Windows XP authentication to MIT KDC
Hi,
I'm trying to get my Windows XP system to allow me to auth to our MIT KDC.
However, I'm running into some difficulty.
So far, I have:
C:\Documents and Settings\quanah>ksetup
default realm = stanford.edu (external)
stanford.edu:
kdc = kerberos1.stanford.edu
kdc = kerberos2.stanford.edu
kdc = kerberos3.stanford.edu
Realm Flags = 0x0 none
Mapping all users (*) to a local account by the same name (*).
Mapping quanah@stanford.edu to quanah.
I've set up a host principal between my windows box and the KDC, and that
part seems to be working correctly, as the KDC issues me a ticket:
May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 171.66.155.86: NEEDED_PREAUTH: quanah@stanford.edu for krbtgt/stanford.edu@stanford.edu, Additional pre-authentication required
May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (2 etypes {3 1}) 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=3 tkt=1 ses=1}, quanah@stanford.edu for krbtgt/stanford.edu@stanford.edu
May 26 16:15:56 kerberos1 krb5kdc[1385]: TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=1 tkt=1 ses=1}, quanah@stanford.edu for host/sw-90-717-287-3.stanford.edu@stanford.edu
However, my login fails with:
"Windows cannot connect to the domain, either because the domain controller
is down or otherwise unavailable, or because your computer account was not
found."
I think this is related to a lack of SRV records for our KDC, because when
I go into the properties for "My Computer" and tell it to join the
"stanford.edu" domain, I get:
The following error occurred when DNS was queried for the service location
(SRV) resource record to locate a domain controller for domain stanford.edu:
The error was: "DNS name does not exist."
(error code 0x0000232B RCODE_NAME_ERROR)
The query was for the SRV record for _ldap._tcp.dc_msdcs.stanford.edu
Common causes of this error include the following:
- The DNS SRV record is not registered in DNS.
- One or more of the following zones do not include delegation to its child
zone:
stanford.edu
edu
.. (the root zone)
Trying to connect to the domain from the command line gives me:
C:\Documents and Settings\quanah>ksetup /domain stanford.edu
Connecting to specified domain stanford.edu...
CallAuthPackage failed, status 0x0, substatus 0x8009030e.
Ticket cache query failed. Error 0x8009030e
Could not guess user's domain.
Please specify domain on command line and try again.
/Domain failed: 0x8009030e.
Any thoughts on where I can go from here? Are SRV records an absolute
requirement with windows?
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
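The KDC log quoted in the post carries more information than "the KDC issues me a ticket": the etype lists say which encryption types the XP client offered and which ones the KDC actually used for the reply, ticket and session keys. The following script is an added example, not code from the thread; it parses krb5kdc lines of the form shown above and reports weak etypes and downgrades. The sample lines are the three from the post rejoined onto one line each; the etype numbers and names follow RFC 3961/4120 and MIT krb5, and the negative numbers are the private-use values Windows clients send for Microsoft's pre-standard RC4 variants (names taken from Heimdal's enumeration, an assumption for labelling only).

```python
"""Added example (not from the thread): parse krb5kdc AS_REQ/TGS_REQ log
lines and report which encryption types were actually used."""
import re

# RFC 3961/4120 numbers plus the private-use values Windows sends.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
    -128: "rc4-md4 (private-use)", -133: "rc4-hmac-old (private-use)",
    -135: "rc4-hmac-old-exp (private-use)",
}
# Single DES, export-grade RC4 and the private-use RC4 variants count as
# weak here; rc4-hmac (23) is tolerated only because it is the strongest
# etype a Windows XP client offers.
WEAK = {1, 2, 3, 24, -128, -133, -135}

LINE_RE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) "
    r"\((?P<count>\d+) etypes \{(?P<offered>[-\d ]+)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>\w+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>-?\d+) "
    r"tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>[^\s,]+)"
)

# Constructed sample: the three lines from the post, one log record per line.
SAMPLE_LOG = [
    "May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "171.66.155.86: NEEDED_PREAUTH: quanah@stanford.edu for "
    "krbtgt/stanford.edu@stanford.edu, Additional pre-authentication required",
    "May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (2 etypes {3 1}) "
    "171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=3 tkt=1 ses=1}, "
    "quanah@stanford.edu for krbtgt/stanford.edu@stanford.edu",
    "May 26 16:15:56 kerberos1 krb5kdc[1385]: TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=1 tkt=1 ses=1}, "
    "quanah@stanford.edu for host/sw-90-717-287-3.stanford.edu@stanford.edu",
]


def parse_line(line):
    """Return a dict for an AS_REQ/TGS_REQ record, or None for other lines."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(x) for x in rec["offered"].split()]
    for key in ("rep", "tkt", "ses"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def etype_name(etype):
    return ETYPE_NAMES.get(etype, f"etype {etype}")


def weak_etype_findings(lines):
    """Issued tickets whose reply key (rep), ticket key (tkt) or session key
    (ses) is weak, as (request, server principal, role, etype name)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "ISSUE":
            continue
        for role in ("rep", "tkt", "ses"):
            if rec[role] in WEAK:
                findings.append((rec["req"], rec["server"], role,
                                 etype_name(rec[role])))
    return findings


def downgrade_findings(lines):
    """Issued tickets where the client offered a strong etype but the ticket
    key is weak: the server principal has no stronger key in the KDC
    database (compare `getprinc` output in kadmin) or policy forbids it."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != "ISSUE":
            continue
        strong = [e for e in rec["offered"] if e not in WEAK]
        if strong and rec["tkt"] in WEAK:
            findings.append((rec["server"], [etype_name(e) for e in strong],
                             etype_name(rec["tkt"])))
    return findings


if __name__ == "__main__":
    for f in weak_etype_findings(SAMPLE_LOG):
        print("weak:", *f)
    for f in downgrade_findings(SAMPLE_LOG):
        print("downgrade:", *f)
```

Run against the quoted lines it shows that every key involved is single DES, and that for the host ticket the client offered rc4-hmac but got a DES ticket key anyway, which points at the key types stored for the host principal on the KDC rather than at the client.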
Re: Windows XP authentication to MIT KDC
--On Friday, May 26, 2006 04:39:28 PM -0700 Quanah Gibson-Mount
<quanah@stanford.edu> wrote:
> I think this is related to a lack of SRV records for our KDC, because
> when I go into the properties for "My Computer" and tell it to join the
> "stanford.edu" domain, I get:
> Are SRV records an absolute
> requirement with windows?
SRV records are an absolute requirement for Windows domains. External realm
authentication (like you set up with ksetup) does not require them.
Did you set a machine account password? Is it correct? Does the name of the
relevant host principal exactly match <NETBIOSNAME>.stanford.edu? It is
possible that configuring the 'primary dns suffix' (hit the 'more' button
in the dialog that allows you to join a domain) will allow you to use a
more arbitrary principal name. I have never tried, and the documentation
does not say anything about it.
Re: Windows XP authentication to MIT KDC
> Hi,
> I'm trying to get my Windows XP system to allow me to auth to our MIT KDC.
> However, I'm running into some difficulty.
>
> So far, I have:
>
> C:\Documents and Settings\quanah>ksetup
> default realm = stanford.edu (external)
> stanford.edu:
> kdc = kerberos1.stanford.edu
> kdc = kerberos2.stanford.edu
> kdc = kerberos3.stanford.edu
> Realm Flags = 0x0 none
> Mapping all users (*) to a local account by the same name (*).
> Mapping quanah@stanford.edu to quanah.
>
>
> I've set up a host principal between my windows box and the KDC, and that
> part seems to be working correctly, as the KDC issues me a ticket:
>
> May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 171.66.155.86: NEEDED_PREAUTH: quanah@stanford.edu for krbtgt/stanford.edu@stanford.edu, Additional pre-authentication required
> May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (2 etypes {3 1}) 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=3 tkt=1 ses=1}, quanah@stanford.edu for krbtgt/stanford.edu@stanford.edu
> May 26 16:15:56 kerberos1 krb5kdc[1385]: TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=1 tkt=1 ses=1}, quanah@stanford.edu for host/sw-90-717-287-3.stanford.edu@stanford.edu
All your realm names are lower case. Is that really correct? It's very
unusual.
> However, my login fails with:
>
> "Windows cannot connect to the domain, either because the domain controller
> is down or otherwise unavailable, or because your computer account was not
> found."
>
>
> I think this is related to a lack of SRV records for our KDC, because when
> I go into the properties for "My Computer" and tell it to join the
> "stanford.edu" domain, I get:
>
> The following error occurred when DNS was queried for the service location
> (SRV) resource record to locate a domain controller for domain stanford.edu:
>
> The error was: "DNS name does not exist."
> (error code 0x0000232B RCODE_NAME_ERROR)
>
> The query was for the SRV record for _ldap._tcp.dc_msdcs.stanford.edu
This means that on some level, the client still thinks this realm is a
Windows domain, as opposed to an external realm. It's trying to find a
domain controller.
> Any thoughts on where I can go from here? Are SRV records an absolute
> requirement with windows?
They actually would not matter in your case (the right ones), since you
gave it static configuration for the KDCs.
--
Richard Silverman
res@qoxp.net
RE: Windows XP authentication to MIT KDC
The steps below should apply to Windows XP as well as Windows Server
2003. I would also confirm the case of your realm. Usually realms are
upper case. If it is you should reconfigure your realm settings on the
XP client to match the case of the MIT realm.
SRV records are not a requirement. As long as you define the FQDN of
the KDCs with the ksetup /addkdc command, you don't need SRV records but
you do need to be able to resolve the FQDN of the KDCs you specified.
Using an MIT KDC with a Standalone Windows Server 2003 Client
For the Windows Server 2003 client to use a non-Windows KDC, you must
configure both the non-Windows KDC and the Windows Server 2003 client as
described next.
To configure the MIT KDC server and the Windows Server 2003 client
1. On the MIT KDC, create a host principal for the computer. Use
the command:
Kadmin -q "ank host/machine-name.dns-domain_name"
Note: After executing the above command you will be prompted to provide
a password. Provide a complex password and make note of it. You will be
required to provide the same password in a subsequent command on the
Windows Server 2003 client.
For example, if the Windows Server 2003 client name is WS03SRV1 and the
primary DNS suffix of this computer is realm.reskit.com, the principal
name is host/ws03srv1.realm.reskit.com.
Kadmin is a utility that is part of the MIT Kerberos distribution.
2. Run the Ksetup utility to configure the Windows Server 2003
client to be aware of the non-Windows KDC and realm.
Since the MIT realm is not an Active Directory domain, the
computer will be configured as a member of a workgroup. This is
automatic when you set the Kerberos realm and add a KDC server as
follows:
C:> Ksetup /setrealm REALM.RESKIT.COM
C:> Ksetup /addkdc REALM.RESKIT.COM kdc.realm.reskit.com
Set the local machine account password, as follows:
C:> Ksetup /setmachpassword password
Replace password with the password you supplied above in step 1.
3. Restart your computer for the changes to take effect. (This is a
required step.) Whenever changes are made to the realm or domain
membership, a restart is required.
4. Use Ksetup to configure single sign on to local workstation
accounts. Define the account mappings; this will map local machine
accounts to Kerberos principals. For example:
C:> Ksetup /mapuser auser@REALM.RESKIT.COM guest
C:> Ksetup /mapuser * *
Note that the second command maps clients to local accounts of the same
name.
5. Use Ksetup with no arguments to see the current settings.
--Joey
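The two replies above boil down to a handful of consistency checks between the Windows client and the MIT realm: the realm name must match the KDC's spelling exactly (Kerberos realm names are case-sensitive), the host principal must be host/<computer name>.<primary DNS suffix>@REALM, the KDCs given to ksetup /addkdc must be resolvable FQDNs since there are no SRV records, and the user principal needs a mapping to a local account. The script below is an added example, not code from the thread or from Microsoft's documentation; it parses the output of a bare ksetup (the sample is the output from the first post) and runs those checks. The KDC-side realm spelling is whatever appears after the @ in the KDC log (krbtgt/stanford.edu@stanford.edu here), and the resolver is injectable so the check runs offline.

```python
"""Added example (not from the thread): check a Windows ksetup configuration
against what the MIT KDC expects: realm case, host principal name, KDC host
names and principal-to-local-account mappings."""
import re
import socket

# Constructed sample: the bare `ksetup` output from the first post.
SAMPLE_KSETUP = """\
default realm = stanford.edu (external)
stanford.edu:
kdc = kerberos1.stanford.edu
kdc = kerberos2.stanford.edu
kdc = kerberos3.stanford.edu
Realm Flags = 0x0 none
Mapping all users (*) to a local account by the same name (*).
Mapping quanah@stanford.edu to quanah.
"""


def parse_ksetup(text):
    """Parse `ksetup` output into the realm, whether it is an external (non-AD)
    realm, the configured KDCs and the (principal, local account) mappings."""
    cfg = {"realm": None, "external": False, "kdcs": [], "mappings": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"default realm = (\S+)(.*)", line)
        if m:
            cfg["realm"] = m.group(1)
            cfg["external"] = "(external)" in m.group(2)
            continue
        m = re.match(r"kdc = (\S+)", line)
        if m:
            cfg["kdcs"].append(m.group(1))
            continue
        if line.startswith("Mapping all users (*) to a local account by the same name (*)"):
            cfg["mappings"].append(("*", "*"))
            continue
        m = re.match(r"Mapping (\S+) to (\S+)\.$", line)
        if m:
            cfg["mappings"].append((m.group(1), m.group(2)))
    return cfg


def expected_host_principal(computer_name, primary_dns_suffix, realm):
    """host/<computer name>.<primary DNS suffix>@REALM, host part lower-cased
    as in the reply above; the realm keeps the exact case the KDC uses."""
    return f"host/{computer_name.lower()}.{primary_dns_suffix.lower()}@{realm}"


def map_principal(principal, mappings):
    """Local account a principal logs on as: an explicit mapping wins, then
    the '* *' rule maps to the account named like the principal's first
    component, otherwise there is no mapping at all."""
    for pattern, account in mappings:
        if pattern == principal:
            return account
    if ("*", "*") in mappings:
        return principal.split("@", 1)[0]
    return None


def static_resolver(table):
    """Hosts-file style resolver for offline checks; fails the way
    socket.gethostbyname does for an unknown name."""
    def resolve(host):
        if host not in table:
            raise socket.gaierror(f"{host}: name or service not known")
        return table[host]
    return resolve


def check_config(cfg, kdc_realm, host_principal, computer_name,
                 primary_dns_suffix, user_principal,
                 resolve=socket.gethostbyname):
    """Return a list of problems; empty means the client side is consistent."""
    problems = []
    if cfg["realm"] != kdc_realm:
        if (cfg["realm"] or "").lower() == kdc_realm.lower():
            problems.append(f"realm case mismatch: client has '{cfg['realm']}', "
                            f"KDC uses '{kdc_realm}' (realm names are case-sensitive)")
        else:
            problems.append(f"client realm '{cfg['realm']}' is not the KDC realm '{kdc_realm}'")
    if not cfg["external"]:
        problems.append("default realm is not marked (external); set it with ksetup /setrealm")
    expected = expected_host_principal(computer_name, primary_dns_suffix, kdc_realm)
    if host_principal != expected:
        problems.append(f"host principal '{host_principal}' does not match '{expected}'")
    if not cfg["kdcs"]:
        problems.append("no KDC configured: without SRV records ksetup /addkdc is required")
    for kdc in cfg["kdcs"]:
        if "." not in kdc:
            problems.append(f"KDC '{kdc}' is not a fully qualified name")
        try:
            resolve(kdc)
        except OSError:
            problems.append(f"KDC '{kdc}' does not resolve")
    if map_principal(user_principal, cfg["mappings"]) is None:
        problems.append(f"no local account mapping for {user_principal}")
    return problems
```

With the values from the first post (computer name SW-90-717-287-3, suffix stanford.edu, realm spelled stanford.edu on both sides) every check passes, which matches what the thread shows: the client configuration is consistent, so the remaining suspects are the machine account password set with ksetup /setmachpassword and the keys stored for the host principal on the KDC.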
RE: Windows XP authentication to MIT KDC
--On Saturday, May 27, 2006 9:59 AM -0700 Joey Seifert
<jseifert@microsoft.com> wrote:
> The steps below should apply to Windows XP as well as Windows Server
> 2003. I would also confirm the case of your realm. Usually realms are
> upper case. If it is you should reconfigure your realm settings on the
> XP client to match the case of the MIT realm.
>
> SRV records are not a requirement. As long as you define the FQDN of
> the KDCs with the ksetup /addkdc command, you don't need SRV records but
> you do need to be able to resolve the FQDN of the KDCs you specified.
>
>
> Using an MIT KDC with a Standalone Windows Server 2003 Client
> For the Windows Server 2003 client to use a non-Windows KDC, you must
> configure both the non-Windows KDC and the Windows Server 2003 client as
> described next.
> To configure the MIT KDC server and the Windows Server 2003 client
> 1. On the MIT KDC, create a host principal for the computer. Use
> the command:
>
> Kadmin -q "ank host/machine-name.dns-domain_name"
>
> Note: After executing the above command you will be prompted to provide
> a password. Provide a complex password and make note of it. You will be
> required to provide the same password in a subsequent command on the
> Windows Server 2003 client.
>
> For example, if the Windows Server 2003 client name is WS03SRV1 and the
> primary DNS suffix of this computer is realm.reskit.com, the principal
> name is host/ws03srv1.realm.reskit.com.
>
> Kadmin is a utility that is part of the MIT Kerberos distribution.
> 2. Run the Ksetup utility to configure the Windows Server 2003
> client to be aware of the non-Windows KDC and realm.
> Since the MIT realm is not an Active Directory domain, the
> computer will be configured as a member of a workgroup. This is
> automatic when you set the Kerberos realm and add a KDC server as
> follows:
>
> C:> Ksetup /setrealm REALM.RESKIT.COM
> C:> Ksetup /addkdc REALM.RESKIT.COM kdc.realm.reskit.com
> Set the local machine account password, as follows:
>
> C:> Ksetup /setmachpassword password
> Replace password with the password you supplied above in step 1.
>
> 3. Restart your computer for the changes to take effect. (This is a
> required step.) Whenever changes are made to the realm or domain
> membership, a restart is required.
> 4. Use Ksetup to configure single sign on to local workstation
> accounts. Define the account mappings; this will map local machine
> accounts to Kerberos principals. For example:
>
> C:> Ksetup /mapuser auser@REALM.RESKIT.COM guest
> C:> Ksetup /mapuser * *
>
> Note that the second command maps clients to local accounts of the same
> name.
> 5. Use Ksetup with no arguments to see the current settings.
Joey,
Thanks for the reply. Other than the "guest" mapping in step #4, none of
these steps differ from what I already did. As you can see from the logs I
supplied from my KDC, the host keytab is already set up, and both the
windows box & the KDC are happily talking to one another, as the KDC logs
me getting a tgt. I simply cannot log into my system. Is the "guest"
mapping required? I'd thought that my two mappings I already have defined
would cover things:
Mapping all users (*) to a local account by the same name (*).
Mapping quanah@stanford.edu to quanah.
And yes, our K5 domain name is lower case. ;)
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Re: Windows XP authentication to MIT KDC
Hello,
I have exactly the same issue and I don't know where the error can come from. Getting a ticket without being able to log on successfully (Windows Server 2003 in my case) seems quite strange to me.
Does anybody have feedback about that or any suggestion about what the problem is?
Thank you