Issue with Ktpass usage + windows 2003 KDC + non windows client - Kerberos


Thread: Issue with Ktpass usage + windows 2003 KDC + non windows client

  1. Issue with Ktpass usage + windows 2003 KDC + non windows client

    Hi all,

    I am working on implementing Kerberos for IPsec for an embedded
    device. I am not able to test it with Windows 2003 server as KDC. But
    with 2000 server as KDC, it is working fine. When the device is acting
    as application server, the error is in accept_sec_context().

    The routine accept_sec_context() says Keytable version number doesn't
    match. Validation error. But I am able to get TGT for the application
    server using keytab. Are there any changes to the ktpass tool in 2003
    server when compared to ktpass tool given for 2000? I googled and found
    that keyversion number in 2003 is incremented unlike 2000 server. Is
    this the cause? I am creating the keytab file on the KDC and using
    it on the device. I am not able to find what's the cause for this
    failure. Can anybody please help me? How to find which keyversion to
    use when creating the keytab using ktpass tool on Windows 2003?

    Also, one more observation is, when I use the ktpass tool to map
    account to principal, it says failed to map the "servicePrincipalName".
    This is happening for the newly created account also. Can you please
    tell me if this is related to ktpass tool or it could be related to
    configuration error?

    Regards,
    Sandy.


  2. Re: Issue with Ktpass usage + windows 2003 KDC + non windows client

    sandypossible@gmail.com wrote:
    > Hi all,
    >
    > I am working on implementing Kerberos for IPsec for an embedded
    > device. I am not able to test it with Windows 2003 server as KDC. But
    > with 2000 server as KDC, it is working fine. When the device is acting
    > as application server, the error is in accept_sec_context().
    >
    > The routine accept_sec_context() says Keytable version number doesn't
    > match. Validation error. But I am able to get TGT for the application
    > server using keytab. Are there any changes to the ktpass tool in 2003
    > server when compared to ktpass tool given for 2000? I googled and found
    > that keyversion number in 2003 is incremented unlike 2000 server. Is
    > this the cause? I am creating the keytab file on the KDC and using
    > it on the device. I am not able to find what's the cause for this
    > failure. Can anybody please help me? How to find which keyversion to
    > use when creating the keytab using ktpass tool on Windows 2003?
    >
    > Also, one more observation is, when I use the ktpass tool to map
    > account to principal, it says failed to map the "servicePrincipalName".
    > This is happening for the newly created account also. Can you please
    > tell me if this is related to ktpass tool or it could be related to
    > configuration error?
    >
    > Regards,
    > Sandy.


    You can use the 'kvno' tool provided with MIT Kerberos to obtain the
    kvno for the requested ticket. For Windows 2000, the kvno is always 0.
    For Windows 2003, you have to specify the correct kvno when generating
    the keytab file with ktpass.
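
Added example (not part of the original posts): a Python parser that reads the key version numbers stored in an MIT-format keytab (file format 0x0502), so they can be compared with the kvno that the `kvno` tool reports for the service ticket. The principal name, key bytes and kvno values below are constructed sample data, and `build_entry` exists only to produce that sample.

```python
import struct

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, names = pos + 2, []
        for _ in range(ncomp + 1):         # realm first, then name components
            (n,) = struct.unpack_from(">H", data, p)
            names.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        p += 8                             # skip name type and timestamp
        kvno = data[p]                     # 8-bit key version number
        enctype, keylen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + keylen                    # key bytes are skipped, never returned
        if end - p >= 4:                   # optional 32-bit kvno overrides if nonzero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return entries

def check_kvno(entries, principal, ticket_kvno):
    """Return (ok, kvnos in keytab) for the kvno the KDC put in the ticket."""
    have = sorted({k for name, k, _ in entries if name == principal})
    return ticket_kvno in have, have

def build_entry(realm, components, kvno, enctype, key):
    """Build one constructed keytab entry so the example runs offline."""
    body = struct.pack(">H", len(components))
    for b in (s.encode() for s in [realm, *components]):
        body += struct.pack(">H", len(b)) + b
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: hypothetical principal, dummy key, enctype 23 (rc4-hmac).
SPN = "host/device.example.com@EXAMPLE.COM"
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.COM", ["host", "device.example.com"], 1, 23, b"\x00" * 16)
print(parse_keytab(SAMPLE), check_kvno(parse_keytab(SAMPLE), SPN, 3))
```

Here the keytab holds kvno 1 while the ticket carries kvno 3, so `check_kvno` returns `(False, [1])`, which is the condition the acceptor reports as a key version mismatch.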

  3. Re: Issue with Ktpass usage + windows 2003 KDC + non windows client

    On Sat, 23 Sep 2006 06:31:41 GMT
    Jeffrey Altman wrote:

    > For Windows 2003, you have to specify the correct kvno when generating
    > the keytab file with ktpass.


    Can you elaborate on this a little? With Windows 2003, I've never used
    the /kvno option with ktpass and it still always worked.

    I know about the kvno problem with Windows 2000. Perhaps you mean that
    the kvno option must be used with the Windows 2000 ktpass to set the
    proper kvno?

    Mike

    --
    Michael B Allen
    PHP Active Directory SSO
    http://www.ioplex.com/
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  4. Re: Issue with Ktpass usage + windows 2003 KDC + non windows client

    Hi All,

    By going through the previous posts on the issue, I found that it's better
    to use the ktpass tool given with 2003, not the sp1.

    The below link was useful:
    http://groups.google.com/group/comp....mO1nk4CbSXWulr

    I was successfully able to use the ktpass tool given with the windows
    2003.

    Thanks a lot.

    Michael B Allen wrote:
    > On Sat, 23 Sep 2006 06:31:41 GMT
    > Jeffrey Altman wrote:
    >
    > > For Windows 2003, you have to specify the correct kvno when generating
    > > the keytab file with ktpass.
    >
    > Can you elaborate on this a little? With Windows 2003, I've never used
    > the /kvno option with ktpass and it still always worked.
    >
    > I know about the kvno problem with Windows 2000. Perhaps you mean that
    > the kvno option must be used with the Windows 2000 ktpass to set the
    > proper kvno?
    >
    > Mike
    >
    > --
    > Michael B Allen
    > PHP Active Directory SSO
    > http://www.ioplex.com/
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos


