Kerberos Authentication will not work on specific clientsPermanent link for this heading

Last update: 4 August 2017

SummaryPermanent link for this heading

Kerberos authentication does not work on specific Windows clients.
Browser returns pop-up for username and password.
The DNS cache of the client shows an uppercase letter in the Record Name , whereas the Hostnames on Linux server and DNS server have been configured throughout in lower case.

       ipconfig /displaydns

host.support.fabasoft.local

----------------------------------------

Record Name . . . . . : Host.support.fabasoft.local

Record Type . . . . . : 1

Time To Live  . . . . : 14389

Data Length . . . . . : 4

Section . . . . . . . : Answer

A (Host) Record . . . : 192.168.12.200

    

Therefore the client requests a Kerberos ticket for HTTP/ Host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL , that does not match the entry on the Linux webserver krb5.keytab file:

       [root@support ~]# klist -kt /etc/fabasoft/krb5.keytab

Keytab name: FILE:/etc/fabasoft/krb5.keytab

KVNO Timestamp         Principal

---- ----------------- --------------------------------------------------------

5 11/15/11 18:38:02 HTTP/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL

5 11/15/11 18:38:02 ADERPC/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL

    

InformationPermanent link for this heading

Kerberos is case SENSITIVE !
On the desktop of the client a link to Fabasoft Folio WebDAV has been created with uppercase spelling.
During startup Windows is pre-loading all links on the desktop, so the client loaded the uppercase spelling into the DNS cache. As a result the Kerberos ticket has also been requested with the uppercase letter.

SolutionPermanent link for this heading

Correct the link on the desktop and make sure it matches exactly the keytab entry.
You can temporarily delete the DNS cache and the Kerberos ticket on the client by using these commands

       ipconfig /flushdns

klist purge

    

klist is part of the Windows Server 2003 Resource Kit Tools

Applies to:Permanent link for this heading

  • Windows Clients
  • Linux Webserver with Kerberos authentication

Download PDF

Download PDF