Hi all, Could someone tell me how to fix KRB5KRB_AP_ERR_BAD_INTEGRITY error, The search results tell me that it is because on "Decrypt integrity check failed". How do I fix this issue?
Regards, Ranjith. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Mauricio Tavares Sent: Tuesday, September 06, 2011 3:56 PM To: [email protected] Subject: Re: Kerberos & AD Setup Issue On Tue, Sep 6, 2011 at 10:32 AM, Ranjith Murugan <[email protected]> wrote: > Hi all > > > > I have been trying to setup an Kerberos and Active Directory setup, Seeing > the same issue you have mentioned in you post (Preauth and ticket > forwarding). I am currently not able to login to a windows machine using a > kerberos user. The Kerberos Server logs show a error [NEEDED_PREAUTH: > <mailto:[email protected]> [email protected] for > <mailto:krbtgt/[email protected]> krbtgt/[email protected], Additional > pre-authentication required]. > > > > Error from the kerberos server: > > > > Sep 06 15:20:14 lhr-qa12 krb5kdc[8654](info): AS_REQ (7 etypes {23 -133 > -128 3 1 24 -135}) 10.20.221.180: NEEDED_PREAUTH: [email protected] for > krbtgt/[email protected], Additional pre-authentication required > > Sep 06 15:20:14 lhr-qa12 krb5kdc[8654](info): AS_REQ (2 etypes {3 1}) > 10.20.221.180: ISSUE: authtime 1315318814, etypes {rep=3 tkt=1 ses=1}, > [email protected] for krbtgt/[email protected] > > Sep 06 15:20:14 lhr-qa12 krb5kdc[8654](info): TGS_REQ (7 etypes {23 -133 > -128 3 1 24 -135}) 10.20.221.180: ISSUE: authtime 1315318814, etypes > {rep=1 tkt=1 ses=1}, [email protected] for krbtgt/[email protected] > > Sep 06 15:20:14 lhr-qa12 krb5kdc[8654](info): TGS_REQ (7 etypes {23 -133 > -128 3 1 24 -135}) 10.20.221.180: ISSUE: authtime 1315318814, etypes > {rep=1 tkt=16 ses=1}, [email protected] for > <mailto:host/[email protected]> host/[email protected] > > > > Environment: > > - Kerberos Server(Ubuntu 10.10) > > - AD - Windows 2003 R2 > > > > Tried to do an Wireshark trace on the communication between the Windows AD > and Kerberos Server, I found that the PA-ENC-TIMESTAMP - data missing, > Could someone let me know if I am missing some configuration information. > Dumb question: which encryption types did you configure in the Windows box? If you want to do a quick test, create the windows host principal in the kdc using just arcfour and see if you are able to connect. ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
