Kerberos' role in a 'std. setup' without bells & whistles

From: Kim Noer (kn_at_nospam.dk)
Date: 06/30/05


Date: Thu, 30 Jun 2005 19:29:48 +0200

Hi there...

I haven't quite figured out just yet, what my DC uses Kerberos for, so can
anyone here clue me in, what it is used for[1]? I've figured out it's about
issuing tickets in some security context, and that my DC currently acts as a
Kerberos Key Distribution Center - and it somehow relates to LDAP/AD. But a
look in my event log shows that it runs in a rather faulty way -

Event ID 594 :

A Kerberos Error Message was received:
         on logon session InitializeSecurityContext
 Client Time:
 Server Time:
 Error Code: 4:30:5.0000 6/30/2005 (null) 0x20
 Extended Error: KRB_AP_ERR_TKT_EXPIRED
 Client Realm:
 Client Name:
 Server Realm: domain.tld
 Server Name: krbtgt/domain.tld
 Target Name: krbtgt/domain.tld@domain.tld
 Error Text:
 File:
 Line:
 Error Data is in record data.

And since I apparently don't know what the server is using Kerberos for, it
makes it difficult to nick this error. Furthermore, a search on this error
indicates to me that it's quite an extensive task to fix it - eek!

A "klist tickets" shows some tickets that have expired, but not reviewed -

Server: myDC@domain.tld
   KerbTicket Encryption Type: RSADSI RC4-HMAC(NT
   End Time: 6/17/2005 7:16:25
   Renew Time: 6/23/2005 21:16:25

- presumably, this failure to renew the ticket is what generates the error
in the event log?

[1] I primarily need some quick advice that enables me to either investigate
further (read up on Kerberos etc.) if you think I need Kerberos, or some
advice on how to disable Kerberos, if you think I don't need Kerberos.

-- 
I doubt, therefore I might be. 

