------------------
> > Life, you see, is never as good or as bad as one thinks.
> > - Guy de Maupassant -
> > ------------------------------------------------------------------------------------
> >
> > ________________________________________________
> > Kerberos mailing list [EMAIL PROTECTED]
> > https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
> Douglas E. Engert <[EMAIL PROTECTED]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
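The two hypotheses raised in the thread (an inter-realm key that no longer matches after the Windows KDC was reinstalled, versus a service ticket sealed under a different machine account's key than the target server holds) both surface to the client as the same error, 0x29 KRB_AP_ERR_MODIFIED, which is why a packet capture showing only "checksum wrong" does not tell them apart. The following is an added example, not code from the thread or from MIT Kerberos or Windows. It is a toy model: tickets are sealed with an HMAC-SHA256 tag over a SHA-256 counter-mode keystream (stand-ins for real Kerberos encryption types), the two KDCs are plain Python objects, and the principal names `lara@ADIANTO.COM` and the SPN `host/win2kserver.windomain.com` are assumed for illustration. What it demonstrates is where in the cross-realm path each failure is detected: a trust-key mismatch fails at the Windows KDC's TGS exchange (matching the `Server Name: krbtgt/WINDOMAIN.COM` in the event record above), while a duplicate-account mismatch fails only when the target server itself decrypts the service ticket.

```python
"""Toy model of cross-realm Kerberos failure modes that end in KRB_AP_ERR_MODIFIED.

Added example; not real Kerberos crypto and not code from the mailing-list thread.
"""
import hashlib
import hmac
import secrets

KRB_AP_ERR_MODIFIED = 0x29   # decimal 41, the code shown in the Event ID 594 record


class KrbError(Exception):
    """Raised where a real KDC or application server would return a KRB-ERROR."""

    def __init__(self, code: int, text: str) -> None:
        super().__init__(f"0x{code:x} {text}")
        self.code = code


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream; a stand-in for the real Kerberos enctypes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (models a ticket's EncryptedData)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. A wrong key and an altered ciphertext fail identically."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise KrbError(KRB_AP_ERR_MODIFIED, "KRB_AP_ERR_MODIFIED: integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Minimal KDC: a realm name plus a table of principal -> long-term key."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.keys: dict[str, bytes] = {}

    def issue_cross_realm_tgt(self, client: str, service_realm: str) -> bytes:
        # MIT side: the referral TGT is sealed under krbtgt/<service realm>@<this realm>,
        # the inter-realm key that both KDCs are supposed to share.
        key = self.keys[f"krbtgt/{service_realm}@{self.realm}"]
        return seal(key, f"{client}|{service_realm}".encode())

    def tgs_exchange(self, cross_realm_tgt: bytes, client_realm: str, service: str) -> bytes:
        # AD side: unseal the inbound TGT with *its* copy of the inter-realm key, then
        # issue a service ticket sealed under whatever key it has on file for the service.
        inter_realm_key = self.keys[f"krbtgt/{self.realm}@{client_realm}"]
        client_blob = unseal(inter_realm_key, cross_realm_tgt)
        return seal(self.keys[service], client_blob + b"|" + service.encode())


SERVICE = "host/win2kserver.windomain.com"   # assumed SPN for the Win2kServer host


def build_realms() -> tuple[KDC, KDC, bytes]:
    """Constructed sample: a healthy trust. Returns (MIT KDC, AD KDC, the server's real key)."""
    mit, ad = KDC("ADIANTO.COM"), KDC("WINDOMAIN.COM")
    trust_key = secrets.token_bytes(32)
    mit.keys["krbtgt/WINDOMAIN.COM@ADIANTO.COM"] = trust_key
    ad.keys["krbtgt/WINDOMAIN.COM@ADIANTO.COM"] = trust_key
    server_key = secrets.token_bytes(32)
    ad.keys[SERVICE] = server_key
    return mit, ad, server_key


def cross_realm_access(mit: KDC, ad: KDC, server_key: bytes) -> int:
    """Walk the client's path; return 0 on success or the KRB error code the client would log."""
    try:
        xtgt = mit.issue_cross_realm_tgt("lara@ADIANTO.COM", ad.realm)   # TGS-REQ to MIT KDC
        ticket = ad.tgs_exchange(xtgt, mit.realm, SERVICE)               # TGS-REQ to AD KDC
        unseal(server_key, ticket)                                       # AP-REQ: server decrypts
    except KrbError as err:
        return err.code
    return 0


def scenario_healthy() -> int:
    return cross_realm_access(*build_realms())


def scenario_trust_key_regenerated() -> int:
    """AD KDC reinstalled: its inter-realm key no longer matches the MIT KDC's copy."""
    mit, ad, server_key = build_realms()
    ad.keys["krbtgt/WINDOMAIN.COM@ADIANTO.COM"] = secrets.token_bytes(32)
    return cross_realm_access(mit, ad, server_key)


def scenario_duplicate_machine_account() -> int:
    """KDC seals the service ticket under a different account's key than the server holds."""
    mit, ad, real_server_key = build_realms()
    ad.keys[SERVICE] = secrets.token_bytes(32)   # stale or duplicate machine-account entry
    return cross_realm_access(mit, ad, real_server_key)


if __name__ == "__main__":
    for name, fn in [("healthy", scenario_healthy),
                     ("trust key regenerated", scenario_trust_key_regenerated),
                     ("duplicate machine account", scenario_duplicate_machine_account)]:
        code = fn()
        print(f"{name:26s} -> {'OK' if code == 0 else f'KRB error 0x{code:x}'}")
```

Running it prints OK for the healthy trust and `KRB error 0x29` for both failure scenarios. The practical takeaway for triage is the `Server Name` field of the Windows event: when it names `krbtgt/<target realm>` the failure occurred at the target realm's KDC while unsealing the cross-realm TGT, which points at the inter-realm key rather than at the application server's account.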
