Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation are likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used platforms.

1136 questions
0 votes, 1 answer

Kerberos: ticket with no REALM after principal name (i.e. `principal@`)

When I run a klist after ssh-ing into a Kerberized instance, I obtain the TGS for the principal host/vmtest001, however, why do I get two of them including one with no REALM after the @ separator? Here is the output of klist: Ticket cache:…
0 votes, 0 answers

Why isn't Kerberos used for SSO to cloud apps?

When comparing Kerberos to SAML, a common argument on StackOverflow sites and the rest of Internet is that SAML is for Internet / cloud applications while Kerberos is for enterprise LAN. There are several claims to support such an…
Ryan
0 votes, 1 answer

Subversion repository throws HTTP 403 Bad Request when accessed via https & Kerberos (Windows Integrated) authentication

We encountered this problem with different versions of OS & Subversion on the server side, the following details being the same: We used https protocol to access the SVN repositories. We used Apache HTTPD + mod_dav_svn + mod_authz_svn. We also used…
Attila Csipak
0 votes, 0 answers

IIS: Kerberos authentication only works from local machine

I'm setting up an IIS application on a server within my domain. I configured SPNs and settings to allow Windows authentication to work with Kerberos and Single Sign On, and everything works fine on my local machine. The problem is that whenever I…
0 votes, 1 answer

What will happen if a Kerberos timestamp is futuristic?

In Kerberos authentication, a timestamp is added to the encrypted messages in order to prevent replay attacks. Basically, once someone decrypts a message that was sent to him, he compares the timestamp with the current time, and if it can tolerate…
0 votes, 1 answer

In SASL authentication, are the messages between a particular client and server the same every time it connects?

I wrote a test client and server using the Cyrus SASL library, and I'm manually forcing it to select GSSAPI as the mechanism. While debugging, I printed the md5sum of each message as it was passed between the two. I noticed that the sequence seems…
karenc
0 votes, 1 answer

Implementing LDAP with Public IP

I'd like to implement an LDAP using FreeIPA for centralized authentication and for security's sake (Kerberos). The problem is my servers (Ubuntu) are running in a public cloud with no private interface provided. So, my only choice is using public, but I'm…
BTH.S3
0 votes, 1 answer

Getting javax.naming.CommunicationException: Connection reset and AD "event ID 1216" while trying to perform LDAP search using JNDI and GSSAPI

I am trying to analyze the reason for exceptions/failures during the LDAP search. I am performing operations using JNDI on an Active Directory domain controller. Here is the background for the things that I am trying to do: Using SASL (Kerberos…
0 votes, 0 answers

Cygwin and Kerberos for GSSAPI

I'm trying to set up a Cygwin instance running in Windows Server 2019, joined to a domain. OpenSSH Server is successfully installed in Cygwin and working with the password method for AD users. The goal is to enable GSSAPI for SSO login. However, Kerberos…
rgomez
0 votes, 1 answer

Kerberos using JAAS and SMB protocol

We are using JAAS for Kerberos authentication. As a requirement from the customer, we want to make sure that SMB v2 or higher is used during communication with the KDC/AD. I've a few basic questions related to this. Please excuse me if I sound too…
0 votes, 1 answer

Kerberos rdns=false Breaking Connections From Linux Clients to Windows IIS Server

Recently I changed the krb5.conf file on Linux clients to use: [libdefaults] rdns = false These clients can still successfully use Kerberos auth to connect to other Linux webservers. However, now their connections break to IIS webservers. An…
0 votes, 1 answer

Ubuntu ignores default_ccache_name

I'm having trouble with Kerberos and Ubuntu 20.04. I'm running a FreeIPA server, but since it works on my CentOS machines, I guess it's a client issue. The big goal is to have an SSO system for multiple services. Mostly it works as intended, but one…
Poehli
0 votes, 1 answer

Windows gMSA How To Secure Use of CredentialSpec Used By Docker Container Engine

The gMSA strategy Microsoft recommends for Containers here and here works very well. The general idea is the Container host retrieves the gMSA password from an Active Directory domain controller and gives it to the Container. The Identity…
0 votes, 2 answers

Errors with new version of Kerberos | CentOS 8

Yesterday all Kerberos packages in my container builds got updated to 1.18.2-5.el8 and 1.17-18.el8 is no longer available. This is causing some big problems on servers. Our connections all show Pre-authentication failed: No key table entry found…
David West
0 votes, 1 answer

Why am I getting the Kerberos error "Failed to decrypt AP-REQ ticket"?

I'm trying to get SASL + OpenLDAP working over saslauthd to AD via Kerberos. I've fired up saslauthd in debug mode and am getting the error below in the trace log when I try to su to the LDAP account user101: [12450] 1605731046.958412: Failed to…