Authentication with external Kerberos Realm

    Question

    I know it's early to bring this up, but the Developer Preview does not seem to work in a domain that has a trust to an external Kerberos Realm. We are getting the error KRB5KRB_AP_ERR_BAD_INTEGRITY. This usually indicates a bad password or time, but in this case the time is good (Kerb tickets work when logging directly into the domain) and the password is verified good.

    Various combinations of encryption types have been tried: DES, RC4, AES, etc.

    Has anyone else tried this configuration yet?

    Karen

    Friday, September 16, 2011 2:39 PM

All replies

  • Hi Karen,

    I was wondering if you could tell me more about this problem. For instance, where do you see the error KRB5KRB_AP_ERR_BAD_INTEGRITY coming from, an API or a tool? I.e., are you developing an application and you get this error, or are you trying to join the Win8 machine to the Kerberos realm and you get an error from the UI or a utility (such as ktpass.exe)?

    Where did you specify the encryption types DES, RC4, AES... via an interface or a utility?

    I am just trying to get at whether this is a programming or a configuration issue. It seems like a configuration issue, but I just want to be sure.

    Thank you - Mark

    Friday, September 16, 2011 9:12 PM
  • I've added a Win8 machine to my production AD domain to test some of our processes on it. The domain serves a single department of a large organisation. The organisation does not run AD but does run a Kerberos realm. A trust exists between the two. An existing GPO allows the following encryption types for Kerberos:

     

     DES-CBC-CRC,DES-CBC-MD5,RC4-HMAC_MD5,AES128-CTS-HMAC-SHA1,AES256-CTS-HMAC-SHA1,Future encryption types

     

    Passwords for AD domain user accounts are not sync'd with the Kerberos Realm and are not disclosed to users. An existing GPO applies the Kerberos principles and sets the Kerberos realm as the default domain for logon. So when Kerberos username and password are submitted to the Win8 machine, the user is correctly authenticated by the Kerberos realm and authorized by the AD domain.
     
    All is as it should be and ever was. Until the user's session is locked and they attempt to unlock it, whereupon Win8 prompts for the AD domain password which is not disclosed to users!
     
    * Cue switchboard overloaded with calls from thousands of locked-out users just back from lunch! *
     
    Dear Mr. Ballmer, please put your best people on this now. Thanks, Mark

    Wednesday, December 7, 2011 11:45 AM