Re: pamkrbval: KDC policy rejects request for this entry - Kerberos



Thread: Re: pamkrbval: KDC policy rejects request for this entry

  1. Re: pamkrbval: KDC policy rejects request for this entry

    "Richard Curtis" writes:

    > Hi,
    > I am trying to get an HPUX 11i box to authenticate against our
    > active directory (Windows 2003r2) domain with kerberos but I am
    > getting nowhere fast.
    >
    > As per the docs I have, I have created a user account in active
    > directory, then used "ktpass -princ
    > host/unix_client.domain.host.com@DOMAIN.HOST.COM -mapuser unix_lient
    > -pass -out c:\krb5.keytab"
    > The keytab looks fine when I used ktutil, but I cannot do a kinit... I
    > keep getting "KDC policy rejects request for this entry"


    It may be that the AD server is forbidding the use of the
    "host/unix_client.domain.host.com" principal as a client principal.

  2. Re: pamkrbval: KDC policy rejects request for this entry

    I am making some progress with this and no longer believe it to be a
    Kerberos issue (not directly).

    Our Windows admins have enabled enhanced logging of the KDC service in
    Windows, and now instead of just a straight "0xC: KDC Policy rejects
    this request", we still get the 0xC error, but we get enhanced info
    stating "NT Status: STATUS_INVALID_WORKSTATION (0xc0000070)"

    If anyone wants to know the registry keys changed to get this logging,
    it was HKLM\SYSTEM\CurrentControlSet\Services\KDC, then kdcdebuglevel
    (DWORD, value=0x10000000) and kdcextraloglevel (DWORD, 0x00000004)

    It looks as though the request is being rejected because AD expects to
    find some form of workstation entry for this host. I thought the
    ktpass side should cater for this, but obviously I am wrong.

    I will continue to investigate this with our Windows admins and will
    post back if I fix it.

    On 27 Aug, 20:49, Tom Yu wrote:
    > "Richard Curtis" writes:
    > > Hi,
    > > I am trying to get an HPUX 11i box to authenticate against our
    > > active directory (Windows 2003r2) domain with kerberos but I am
    > > getting nowhere fast.
    >
    > > As per the docs I have, I have created a user account in active
    > > directory, then used "ktpass -princ
    > > host/unix_client.domain.host....@DOMAIN.HOST.COM -mapuser unix_lient
    > > -pass -out c:\krb5.keytab"
    > > The keytab looks fine when I used ktutil, but I cannot do a kinit... I
    > > keep getting "KDC policy rejects request for this entry"
    >
    > It may be that the AD server is forbidding the use of the
    > "host/unix_client.domain.host.com" principal as a client principal.
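The KDC logging change described in the post above, as an added example (not from Richard or the thread): a PowerShell snippet for an elevated session on the domain controller that records the current values before setting kdcdebuglevel and kdcextraloglevel to the values he gives, so the verbose logging can be reverted once the troubleshooting is done. The backup file path is an assumption.

```powershell
# Added example: snapshot, set and restore the KDC diagnostic logging values
# from the post. Run in an elevated PowerShell on the domain controller.
$KdcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\KDC'
$BackupFile = "$env:ProgramData\kdc-logging-backup.json"   # assumed location
# REG_DWORD values exactly as stated in the post
$Values     = @{ kdcdebuglevel = 0x10000000; kdcextraloglevel = 0x00000004 }

function Save-KdcLoggingState {
    # Record whatever is there now; a value that does not exist is stored as $null
    $state = @{}
    foreach ($name in $Values.Keys) {
        $current = Get-ItemProperty -Path $KdcKey -Name $name -ErrorAction SilentlyContinue
        $state[$name] = if ($current) { $current.$name } else { $null }
    }
    $state | ConvertTo-Json | Set-Content -Path $BackupFile
}

function Enable-KdcVerboseLogging {
    Save-KdcLoggingState
    foreach ($name in $Values.Keys) {
        Set-ItemProperty -Path $KdcKey -Name $name -Value $Values[$name] -Type DWord
    }
}

function Restore-KdcLoggingState {
    if (-not (Test-Path $BackupFile)) { throw "No backup found at $BackupFile" }
    $state = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($name in $Values.Keys) {
        if ($null -eq $state.$name) {
            # The value was not present before we started: remove it again
            Remove-ItemProperty -Path $KdcKey -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $KdcKey -Name $name -Value $state.$name -Type DWord
        }
    }
}

Enable-KdcVerboseLogging
# ... reproduce the failing kinit and collect the extended KDC output, then:
# Restore-KdcLoggingState
```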


