I am making some progress with this and no longer believe it to be a Kerberos issue (not directly).

Our Windows admins have enabled enhanced logging of the KDC service in Windows, and now instead of just a straight "0xC: KDC Policy rejects this request", we still get the 0xC error, but we get enhanced info stating "NT Status: STATUS_INVALID_WORKSTATION (0xc0000070)".

If anyone wants to know the registry keys changed to get this logging, it was HKLM\SYSTEM\CurrentControlSet\Services\KDC, then kdcdebuglevel (DWORD, value=0x10000000) and kdcextraloglevel (DWORD, 0x00000004).

It looks as though the request is being rejected because AD expects to find some form of workstation entry for this host. I thought the ktpass side should cater for this, but obviously I am wrong. I will continue to investigate this with our Windows admins and will post back if I fix it.

On 27 Aug, 20:49, Tom Yu <[EMAIL PROTECTED]> wrote:
> "Richard Curtis" <[EMAIL PROTECTED]> writes:
>
> > Hi,
> > I am trying to get an HPUX 11i box to authenticate against our
> > active directory (Windows 2003r2) domain with kerberos but I am
> > getting nowhere fast.
> >
> > As per the docs I have, I have created a user account in active
> > directory, then used "ktpass -princ
> > host/[EMAIL PROTECTED] -mapuser unix_lient
> > -pass <pass> -out c:\krb5.keytab"
> > The keytab looks fine when I used ktutil, but I cannot do a kinit... I
> > keep getting "KDC policy rejects request for this entry"
>
> It may be that the AD server is forbidding the use of the
> "host/unix_client.domain.host.com" principal as a client principal.

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
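The registry procedure the post describes, as an added PowerShell example that is not part of the thread and not anything the poster or the list published: it sets the two KDC logging values named in the post, restarts the KDC so they take effect, and then reads the resulting KDC events from the System log on the domain controller after the failing kinit has been retried. One extra check is included: NT status 0xC0000070 (STATUS_INVALID_WORKSTATION) is the status Windows returns when an account is restricted to logging on from specific workstations (the "Log On To..." setting, stored in the userWorkstations attribute and exposed as LogonWorkstations by Get-ADUser), so the script also prints that attribute for the mapped account. Whether that restriction is the cause in this thread is exactly what the poster was still investigating, so treat it as a check, not a conclusion. The event provider name, the account name unix_client (the post has unix_lient; Tom Yu's reply uses unix_client) and the ten-minute lookback window are assumptions.

```powershell
# Added example, not from the mailing-list thread. Run in an elevated PowerShell
# on the Windows 2003 R2 domain controller (the RSAT ActiveDirectory module is
# needed for the last step). Registry path and value names/data are the ones
# given in the post; everything else below is an assumption for illustration.

$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

# 1. Enable the enhanced KDC logging exactly as described in the post.
#    New-ItemProperty -Force overwrites the values if they already exist.
New-ItemProperty -Path $kdcKey -Name 'KdcDebugLevel'    -PropertyType DWord -Value 0x10000000 -Force | Out-Null
New-ItemProperty -Path $kdcKey -Name 'KdcExtraLogLevel' -PropertyType DWord -Value 0x00000004 -Force | Out-Null

# 2. The KDC reads these values at start-up, so restart it. Brief outage for
#    ticket issuance on this DC; do this in a maintenance window.
Restart-Service -Name 'Kdc'

# 3. Now re-run the failing kinit from the HP-UX box, then pull the KDC events
#    logged since the restart. The provider name is an assumption; on older
#    systems the events appear under source "KDC" in the System log instead.
$since = (Get-Date).AddMinutes(-10)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Surface only the entries carrying the status from the post.
$events |
    Where-Object { $_.Message -match 'STATUS_INVALID_WORKSTATION|0xc0000070' } |
    Format-List TimeCreated, Id, Message

# 4. Check: 0xC0000070 is the NT status for an account that is not allowed to
#    log on from the source workstation ("Log On To..." on the account). Print
#    the relevant attributes for the account ktpass mapped the principal to.
#    Account name is assumed (see lead-in).
Import-Module ActiveDirectory
Get-ADUser -Identity 'unix_client' -Properties LogonWorkstations, UserPrincipalName, ServicePrincipalNames |
    Select-Object Name, LogonWorkstations, UserPrincipalName, ServicePrincipalNames |
    Format-List

# 5. Once the investigation is done, remove the debug values and restart the
#    KDC again; the extra logging is verbose and not meant to stay on.
# Remove-ItemProperty -Path $kdcKey -Name 'KdcDebugLevel','KdcExtraLogLevel'
# Restart-Service -Name 'Kdc'
```

If LogonWorkstations is non-empty it lists the only NetBIOS names the account may log on from, and a kinit from a host not in that list fails before any Kerberos policy is evaluated, which would match the error text in the post; if it is empty, the restriction is not the explanation and the remaining events from step 3 are the next thing to read.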
