[Freeipa-users] Freeipa Windows 7 client authentication

Dmitri Pal dpal at redhat.com
Fri Feb 11 20:34:04 UTC 2011


On 02/10/2011 05:30 AM, Brett Maton wrote:
> Thanks for the replies,
>
>   Simo, I know the password is correct as I can kinit <user> from other
> Linux boxes.
> All machines are using the same time source, and I checked the time on each
> machine so unfortunately it's neither of those this time round.
>
> Dmitri,
>   I did run through the "Configuring Windows Client" section on that web
> page, although I didn't install any additional software (ksetup / klist /
> kinit tools already installed).
>
> The client is connecting correctly as I get "Your password has expired,
> please change it" as a response when I log in.
> It appears that the password change from the Windows Client fails with the
> "Decrypt integrity check" errors.
> If I change the password on a Linux server when requested by kinit, I get
> the same Decrypt errors when trying to log in to the Windows 7 client
> (Windows 7 Professional).
>
> I did change the local security policy to Accept all Kerberos Encryption
> types, except "Future encryption types".
>
> Thanks,
> Brett
>
> -----Original Message-----
> From: Simo Sorce 
> Sent: 10 February 2011 05:33
> To: Brett Maton
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Freeipa Windows 7 client authentication
>
> On Wed, 9 Feb 2011 16:13:39 +0000
> Brett Maton wrote:
>
>> Hi,
>>
>>   I can't get a Windows 7 client to authenticate against Freeipa (ver
>> 2.0.0.pre2) running on Fedora 14.
>>
>> Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: NEEDED_PREAUTH: matonb at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
>> Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>> Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: matonb at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Decrypt integrity check failed
>> Feb 09 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>> Feb 09 16:03:23 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: matonb at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Decrypt integrity check failed
>>
>> Any help with where to start looking or what might be wrong would be
>> greatly appreciated.
> Either the password is wrong or the time on your client is not within 5
> min. of the time on the KDC.
>
> Simo.
>
Can you please log a bug then and we will try to check this scenario?
You might be the first person who tries this scenario and something can
be wrong on either side.
I am not sure we would be able to jump on this right away but the bug
would at least give us a way to get to it in due time.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
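
Added example, not part of the thread or of FreeIPA: a small triage script for krb5kdc AS_REQ lines of the kind quoted above, counting PREAUTH_FAILED per client and address and naming the etypes the client offered. It assumes the log format shown in the thread; the function names are hypothetical.

```python
import re
from collections import Counter

# IANA-assigned Kerberos etype numbers that appear in the quoted log.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK = {1, 3, 24}  # single-DES and export-grade RC4

# AS_REQ line in the format quoted in the thread (assumption). The list
# archive rewrites '@' as ' at ', so both spellings are accepted.
AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+(?: at |@)\S+) for ")

def etype_name(n):
    """Name an etype; negative numbers are private-use, not IANA-assigned."""
    if n < 0:
        return f"private-use({n})"
    return ETYPES.get(n, f"unknown({n})")

def triage(lines):
    """Return (PREAUTH_FAILED count per (client, ip), offered names, weak names)."""
    failures, offered = Counter(), set()
    for line in lines:
        m = AS_REQ.search(line)
        if not m:
            continue  # e.g. the separate "preauth (timestamp) verify failure" lines
        offered.update(int(x) for x in m["etypes"].split())
        if m["status"] == "PREAUTH_FAILED":
            failures[(m["client"].replace(" at ", "@"), m["ip"])] += 1
    names = [etype_name(n) for n in sorted(offered, reverse=True)]
    weak = sorted(ETYPES[n] for n in offered & WEAK)
    return failures, names, weak

# Sample input: the log entries quoted in the thread, one entry per line.
SAMPLE = """\
Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: NEEDED_PREAUTH: matonb at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Additional pre-authentication required
Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: matonb at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Decrypt integrity check failed
Feb 09 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 09 16:03:23 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: matonb at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Decrypt integrity check failed
""".splitlines()

if __name__ == "__main__":
    failures, names, weak = triage(SAMPLE)
    for (client, ip), count in failures.items():
        print(f"{client} from {ip}: {count} PREAUTH_FAILED")
    print("offered:", ", ".join(names))
    print("weak etypes offered:", ", ".join(weak) or "none")
```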

