kinit: Client not found in Kerberos database while getting initial credentials


Hi all,

I am trying to configure an application that uses Kerberos authentication.

Error message:

kinit: Client not found in Kerberos database while getting initial credentials

  1. I use a Windows Server 2003 domain controller as LDAP server, a Tomcat application (on Linux), an IIS application client, and an Apache load balancer.
  2. There is a multidomain environment: russia.domain.net, europa.domain.net, asia.domain.net;
  3. The Tomcat and IIS servers work behind a proxy server (Apache on Linux).
  4. For the applications I created 2 DNS records of type A. The DNS records use the IP address of the Apache proxy server:
  • application-sandbox.russia.domain.net
  • applicationweb-sandbox.russia.domain.net

To configure Kerberos authentication I have performed the following steps:

1. Create a user account in the europa domain and configure delegation for it:

europe\application_sandbox

2. Register the SPN for the account:

setspn -a http/application-sandbox.russia.domain.net europe\application_sandbox

setspn -a http/application-sandbox europe\application_sandbox

3. After that I verified the SPN registered for the account:

setspn.exe -l europe\application_sandbox
registered serviceprincipalnames cn=kxxb999,ou=users,dc=europe,dc=domain,dc=net:
        http/application-sandbox
        http/application-sandbox.russia.domain.net

4. After that I generated the keytab file:

ktpass /princ http/application-sandbox.russia.domain.net@russia.domain.net /ptype krb5_nt_principal /crypto rc4-hmac-nt /mapuser europe\application_sandbox /out application_sandbox.keytab -kvno 0 /pass pa$$w0rd

5. The properties of the account look like the following:

get-aduser -identity application_sandbox -properties cn, serviceprincipalnames, userprincipalname

cn                    : kxxb999
distinguishedname     : cn=kxxb999,ou=users,dc=europe,dc=domain,dc=net
enabled               : true
givenname             :
name                  : kxxb999
objectclass           : user
samaccountname        : application_sandbox
serviceprincipalnames : {http/application-sandbox, http/application-sandbox.russia.domain.net}
surname               : application_sandbox
userprincipalname     : http/application-sandbox.russia.domain.net@russia.domain.net

Note: the CN and the user logon name are different. The SPN is registered for the DNS record.

There is no computer in the domain with the name application-sandbox.russia.domain.net; the DNS record is for the application.

6. Copy the keytab file to the Linux machine, configure the krb5.conf file, and try to get a TGT for the registered principal name.

krb5.conf file:

[libdefaults]
  default_realm = europe.domain.net
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_tkt_enctypes = rc4-hmac
  default_tgs_enctypes = rc4-hmac

[realms]
  russia.domain.net = {
    kdc = dc01.russia.domain.net
    admin_server = dc01.russia.domain.net
    default_domain = russia.domain.net
  }
  europe.domain.net = {
    kdc = dc01.europe.domain.net
    admin_server = dc01.europe.domain.net
    default_domain = europe.domain.net
  }

[domain_realm]
  europe.domain.net = europe.domain.net
  .europe.domain.net = europe.domain.net
  russia.domain.net = russia.domain.net
  .russia.domain.net = russia.domain.net

[appdefaults]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true

Then I verified the created keytab file:

klist -e -k -t application_sandbox.keytab
keytab name: file:application_sandbox.keytab
kvno timestamp         principal
---- ----------------- --------------------------------------------------------
   0 01/01/70 01:00:00 http/application-sandbox.russia.domain.net@russia.domain.net (arcfour-hmac)


And tried to get a TGT ticket:

kinit -v -k -t application_sandbox.keytab http/application-sandbox.russia.domain.net@russia.domain.net
using default cache: /tmp/krb5cc_0
using principal: http/application-sandbox.russia.domain.net@russia.domain.net
using keytab: application_sandbox.keytab
kinit: client not found in kerberos database while getting initial credentials

But if I use the sAMAccountName, the kinit command can acquire a TGT ticket:

[root@localhost security]# kinit application_sandbox
password for application_sandbox@europe.domain.net:
[root@localhost security]# klist
ticket cache: file:/tmp/krb5cc_0
default principal: application_sandbox@europe.domain.net

valid starting     expires            service principal
06/30/14 16:37:41  07/01/14 02:37:38  krbtgt/europe.domain.net@europe.domain.net
        renew until 07/01/14 16:37:41

I'm in trouble. Has anyone faced this problem?

Thank you



Hi all,

Following Amy's answer, I thought about why the user principal is not found in the Kerberos database, e.g. the AD domain.

My HTTP service works in the russia domain, but the user principal was created in the europe domain.

Next, I have checked the ktpass command:

ktpass /princ http/application-sandbox.russia.domain.net@russia.domain.net /ptype krb5_nt_principal /crypto rc4-hmac-nt /mapuser europe\application_sandbox /out application_sandbox.keytab -kvno 0 /pass pa$$w0rd

especially the following parameters:

/princ http/application-sandbox.russia.domain.net@russia.domain.net

/mapuser europe\application_sandbox

When generating the keytab, it changes the user logon name to http/application-sandbox.russia.domain.net and sets the domain to russia.domain.net.

But there is no user principal name application_sandbox in the russia.domain.net domain (e.g. Kerberos realm).

So the solution is to change russia.domain.net to europe.domain.net in the ktpass command.

After that I was able to get a TGT and authenticate in the domain.
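As an added example (not from the original thread): a small Python parser for the MIT-format keytab that ktpass writes, listing each entry's principal, realm, kvno and enctype and flagging principals whose realm differs from the realm of the AD account the keytab was mapped to, which is the mismatch behind the error above. The principal, realm and key bytes below are constructed sample values; make_keytab exists only to build that sample.

```python
import struct
import time

def _cstr(buf, off):
    """Read a 16-bit length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n

def parse_keytab(data):
    """Return [(principal, realm, kvno, enctype)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _cstr(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off)
            comps.append(c.decode())
        _ntype, _ts, vno8, etype = struct.unpack_from(">IIBH", data, off)
        _key, off = _cstr(data, off + 11)  # key bytes are not needed for the check
        vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
        entries.append(("/".join(comps), realm.decode(), vno32 or vno8, etype))
        off = end
    return entries

def realm_mismatches(entries, account_realm):
    """Principals whose realm is not the realm of the AD account the keytab was mapped to."""
    return [p for p, realm, _, _ in entries if realm.upper() != account_realm.upper()]

def make_keytab(principal, realm, key, kvno=0, etype=23):
    """Build a one-entry v2 keytab for testing (constructed sample; etype 23 = rc4-hmac)."""
    comps = principal.split("/")
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBH", 1, int(time.time()), kvno & 0xFF, etype)  # 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

On a real file, parse_keytab(open("application_sandbox.keytab", "rb").read()) followed by realm_mismatches(entries, "EUROPE.DOMAIN.NET") reports the /princ realm that does not match the account's domain.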



Windows Server  >  Windows Server General Forum


