OK, so I fixed the kvno and its still not working. Looking at the mit
kerberos log I see the following for the control:
Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes
{17 23 16}) 192.168.2.102: NEEDED_PREAUTH: HTTP/[email protected]
for krbtgt/[email protected], Additional pre-authentication required
Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes
{17 23 16}) 192.168.2.102: ISSUE: authtime 1448160475, etypes {rep=17
tkt=18 ses=17}, HTTP/[email protected] for
krbtgt/[email protected]
Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes
{17 23 16}) 192.168.2.102: ISSUE: authtime 1448160475, etypes {rep=17
tkt=18 ses=17}, HTTP/[email protected] for
HTTP/[email protected]
here's for kerby
Nov 21 21:47:11 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes
{17}) 192.168.2.102: ISSUE: authtime 1448160431, etypes {rep=17 tkt=18
ses=17}, HTTP/[email protected] for krbtgt/[email protected]
Nov 21 21:47:11 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes
{17}) 192.168.2.102: PROCESS_TGS: authtime 0, <unknown client> for
HTTP/[email protected], ASN.1 structure is missing a required
field
The TGS_REQ line shows that the client is unknown...so maybe there's an
issue with how the TGT is being used to create SGT in Kerby?
