Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation are likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used platforms.

1136 questions
13 votes, 5 answers

Track Down Which Process/Program is Causing Kerberos pre-authentication error (Code 0x18)

We have a domain account that is being locked out via 1 of 2 servers. The built-in auditing only tells us that much (locked out from SERVER1, SERVER2). The account gets locked out within 5 minutes, about 1 request per minute it seems. I initially…
13 votes, 3 answers

How to automate kinit process to obtain TGT for Kerberos?

I'm currently writing a puppet module to automate the process of joining RHEL servers to an AD domain, with support for Kerberos. Currently, I have problems with automatically obtaining and caching a Kerberos ticket-granting ticket via kinit. If this were…
tore-
12 votes, 2 answers

Kerberos ktutil, what kinds of encryption are available?

I am attempting to make a keytab using ktutil. I get to choose the encryption type, but the ktutil man page does not offer a list of possible choices. I also don't know which encryption method is the best! How can I find out both of these? I want…
Dylan Klomparens
12 votes, 7 answers

Retrieve the current Kerberos KVNO from Active Directory

I have a Kerberos problem with a Linux host connecting to a Windows KDC. I suspect that a Kerberos key with the wrong version is to blame. One way to be sure would be to delete the SPN and create it anew, but this is in a production environment and I…
ixe013
12 votes, 6 answers

How can I check if my IIS site is using NTLM or Kerberos?

How can I check if my IIS site is using NTLM or Kerberos? And how can I change authentication from Kerberos to NTLM? I'm using IIS 7.5.
KlimczakM
12 votes, 3 answers

Integrated Windows Authentication with Apache HTTP Server on Linux

What is the best way to enable Integrated Windows Authentication for a PHP web application running on Apache2/Linux? There is a Windows Domain Controller in the network which should be used for authentication. I found these apache…
12 votes, 3 answers

Apache mod_auth_kerb and LDAP user groups

I've been considering deploying mod_auth_kerb on our internal web servers to enable SSO. The one obvious problem I can see is that it's an all-or-nothing approach, either all your domain users can access a site or not. Is it possible to combine…
Kamil Kisiel
12 votes, 5 answers

Which kerberos flavor?

So I'm setting up a small network with all the standard stuff (files, email, etc.) and I've decided to go with a Kerberos+LDAP solution. Any ideas or recommendations on Heimdal vs. MIT? I've used MIT before, and tangentially Heimdal, but I don't…
Michael Lowman
11 votes, 2 answers

Kerberos KDC has no support for encryption type while getting credentials

I am configuring an apache/SSO authentication with an AD with Kerberos. My http server is a Debian Wheezy and the AD is a Windows Server 2012. I generated keytab files on WS2012 with the kpass command for each encryption type available on WS2012. When…
lazzio
11 votes, 3 answers

Putty Kerberos/GSSAPI authentication

I configured a few Linux servers to authenticate with Active Directory Kerberos using sssd on RHEL6. I also enabled GSSAPI authentication in hopes of passwordless logins. But I can't seem to get Putty (0.63) to authenticate without a…
xdfil
11 votes, 4 answers

Multiple Realms and Multiple TGTs under MIT Kerberos for Windows

My local computer uses Windows 7 Pro and belongs to realm LR, managed by AD servers. I login to my computer while attached to that realm's network. I can view the TGT with MIT Kerberos for Windows ver. 4.0.1. I want to access resources on a foreign…
Toddius Zho
11 votes, 2 answers

Permissions to create an spn

According to some of the documentation I've read the service account for SQL server will create an SPN when the database engine starts up, allowing for kerberos authentication. I haven't been able to find any documentation that states what…
Thirster42
11 votes, 1 answer

How to tell mod_auth_kerb to do its job despite no "require valid-user"

I implemented a SSO authentication using mod_auth_kerb on Apache. My config looks like this: AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate on KrbAuthoritative on KrbVerifyKDC on …
Benjamin Wohlwend
10 votes, 2 answers

Is this Kerberos/AD setup possible?

We have a slightly complicated IDAM setup: I.e. the end user's machine and browser sit in one network with the parent AD, and our Jetty-based application and the AD that it can talk to (local AD) sit in the other. There is a two-way trust between…
Rob Grant
10 votes, 5 answers

How to integrate Active Directory with FreeBSD 10.0 using security/sssd?

What are the required steps to authenticate users from an Active Directory running on Windows Server 2012 R2 in FreeBSD 10.0 using sssd with the AD backend with Kerberos TGT working?