Now we want to switch from Windows AD to MIT KDC. Currently Windows can be authenticated by MIT KDC without any problem, but the Windows API LSALogonUser() in our application fails.

Nov 03 14:01:40 niuniu krb5kdc[13724](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 192.168.0.5: LOOKING_UP_SERVER: authtime 0, host/win11client.mylab.com@MYLAB.COM for host\/win11client.mylab.com@MYLAB.COM, Server not found in Kerberos database
From the MIT Kerberos documentation, I can see that S4U can be supported. My question is: for S4U, does MIT KDC have interoperability with the Windows API? Any feedback will be greatly appreciated.
In fact, the principal "host/win11client.mylab.com@MYLAB.COM" exists. In Wireshark I can see that Windows sends "host/win11client.mylab.com@MYLAB.COM" as the sname; the KDC converts the sname to host\/win11client.mylab.com@MYLAB.COM.

I had a look at the code but found no parameter or setting that can change this behavior.

The digitally signed Privilege Attribute Certificate (PAC) that contains the authorization information for client user in realm MYLAB.COM could not be validated.
This error is usually caused by domain trust failures; Contact your system administrator.
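A log-parsing check for the symptom described in this post, added here as an example (it is not code from the post, from the poster, or from MIT Kerberos). It parses a krb5kdc TGS_REQ log line, splits the logged server principal while honouring MIT's backslash escaping, and reports whether the name the KDC looked up collapsed into a single component containing a literal slash, which cannot match a two-component host/<fqdn> entry in the database. The sample log line is constructed from the one quoted above; the function and field names are my own.

```python
"""Parse an MIT krb5kdc TGS_REQ log line and flag an escaped-slash sname.

Added example, not code from the mailing-list post or from MIT Kerberos.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the krb5kdc line quoted in the post.
SAMPLE_LOG_LINE = (
    "Nov 03 14:01:40 niuniu krb5kdc[13724](info): TGS_REQ (5 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), "
    "UNSUPPORTED:(-135)}) 192.168.0.5: LOOKING_UP_SERVER: authtime 0, "
    "host/win11client.mylab.com@MYLAB.COM for "
    "host\\/win11client.mylab.com@MYLAB.COM, Server not found in Kerberos database"
)

# MIT logs TGS requests as: "TGS_REQ (<etypes>) <ip>: <stage>: authtime <n>, <client> for <server>, <error>"
TGS_REQ_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): TGS_REQ "
    r"\((?P<netypes>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client_ip>\S+): (?P<stage>[A-Z_]+): authtime (?P<authtime>\d+), ?"
    r"(?P<client>\S+) for (?P<server>[^,]+)(?:, (?P<error>.*))?$"
)


@dataclass
class TgsReqEntry:
    pid: int
    etypes: list[str]
    client_ip: str
    stage: str
    client: str
    server: str
    error: Optional[str]


def parse_tgs_req(line: str) -> TgsReqEntry:
    """Extract the fields of one krb5kdc TGS_REQ log line."""
    m = TGS_REQ_RE.search(line)
    if not m:
        raise ValueError("not a krb5kdc TGS_REQ line")
    etypes = [e.strip() for e in m["etypes"].split(",") if e.strip()]
    return TgsReqEntry(int(m["pid"]), etypes, m["client_ip"], m["stage"],
                       m["client"], m["server"].strip(), m["error"])


# Backslash escapes MIT krb5 uses when printing principal components.
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


def split_principal(text: str) -> tuple[list[str], str]:
    """Split an MIT-style principal string into (components, realm).

    An unescaped '/' separates components and an unescaped '@' starts the
    realm; '\\/' and '\\@' are literal characters inside a component.
    """
    comps: list[str] = []
    cur: list[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            cur.append(_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        if not in_realm and c == "/":
            comps.append("".join(cur))
            cur = []
        elif not in_realm and c == "@":
            comps.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(c)
        i += 1
    if in_realm:
        return comps, "".join(cur)
    comps.append("".join(cur))
    return comps, ""


def diagnose(entry: TgsReqEntry) -> dict:
    """Summarise why the server lookup in this TGS_REQ could have failed."""
    comps, realm = split_principal(entry.server)
    return {
        "server_components": comps,
        "server_realm": realm,
        # A single component containing '/' means the KDC looked up a
        # one-component name, which never matches host/<fqdn> in the database.
        "slash_escaped_in_sname": len(comps) == 1 and "/" in comps[0],
        "lookup_failed": bool(entry.error and "not found" in entry.error),
        "legacy_etypes_offered": [e for e in entry.etypes
                                  if e.startswith(("DEPRECATED", "UNSUPPORTED"))],
    }


if __name__ == "__main__":
    for key, value in diagnose(parse_tgs_req(SAMPLE_LOG_LINE)).items():
        print(f"{key}: {value}")
```

Run against the quoted line, the check reports the logged server name as one component "host/win11client.mylab.com" in realm MYLAB.COM, which is why the KDC's database lookup fails even though the two-component principal exists; it also lists the RC4 etypes the client still offers, which are worth tightening once the name issue is resolved.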