Authenticating Windows 7 against a MIT Kerberos 5 Server RRS feed

  • Question

  • Hi Guys,

    I'm in desperate need of a Kerberos Guru! I've been wracking my brains trying to get a Windows 7 client machine to authenticate against a Linux-based Kerberos 5 KDC server.

    I have setup the following on the Arch Linux server:

    • ank addpol hosts
    • ank addpol users
    • ank -policy users tom@TNET.LOC
    • ank -policy hosts -pw MYPASSWORDHERE host/wdesk3.tnet.loc
    • ACL file just looks like this: *@TNET.LOC *

    I have setup the following on the Windows 7 client:

    • A local user called tom with a password which differs to the kerberos account (so I can prove which account Windows is logging in with)
    • ksetup /SetRealm TNET.LOC
    • ksetup /AddKdc dc1.tnet.loc
    • ksetup /SetComputerPassword MYPASSWORDHERE
    • ksetup /MapUser * *
    • Rebooted the client

    However, when I attempt to logon to my realm, I get the error: "The user name or password is incorrect".

    The guys at MIT suggested that I try to run "runas /netonly /user:tom@TNET.LOC cmd.exe", **which works absolutely fine**, however when I remove the '/netonly' flag (they tell me this is closer to what the actual login procedure does); I get the exact same error as I did on login: "login failure: the user name or password is incorrect".

    Is there anybody who can tell me if MIT's Kerberos 5 still works with Windows? Is there a certain type of encryption method I am supposed to be using? Can anybody help me get this working? Has anybody seen this working before?

    Any help at all would be most greatly appreciated!

    Many Thanks in advance,

    Monday, April 5, 2010 9:31 PM

All replies

  • When I reboot the server I get the following in the KDC log file... might be related?

    Monday, April 5, 2010 9:59 PM
  • Hi Tom,

    It looks like there's an IP address problem on the KDC server itself. You can't change passwords over IPv6, so IPv4 DNS resolution needs to be setup properly. That's beyond my area of expertise. I do know, however, that interop is supported, but Windows 7 needs to have the following Secpol.msc settings turned on:

      secpol.msc à Local Policies à Security Options à Network Security: Configure encryption types allowed for Kerberos.  


    Wednesday, April 20, 2011 10:06 PM
  • I think you need this on the client:

    ksetup /addkpasswd TNET.LOC <IPv4 address of the KDC>

    Wednesday, April 20, 2011 10:26 PM