Windows Xp authentication to MIT KDC - Kerberos



Thread: Windows Xp authentication to MIT KDC

  1. Windows Xp authentication to MIT KDC

    Hi,

    I'm trying to get my Windows XP system to allow me to auth to our MIT KDC.
    However, I'm running into some difficulty.

    So far, I have:

    C:\Documents and Settings\quanah>ksetup
    default realm = stanford.edu (external)
    stanford.edu:
    kdc = kerberos1.stanford.edu
    kdc = kerberos2.stanford.edu
    kdc = kerberos3.stanford.edu
    Realm Flags = 0x0 none
    Mapping all users (*) to a local account by the same name (*).
    Mapping quanah@stanford.edu to quanah.


    I've set up a host principal between my windows box and the KDC, and that
    part seems to be working correctly, as the KDC issues me a ticket:

    May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (7 etypes {23 -133 -128 3 1
    24 -135}) 171.66.155.86: NEEDED_PREAUTH: quanah@stanford.edu for
    krbtgt/stanford.edu@stanford.edu, Additional pre-authentication required
    May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (2 etypes {3 1})
    171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=3 tkt=1 ses=1},
    quanah@stanford.edu for krbtgt/stanford.edu@stanford.edu
    May 26 16:15:56 kerberos1 krb5kdc[1385]: TGS_REQ (7 etypes {23 -133 -128 3
    1 24 -135}) 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=1 tkt=1
    ses=1}, quanah@stanford.edu for
    host/sw-90-717-287-3.stanford.edu@stanford.edu


    However, my login fails with:

    "Windows cannot connect to the domain, either because the domain controller
    is down or otherwise unavailable, or because your computer account was not
    found."


    I think this is related to a lack of SRV records for our KDC, because when
    I go into the properties for "My Computer" and tell it to join the
    "stanford.edu" domain, I get:

    The following error occurred when DNS was queried for the service location
    (SRV) resource record to locate a domain controller for domain stanford.edu:

    The error was: "DNS name does not exist."
    (error code 0x0000232B RCODE_NAME_ERROR)

    The query was for the SRV record for _ldap._tcp.dc_msdcs.stanford.edu

    Common causes of this error include the following:

    - The DNS SRV record is not registered in DNS.

    - One or more of the following zones do not include delegation to its child
    zone:

    stanford.edu
    edu
    .. (the root zone)



    Trying to connect to the domain from the command line gives me:

    C:\Documents and Settings\quanah>ksetup /domain stanford.edu
    Connecting to specified domain stanford.edu...
    CallAuthPackage failed, status 0x0, substatus 0x8009030e.
    Ticket cache query failed. Error 0x8009030e
    Could not guess user's domain.
    Please specify domain on command line and try again.
    /Domain failed: 0x8009030e.


    Any thoughts on where I can go from here? Are SRV records an absolute
    requirement with windows?


    --Quanah


    --
    Quanah Gibson-Mount
    Principal Software Developer
    ITS/Shared Application Services
    Stanford University
    GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
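    The krb5kdc lines quoted above are the evidence that the KDC side works: a pre-authentication round trip, a TGT, then a service ticket for the host principal. The etype numbers in them are bare integers, and the records were wrapped by the mailer. The following parser is an added example, not code from the thread or from MIT Kerberos; it re-joins wrapped records, pulls out the request type, the etypes the client offered, and the reply/ticket/session-key etypes the KDC chose, and names them. The sample log is the three records from the post re-typed here (constructed), with the mail wrapping left in place so the unwrap step is exercised.

```python
"""Parse MIT krb5kdc AS_REQ/TGS_REQ log records (added example, not from the thread)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# RFC 3961 / IANA etype numbers seen in this thread plus the common modern ones.
# Negative numbers are private Microsoft etypes and are left unnamed.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
}
SINGLE_DES = {1, 2, 3}

TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]: "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<ip>[0-9A-Fa-f.:]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
ISSUE_RE = re.compile(
    r"^authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, (?P<client>\S+) for (?P<server>\S+)$"
)
OTHER_RE = re.compile(r"^(?P<client>\S+) for (?P<server>[^,\s]+)(?:,.*)?$")


@dataclass
class KdcEvent:
    timestamp: str
    request: str          # AS_REQ (initial login) or TGS_REQ (service ticket)
    offered: list[int]    # etypes the client advertised, in its preference order
    client_ip: str
    status: str           # ISSUE, NEEDED_PREAUTH, ...
    client: str
    server: str
    rep: Optional[int] = None   # etype of the reply encryption
    tkt: Optional[int] = None   # etype of the key the ticket is encrypted in
    ses: Optional[int] = None   # etype of the session key


def unwrap(text: str) -> list[str]:
    """Re-join records that a mail client wrapped onto several lines."""
    records: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_kdc_log(text: str) -> list[KdcEvent]:
    events: list[KdcEvent] = []
    for record in unwrap(text):
        m = LINE_RE.match(record)
        if not m:
            continue  # not an AS_REQ/TGS_REQ record
        rep = tkt = ses = None
        if m["status"] == "ISSUE":
            d = ISSUE_RE.match(m["rest"])
            if d:
                rep, tkt, ses = int(d["rep"]), int(d["tkt"]), int(d["ses"])
        else:
            d = OTHER_RE.match(m["rest"])
        if not d:
            continue
        events.append(KdcEvent(
            timestamp=m["ts"], request=m["req"],
            offered=[int(x) for x in m["offered"].split()],
            client_ip=m["ip"], status=m["status"],
            client=d["client"], server=d["server"], rep=rep, tkt=tkt, ses=ses))
    return events


def etype_name(n: Optional[int]) -> str:
    return ETYPE_NAMES.get(n, f"etype {n}")


def tickets_issued(events: list[KdcEvent]) -> list[tuple[str, str, str]]:
    """(client, service, ticket-key etype name) for every ISSUE record."""
    return [(e.client, e.server, etype_name(e.tkt)) for e in events if e.status == "ISSUE"]


def single_des_tickets(events: list[KdcEvent]) -> list[str]:
    """Services whose tickets were issued under a single-DES key (etypes 1-3)."""
    return [e.server for e in events if e.status == "ISSUE" and e.tkt in SINGLE_DES]


def client_realms(events: list[KdcEvent]) -> set[str]:
    """Realm strings exactly as clients sent them; Kerberos compares them case-sensitively."""
    return {e.client.rsplit("@", 1)[1] for e in events if "@" in e.client}


# Constructed sample: the three records from the post, mail wrapping included.
SAMPLE_LOG = """\
May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (7 etypes {23 -133 -128 3 1
24 -135}) 171.66.155.86: NEEDED_PREAUTH: quanah@stanford.edu for
krbtgt/stanford.edu@stanford.edu, Additional pre-authentication required
May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (2 etypes {3 1})
171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=3 tkt=1 ses=1},
quanah@stanford.edu for krbtgt/stanford.edu@stanford.edu
May 26 16:15:56 kerberos1 krb5kdc[1385]: TGS_REQ (7 etypes {23 -133 -128 3
1 24 -135}) 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=1 tkt=1
ses=1}, quanah@stanford.edu for
host/sw-90-717-287-3.stanford.edu@stanford.edu
"""

if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    for client, service, et in tickets_issued(evs):
        print(f"{client} -> {service}  ticket key: {et}")
    print("single-DES tickets:", single_des_tickets(evs))
    print("realms seen:", client_realms(evs))
```

    Run against the sample it shows that the client offered RC4 (23) first but both tickets were issued under etype 1 (des-cbc-crc), and that the realm string the client sent is the lower-case one the later replies ask about.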


  2. Re: Windows Xp authentication to MIT KDC



    --On Friday, May 26, 2006 04:39:28 PM -0700 Quanah Gibson-Mount
    wrote:

    > I think this is related to a lack of SRV records for our KDC, because
    > when I go into the properties for "My Computer" and tell it to join the
    > "stanford.edu" domain, I get:
    > Are SRV records an absolute
    > requirement with windows?

    SRV records are an absolute requirement for Windows domains. External realm
    authentication (like you set up with ksetup) does not require them.

    Did you set a machine account password? Is it correct? Does the name of the
    relevant host principal exactly match .stanford.edu? It is
    possible that configuring the 'primary DNS suffix' (hit the 'more' button
    in the dialog that allows you to join a domain) will allow you to use a
    more arbitrary principal name. I have never tried, and the documentation
    does not say anything about it.






  3. Re: Windows Xp authentication to MIT KDC


    > Hi,
    > I'm trying to get my Windows XP system to allow me to auth to our MIT KDC.
    > However, I'm running into some difficulty.
    >
    > So far, I have:
    >
    > C:\Documents and Settings\quanah>ksetup
    > default realm = stanford.edu (external)
    > stanford.edu:
    > kdc = kerberos1.stanford.edu
    > kdc = kerberos2.stanford.edu
    > kdc = kerberos3.stanford.edu
    > Realm Flags = 0x0 none
    > Mapping all users (*) to a local account by the same name (*).
    > Mapping quanah@stanford.edu to quanah.
    >
    >
    > I've set up a host principal between my windows box and the KDC, and that
    > part seems to be working correctly, as the KDC issues me a ticket:
    >
    > May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (7 etypes {23 -133 -128 3 1
    > 24 -135}) 171.66.155.86: NEEDED_PREAUTH: quanah@stanford.edu for
    > krbtgt/stanford.edu@stanford.edu, Additional pre-authentication required
    > May 26 16:15:56 kerberos1 krb5kdc[1385]: AS_REQ (2 etypes {3 1})
    > 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=3 tkt=1 ses=1},
    > quanah@stanford.edu for krbtgt/stanford.edu@stanford.edu
    > May 26 16:15:56 kerberos1 krb5kdc[1385]: TGS_REQ (7 etypes {23 -133 -128 3
    > 1 24 -135}) 171.66.155.86: ISSUE: authtime 1148685356, etypes {rep=1 tkt=1
    > ses=1}, quanah@stanford.edu for
    > host/sw-90-717-287-3.stanford.edu@stanford.edu


    All your realm names are lower case. Is that really correct? It's very
    unusual.

    > However, my login fails with:
    >
    > "Windows cannot connect to the domain, either because the domain controller
    > is down or otherwise unavailable, or because your computer account was not
    > found."
    >
    >
    > I think this is related to a lack of SRV records for our KDC, because when
    > I go into the properties for "My Computer" and tell it to join the
    > "stanford.edu" domain, I get:
    >
    > The following error occurred when DNS was queried for the service location
    > (SRV) resource record to locate a domain controller for domain stanford.edu:
    >
    > The error was: "DNS name does not exist."
    > (error code 0x0000232B RCODE_NAME_ERROR)
    >
    > The query was for the SRV record for _ldap._tcp.dc_msdcs.stanford.edu


    This means that on some level, the client still thinks this realm is a
    Windows domain, as opposed to an external realm. It's trying to find a
    domain controller.

    > Any thoughts on where I can go from here? Are SRV records an absolute
    > requirement with windows?


    They actually would not matter in your case (the right ones), since you
    gave it static configuration for the KDCs.


    --
    Richard Silverman
    res@qoxp.net


  4. RE: Windows Xp authentication to MIT KDC

    The steps below should apply to Windows XP as well as Windows Server
    2003. I would also confirm the case of your realm. Usually realms are
    upper case. If it is you should reconfigure your realm settings on the
    XP client to match the case of the MIT realm.

    SRV records are not a requirement. As long as you define the FQDN of
    the KDCs with the ksetup /addkdc command, you don't need SRV records but
    you do need to be able to resolve the FQDN of the KDCs you specified.


    Using an MIT KDC with a Standalone Windows Server 2003 Client
    For the Windows Server 2003 client to use a non-Windows KDC, you must
    configure both the non-Windows KDC and the Windows Server 2003 client as
    described next.
    To configure the MIT KDC server and the Windows Server 2003 client
    1. On the MIT KDC, create a host principal for the computer. Use
    the command:

    kadmin -q "ank host/machine-name.dns-domain-name"

    Note: After executing the above command you will be prompted to provide
    a password. Provide a complex password and make note of it. You will be
    required to provide the same password in a subsequent command on the
    Windows Server 2003 client.

    For example, if the Windows Server 2003 client name is WS03SRV1 and the
    primary DNS suffix of this computer is realm.reskit.com, the principal
    name is host/ws03srv1.realm.reskit.com.

    Kadmin is a utility that is part of the MIT Kerberos distribution.
    2. Run the Ksetup utility to configure the Windows Server 2003
    client to be aware of the non-Windows KDC and realm.
    Since the MIT realm is not an Active Directory domain, the
    computer will be configured as a member of a workgroup. This is
    automatic when you set the Kerberos realm and add a KDC server as
    follows:

    C:> Ksetup /setrealm REALM.RESKIT.COM
    C:> Ksetup /addkdc REALM.RESKIT.COM kdc.realm.reskit.com
    Set the local machine account password, as follows:

    C:> Ksetup /setmachpassword password
    Replace password with the password you supplied above in step 1.

    3. Restart your computer for the changes to take effect. (This is a
    required step.) Whenever changes are made to the realm or domain
    membership, a restart is required.
    4. Use Ksetup to configure single sign on to local workstation
    accounts. Define the account mappings; this will map local machine
    accounts to Kerberos principals. For example:

    C:> Ksetup /mapuser auser@REALM.RESKIT.COM guest
    C:> Ksetup /mapuser * *

    Note that the second command maps clients to local accounts of the same
    name.
    5. Use Ksetup with no arguments to see the current settings.


    --Joey


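    The replies in this thread ask, in turn, whether the realm case on the client matches the KDC, whether ksetup shows the realm as external rather than as a Windows domain, whether the KDC names are fully qualified (and so resolvable without SRV records), whether a host principal with exactly the expected name exists, and whether user mappings are defined. The script below is an added example, not code from the thread, MIT Kerberos or Microsoft; it checks those points offline by parsing the summary that `ksetup` prints with no arguments and a `kadmin -q listprincs` listing. The good ksetup sample is the one quoted in the first post; the bad sample and the principal list are constructed, and the lower-cased host part of the principal is an assumption taken from the WS03SRV1 example in the walkthrough. In the thread's own case every one of these checks passes, so the script narrows the problem rather than solving it.

```python
"""Cross-check a Windows ksetup configuration against an MIT realm (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class KsetupConfig:
    default_realm: str = ""
    external: bool = False        # "(external)": ksetup marks non-AD realms this way
    realm_flags: dict[str, int] = field(default_factory=dict)
    kdcs: dict[str, list[str]] = field(default_factory=dict)
    mappings: list[tuple[str, str]] = field(default_factory=list)  # (principal, local account)


def parse_ksetup(output: str) -> KsetupConfig:
    """Parse the summary printed by `ksetup` with no arguments."""
    cfg, realm = KsetupConfig(), ""
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.match(r"^default realm = (\S+)(?: \((\w+)\))?$", line):
            cfg.default_realm, cfg.external = m[1], m[2] == "external"
        elif m := re.match(r"^(\S+):$", line):
            realm = m[1]
            cfg.kdcs.setdefault(realm, [])
        elif m := re.match(r"^kdc = (\S+)$", line):
            cfg.kdcs.setdefault(realm, []).append(m[1])
        elif m := re.match(r"^Realm Flags = (0x[0-9A-Fa-f]+)", line):
            cfg.realm_flags[realm] = int(m[1], 16)
        elif re.match(r"^Mapping all users \(\*\) to a local account by the same name \(\*\)\.$", line):
            cfg.mappings.append(("*", "*"))
        elif m := re.match(r"^Mapping (\S+) to (\S+)\.$", line):
            cfg.mappings.append((m[1], m[2]))
    return cfg


def parse_listprincs(output: str) -> set[str]:
    """Principal names from `kadmin -q listprincs`; kadmin's own chatter
    ('Authenticating as ...', prompts) contains spaces and is skipped."""
    return {s for s in (l.strip() for l in output.splitlines()) if s and " " not in s}


def check_config(cfg: KsetupConfig, kdc_realm: str, client_fqdn: str,
                 principals: set[str]) -> list[str]:
    """Findings for the client config against the realm as the KDC spells it.
    Assumption: the host principal uses the lower-cased client FQDN, as in the
    walkthrough's WS03SRV1 -> host/ws03srv1.realm.reskit.com example."""
    out: list[str] = []
    realm = cfg.default_realm
    if not realm:
        return ["no default realm set (ksetup /setrealm)"]
    if not cfg.external:
        out.append(f"realm {realm!r} is not shown as (external) by ksetup")
    if realm != kdc_realm:
        kind = "case" if realm.lower() == kdc_realm.lower() else "name"
        out.append(f"realm {kind} mismatch: client {realm!r}, KDC {kdc_realm!r} "
                   "(Kerberos realm names are case-sensitive)")
    kdcs = cfg.kdcs.get(realm, [])
    if not kdcs:
        out.append(f"no KDC listed for {realm!r} (ksetup /addkdc); without one the "
                   "client can only locate a KDC through SRV records")
    out += [f"KDC {k!r} is not a fully qualified name; the client must resolve it"
            for k in kdcs if "." not in k]
    host_princ = f"host/{client_fqdn.lower()}@{kdc_realm}"
    if host_princ not in principals:
        out.append(f"host principal {host_princ!r} is not in the KDC database")
    if not cfg.mappings:
        out.append("no /mapuser mappings: no principal can log on to a local account")
    return out


# Constructed from the `ksetup` output quoted in the first post.
KSETUP_OK = """\
default realm = stanford.edu (external)
stanford.edu:
kdc = kerberos1.stanford.edu
kdc = kerberos2.stanford.edu
kdc = kerberos3.stanford.edu
Realm Flags = 0x0 none
Mapping all users (*) to a local account by the same name (*).
Mapping quanah@stanford.edu to quanah.
"""
# Constructed misconfiguration: realm typed in upper case, short KDC name, no mappings.
KSETUP_BAD = """\
default realm = STANFORD.EDU (external)
STANFORD.EDU:
kdc = kerberos1
Realm Flags = 0x0 none
"""
# Invented `kadmin -q listprincs` output; only the host and user principals are from the thread.
LISTPRINCS = """\
K/M@stanford.edu
host/sw-90-717-287-3.stanford.edu@stanford.edu
kadmin/admin@stanford.edu
kadmin/changepw@stanford.edu
krbtgt/stanford.edu@stanford.edu
quanah@stanford.edu
"""
KDC_REALM = "stanford.edu"
CLIENT_FQDN = "sw-90-717-287-3.stanford.edu"

if __name__ == "__main__":
    princs = parse_listprincs(LISTPRINCS)
    for label, text in (("ok", KSETUP_OK), ("bad", KSETUP_BAD)):
        findings = check_config(parse_ksetup(text), KDC_REALM, CLIENT_FQDN, princs)
        print(label, findings or ["no findings"])
```

    The "bad" sample reproduces the two things the replies suspect (an upper-case realm on the client against a lower-case MIT realm, and a KDC name that is not an FQDN) and reports them; the "ok" sample, which is the poster's real configuration, comes back clean.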

  5. RE: Windows Xp authentication to MIT KDC



    --On Saturday, May 27, 2006 9:59 AM -0700 Joey Seifert
    wrote:

    > The steps below should apply to Windows XP as well as Windows Server
    > 2003. I would also confirm the case of your realm. Usually realms are
    > upper case. If it is you should reconfigure your realm settings on the
    > XP client to match the case of the MIT realm.
    >
    > SRV records are not a requirement. As long as you define the FQDN of
    > the KDCs with the ksetup /addkdc command, you don't need SRV records but
    > you do need to be able to resolve the FQDN of the KDCs you specified.
    >
    >
    > Using an MIT KDC with a Standalone Windows Server 2003 Client
    > For the Windows Server 2003 client to use a non-Windows KDC, you must
    > configure both the non-Windows KDC and the Windows Server 2003 client as
    > described next.
    > To configure the MIT KDC server and the Windows Server 2003 client
    > 1. On the MIT KDC, create a host principal for the computer. Use
    > the command:
    >
    > kadmin -q "ank host/machine-name.dns-domain-name"
    >
    > Note: After executing the above command you will be prompted to provide
    > a password. Provide a complex password and make note of it. You will be
    > required to provide the same password in a subsequent command on the
    > Windows Server 2003 client.
    >
    > For example, if the Windows Server 2003 client name is WS03SRV1 and the
    > primary DNS suffix of this computer is realm.reskit.com, the principal
    > name is host/ws03srv1.realm.reskit.com.
    >
    > Kadmin is a utility that is part of the MIT Kerberos distribution.
    > 2. Run the Ksetup utility to configure the Windows Server 2003
    > client to be aware of the non-Windows KDC and realm.
    > Since the MIT realm is not an Active Directory domain, the
    > computer will be configured as a member of a workgroup. This is
    > automatic when you set the Kerberos realm and add a KDC server as
    > follows:
    >
    > C:> Ksetup /setrealm REALM.RESKIT.COM
    > C:> Ksetup /addkdc REALM.RESKIT.COM kdc.realm.reskit.com
    > Set the local machine account password, as follows:
    >
    > C:> Ksetup /setmachpassword password
    > Replace password with the password you supplied above in step 1.
    >
    > 3. Restart your computer for the changes to take effect. (This is a
    > required step.) Whenever changes are made to the realm or domain
    > membership, a restart is required.
    > 4. Use Ksetup to configure single sign on to local workstation
    > accounts. Define the account mappings; this will map local machine
    > accounts to Kerberos principals. For example:
    >
    > C:> Ksetup /mapuser auser@REALM.RESKIT.COM guest
    > C:> Ksetup /mapuser * *
    >
    > Note that the second command maps clients to local accounts of the same
    > name.
    > 5. Use Ksetup with no arguments to see the current settings.


    Joey,

    Thanks for the reply. Other than the "guest" mapping in step #4, none of
    these steps differ from what I already did. As you can see from the logs I
    supplied from my KDC, the host keytab is already set up, and both the
    windows box & the KDC are happily talking to one another, as the KDC logs
    me getting a tgt. I simply cannot log into my system. Is the "guest"
    mapping required? I'd thought that my two mappings I already have defined
    would cover things:


    Mapping all users (*) to a local account by the same name (*).
    Mapping quanah@stanford.edu to quanah.


    And yes, our K5 domain name is lower case.


    --Quanah

    --
    Quanah Gibson-Mount
    Principal Software Developer
    ITS/Shared Application Services
    Stanford University
    GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html


  6. Re: Windows Xp authentication to MIT KDC

    Hello,

    I have exactly the same issue, and I don't know where the error can come from. Getting a ticket without managing to log on successfully (Windows Server 2003 in my case) seems quite strange to me.

    Does anybody have feedback about that, or any suggestion about what the problem is?

    Thank you
