KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6) using windows server 2008
Hi. I'm setting a service to use kerberos, and I'm attemptingto get tickets but the command kinit fail. The wireshark traceshowed me thenext message from the KDC: error_code: KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN (6) The AD accounts are created and mapped succesfullyinto the Windows server 2008, and I'm trying to definea iSeries as a service principal to request tickets (TGS) from the KDC , The keytab entries in the iSeries are created successfully but whenI attempt to issue the kint command the results is a error , with the message that indicates that the service principal is not located in the AD. kinit -k krbsvr400/system1.ibm.com@REALM EUVF06014E Unable to obtain initial credentials. Status 0x96c73a06 - Client principal is not found in security registry. kinit -k HTTP/system1.ibm.com@REALM EUVF06014E Unable to obtain initial credentials. Status 0x96c73a06 - Client principal is not found in security registry. I made a test with a user principal (user@REALM) and the kinit returned success, so my idea is that there is something weird with the principals that has the next format ( service/serviceprincipal@REALM) could someone help me to analyze if there is something that I need to define in the accounts ? thanks in advance.
March 5th, 2008 1:06am
Yes. The format is goingto give you trouble. If the user is getting passed in UPN form with that whack, you can change the UPN logon name to match. As an example, you could create a user with the UPN logon of HTTPfirstname.lastname@example.org and a legacy logon of domainnetbiosname\system.ibm.com. This will allow you to work around the clumsy interraction between IBM and Microsoft... Edit: Oh, by the way - you will have to have multiple AD accounts for this one sytem1 IBM identity, eachAD accountwill have different prefixes like HTTP/ and krbsvr400/... Let me know what you think,
March 5th, 2008 7:08pm
Hi Aaron . thanks for you answer, but I not passing in UPD form, basically I'm trying to create a Service Principal Name with an unique format <service class>/<service name>, this service principal will be used to get TGS from the KDC to my service. The wireshark shows me that in the KRB-ERROR message there are a error in the checksums with the next output: Internet Protocol : Header checksum: 0x0000 [incorrect, should be 0xebd1]. Transmission Control ProtocolChecksum: 0xbd85 [incorrect, should be 0x07ea (maybe caused by "TCP checksum offload"?)] My conserns are:Is there is a known problem with the "/" character that could be the the cause of the problem?Is there something that I need to check in my windows server 2008 to avoid the checksum errors in the data transmision.?
March 5th, 2008 11:35pm
You can contain "/" in the UPN, not not in the legacy logon. So, it really depends on what kind of method you are using to pass the credentials. In your output: kinit -k krbsvr400/system1.ibm.com@REALM EUVF06014E Unable to obtain initial credentials. Status 0x96c73a06 - Client principal is not found in security registry. kinit -k HTTP/system1.ibm.com@REALM EUVF06014E Unable to obtain initial credentials. Status 0x96c73a06 - Client principal is not found in security registry. It looks like UPN is being used (assuming REALM is your domain)... I would look at the domain controller that you are pointed at to see what it has to tell you. If you enable some logging, you may be able to see what credentials are getting passed to the domain controller and then create a user account in the according format.
March 5th, 2008 11:41pm
HI , Aaron, Thanks for your update. I was wondering what should I set to enable the enough logging to see how the principals are been used.? Thanks .
March 13th, 2008 12:42am
This guy gives a pretty good explaination fo the old-school options: http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html Logon Events failures and Object Access failures are probably going to be of interest for you, but you may have to experiment with it to get the right piece of information. Luck,
March 13th, 2008 12:53am
The KDC on Windows Server 2008 fails to properly handle requests for a UPN with a "/" at RTM. Look for a hotfix to come soon.
April 11th, 2008 7:12pm
May 25th, 2008 5:31am
Just as an update, this hotfix is included in Windows Server 2008 Service Pack 2
June 5th, 2009 12:47am