Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation are likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used platforms.

1136 questions
4 votes, 1 answer

Can I share one SPN between two service accounts?

I am running IIS and SQL Reporting Server on the same server. IIS runs as d\acct1 and SSRS is running as d\acct2. Initially, I registered an SPN HTTP/server.d.com for both d\acct1 and d\acct2 and configured both for unconstrained kerberos delegation…
Ryan Michela
4 votes, 1 answer

Kerberos - Maximum renewable lifetime

I am trying to set the maximum renewable lifetime of the issued Kerberos tickets to 365 days, however, the following changes that I have made seem to be ignored: Inside /etc/krb5.conf: [libdefaults] ... renew_lifetime =…
sacrum_victum
4 votes, 1 answer

Apache 2.4 with Kerberos Auth and LDAP Authorization

I am trying to set up an Apache SVN repository with Kerberos authentication and LDAP group membership authorization, so that only users that belong to a specific group can access it. Kerberos auth on its own is working OK, as LDAP on its own does.…
vidas
4 votes, 2 answers

Ubuntu SSH passwordless login using kerberos

This is driving me batty. I'm trying to set up an AD integrated Ubuntu 16.04 server to accept Kerberos tickets when logging in via SSH. I have a CentOS 7 server that accepts tickets without a problem after being joined to the AD domain, but I haven't…
quinnr
4 votes, 2 answers

SSSD AD synchronization fails after Active Directory UPN change

I have recently run into a problem with my AD integration on a number of debian boxes. I use SSSD and krb5 to allow PAM to synchronize and authenticate users against the Active Directory. This has been working for over a year, until the AD…
Martin Nielsen
4 votes, 2 answers

Using resources in foreign Kerberos Realm from windows without cross-domain trust?

I'm not a Windows person at all, but I understand the basic idea that an Active Directory is LDAP + Kerberos 5 + microsoft special sauce. So, in a situation where I have a windows machine over which I have no control which is in an existing Active…
dlakelan
4 votes, 1 answer

Are there non-DC KDCs in Active Directory?

Each Active Directory domain controller acts as a KDC, AFAIK. But are there any cases when Active Directory could have a standalone KDC server? Is it even possible with Active Directory?
bahrep
4 votes, 1 answer

Can Windows Authenticate Against ApacheDS?

ApacheDS claims to have support for ldap and Kerberos, so is it possible to authenticate Windows machines using it?
leeand00
4 votes, 0 answers

Questions about ktpass/kerberos with Active Directory

I got a few questions about Kerberos with Active Directory, specifically about the ktpass tool. The example AD I'm using (everything is on 2012R2 level): Active Directory Domain Name: ad.example.com Domain Controller: dc.ad.example.com Service…
Fionn
4 votes, 2 answers

Clients can't update dNSHostName attribute after DNS suffix change

We have a bunch of Windows 7 and Windows Vista clients that belong to domain contoso.com. The clients are registered in DNS to client.contoso.com. We have changed the DNS suffix via GPO from client.contoso.com to contoso.com. This worked fine for…
Matthias Güntert
4 votes, 2 answers

AWS Simple AD: "KDC has no support for encryption type" for users created with adtool, but not with MS Management Console

Background I am trying to log in (via SSH, to an Amazon Linux EC2 instance running sssd) as users that I've created in my AWS Directory Services Simple AD. I am authenticating with kerberos and identifying the user with LDAP (all through…
2rs2ts
4 votes, 0 answers

Windows Authentication to a Remote Server within an Intranet Environment

I have several servers (all on the same DC) within an Intranet environment at my company. For simplicity, I'll focus my question on the IIS and SQL Servers. I have an IIS 7.5 web server and a remote SQL Server 2005 on another machine on the…
4 votes, 1 answer

At which point does a changed computer group membership become active?

When adding a computer object to an AD group, at which point in time does the group membership become active? Is there some kind of kerberos refresh interval (similar to group policy refresh)? I know it becomes active for sure when the computer…
Matthias Güntert
4 votes, 3 answers

Alternatives to Kerberos for passwordless server access

I have a bunch of Linux servers and three Windows servers 2008 R2. I would need a solution which would enable passwordless SSH login from each of those servers to all others. I could do this by generating keys on all machines and distribute them to…
Reb
4 votes, 1 answer

Why is sshd engaging PAM still?

Background/Behavior is: if you ssh to box via and GSSAPI/Kerberos succeeds and you have a local user in /etc/passwd, you login fine per below PAM config. All Good there. But if you don't have a local user in /etc/passwd but you can get a…
jouell