Server Fault Stack Exchange
Server Fault Stack Exchange

Questions tagged [kerberos]

Kerberos is a computer network authentication protocol, which allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed primarily at a client–server model, and it provides mutual authentication — both the user and the server verify each other's identity.

As many vendors have their own implementation of Kerberos, configuration details for each implementation is likely to vary. Here are some links that may help those troubleshooting Kerberos on commonly used paltforms.

1168 questions
13
votes
1 answer

Why is MS SQL Server Using NTLM Authentication?

Windows Server 2008 R2. SQL Server 2008 R2 installed. MSSQL Service runs as Local System. Server FQDN is SQL01.domain.com. SQL01 is joined to an Active Directory domain named domain.com. The following is the output of setspn: C:\> setspn -L…
Ryan Ries
  • 55,481
  • 10
  • 142
  • 199
13
votes
5 answers

Track Down Which Process/Program is Causing Kerberos pre-authentication error (Code 0x18)

We have a domain account that is being locked out via 1 of 2 servers. The built-in auditing only tells us that much (locked out from SERVER1, SERVER2). The account gets locked out within 5 minutes, about 1 request per minute it seems. I initially…
Jaigene Kang
  • 153
  • 1
  • 1
  • 7
13
votes
3 answers

How to automate kinit process to obtain TGT for Kerberos?

I'm currently writing a puppet module to automate the process of joining RHEL servers to an AD domain, with support for Kerberos. Currently, I have problems with automatically obtain and cache Kerberos ticket-granting ticket via kinit. If this were…
tore-
  • 1,396
  • 2
  • 10
  • 18
13
votes
5 answers

Which kerberos flavor?

So I'm setting up a small network with all the standard stuff (files, email, etc.) and I've decided to go with a Kerberos+LDAP solution. Any ideas or recommendations on Heimdal vs. MIT? I've used MIT before, and tangentially Heimdal, but I don't…
Michael Lowman
  • 3,604
  • 20
  • 36
12
votes
3 answers

Putty Kerberos/GSSAPI authentication

I configured a few Linux servers to authenticate with Active Directory Kerberos using sssd on RHEL6. I also enabled GSSAPI authentication in hopes of passwordless logins. But I can't seem to get Putty (0.63) to authenticate without a…
xdfil
  • 491
  • 2
  • 7
  • 15
12
votes
7 answers

Retreive the current Kerberos KVNO from Active Directory

I have a Kerberos problem with a Linux host connecting to a Windows KDC. I suspect that Kerberos key with the wrong version is to blame. One way to be shure would be to delete the SPN and create it anew, but this is in a production environment and I…
ixe013
  • 1,018
  • 2
  • 10
  • 26
12
votes
6 answers

How can I check if my IIS site is using NTLM or Kerberos?

How can I check if my IIS site is using NTLM or Kerberos? And how can I change authentication from Kerberos to NTLM? I'm using IIS 7.5.
KlimczakM
  • 223
  • 1
  • 2
  • 7
12
votes
3 answers

Integrated Windows Authentication with Apache HTTP Server on Linux

What is the best way to enable Integrated Windows Authentication for a PHP web application running on Apache2/Linux? There is a Windows Domain Controller in the network which should be used for authentication. I found these apache…
Florian Fankhauser
  • 253
  • 1
  • 2
  • 8
12
votes
3 answers

Apache mod_auth_kerb and LDAP user groups

I've been considering deploying mod_auth_kerb on our internal web servers to enable SSO. The one obvious problem I can see is that it's an all-or-nothing approach, either all your domain users can access a site or not. Is it possible to combine…
Kamil Kisiel
  • 12,184
  • 7
  • 48
  • 69
11
votes
2 answers

Kerberos KDC has no support for encryption type while getting credentials

I am configuring an apache/SSO authentication with an AD with Kerberos. My http server is a Debian Wheezy and the AD is a Windows Server 2012. I generated keytabs files on WS2012 with kpass command for each encryption type available on WS2012. When…
lazzio
  • 306
  • 1
  • 2
  • 11
11
votes
2 answers

keytab auth against samba 4 DC: Client not found in Kerberos database while getting initial credentials

I set up a samba 4 active directory on ubuntu 14.04 following Samba AD DC HOWTO. In principle everything works well but I'm stuck in getting kerberos authentication running using SPNs for web applications. When I try to run kinit -k -t keytabfile…
Heiko Robert
  • 331
  • 1
  • 2
  • 8
11
votes
4 answers

Multiple Realms and Multiple TGTs under MIT Kerberos for Windows

My local computer uses Windows 7 Pro and belongs to realm LR, managed by AD servers. I login to my computer while attached to that realm's network. I can view the TGT with MIT Kerberos for Windows ver. 4.0.1. I want to access resources on a foreign…
Toddius Zho
  • 260
  • 2
  • 10
11
votes
2 answers

Permissions to create an spn

According to some of the documentation I've read the service account for SQL server will create an SPN when the database engine starts up, allowing for kerberos authentication. I haven't been able to find any documentation that states what…
Thirster42
  • 354
  • 1
  • 2
  • 14
11
votes
1 answer

How to tell mod_auth_kerb to do its job despite no "require valid-user"

I implemented a SSO authentication using mod_auth_kerb on Apache. My config looks like this: AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate on KrbAuthoritative on KrbVerifyKDC on …
Benjamin Wohlwend
  • 729
  • 2
  • 7
  • 14
10
votes
2 answers

Is this Kerberos/AD setup possible?

We have a slightly complicated IDAM setup: I.e. the end user's machine and browser sit in one network with the parent AD, and our Jetty-based application and the AD that it can talk to (local AD) sit in the other. There is a two-way trust between…
Rob Grant
  • 103
  • 6
1
2
3
77 78