[Freeipa-users] Freeipa Windows 7 client authentication
Brett Maton
matonb at ltresources.co.uk
Thu Feb 10 10:30:36 UTC 2011
Thanks for the replies,
Simo, I know the password is correct as I can kinit <user> from other
linux boxes.
All machines are using the same time source, and I checked the time on each
machine so unfortunately it's neither of those this time round.
Dimitri,
I did run through the "Configuring Windows Client" section on that web
page, although I didn't install any additional software (ksetup / klist /
kinit tools already installed).
The client is connecting correctly as I get "Your password has expired,
please change it" as a response when I login.
It appears that the password change from the Windows Client fails with the
"Decrypt integrity check" errors.
If I change the password on a linux server when requested by kinit, I get
the same Decrypt errors when trying to login to the Windows 7 client
(Windows 7 Professional).
I did change the local security policy to Accept all Kerberos Encryption
types, except "Future encryption types".
Thanks,
Brett
-----Original Message-----
From: Simo Sorce
Sent: 10 February 2011 05:33
To: Brett Maton
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Freeipa Windows 7 client authentication
On Wed, 9 Feb 2011 16:13:39 +0000
Brett Maton wrote:
> Hi,
>
> I can't get a Windows 7 client to authenticate against Freeipa (ver
> 2.0.0.pre2) running on Fedora 14.
>
> Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1
> 24 -135}) 192.168.0.2: NEEDED_PREAUTH: matonb at EXAMPLE.COM for
> krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication
> required Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp)
> verify failure: Decrypt integrity check failed Feb 09 16:03:22
> krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135})
> 192.168.0.2: PREAUTH_FAILED: matonb at EXAMPLE.COM for
> krbtgt/EXAMPLE.COM at EXAMPLE.COM, Decrypt integrity check failed Feb 09
> 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure:
> Decrypt integrity check failed Feb 09 16:03:23 krb5kdc[32355](info):
> AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED:
> matonb at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Decrypt
> integrity check failed
>
> Any help with where to start looking or what might be wrong would be
> greatly appreciated.
Either the password is wrong or the time on your client is not within 5
min. of the time on the KDC.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
__________ Information from ESET NOD32 Antivirus, version of virus signature
database 5860 (20110209) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
__________ Information from ESET NOD32 Antivirus, version of virus signature
database 5860 (20110209) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com
More information about the Freeipa-users
mailing list