Marc, glad we made some thing clear. I also noted the unknown client issue (authtime = 0) and had already checked the MIT codes, but had no idea where exactly it is emitted. We need to debug to figure it out. I have a MIT KDC installation. May be you could let know how to repeat this in my side? In the process, is the TGS-REQ separated from AS-REQ? If so, you might try use the TGT generated by MIT client -> MIT KDC, and then use the TGT for Kerby client -> MIT KDC. I'm working on Kerby CMS/X509 things, but surely would have some time on this given more inputs. Thanks.
Regards, Kai -----Original Message----- From: Marc Boorshtein [mailto:[email protected]] Sent: Sunday, November 22, 2015 11:13 AM To: [email protected] Subject: Re: KDC is rejecting my TGS OK, so I fixed the kvno and its still not working. Looking at the mit kerberos log I see the following for the control: Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 192.168.2.102: NEEDED_PREAUTH: HTTP/[email protected] for krbtgt/[email protected], Additional pre-authentication required Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (3 etypes {17 23 16}) 192.168.2.102: ISSUE: authtime 1448160475, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for krbtgt/[email protected] Nov 21 21:47:55 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (3 etypes {17 23 16}) 192.168.2.102: ISSUE: authtime 1448160475, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for HTTP/[email protected] here's for kerby Nov 21 21:47:11 freeipa.rhelent.lan krb5kdc[7507](info): AS_REQ (1 etypes {17}) 192.168.2.102: ISSUE: authtime 1448160431, etypes {rep=17 tkt=18 ses=17}, HTTP/[email protected] for krbtgt/[email protected] Nov 21 21:47:11 freeipa.rhelent.lan krb5kdc[7507](info): TGS_REQ (1 etypes {17}) 192.168.2.102: PROCESS_TGS: authtime 0, <unknown client> for HTTP/[email protected], ASN.1 structure is missing a required field The TGS_REQ line shows that the client is unknown...so maybe there's an issue with how the TGT is being used to create SGT in Kerby?
