Last update: 4 August 2017
Kerberos authentication does not work on specific Windows clients.
The browser shows a pop-up asking for username and password.
The DNS cache of the client shows an uppercase letter in the Record Name, whereas the hostnames on the Linux server and the DNS server are configured in lowercase throughout.
ipconfig /displaydns
host.support.fabasoft.local
----------------------------------------
Record Name . . . . . : Host.support.fabasoft.local
Record Type . . . . . : 1
Time To Live . . . . : 14389
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 192.168.12.200
Therefore the client requests a Kerberos ticket for HTTP/Host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL, which does not match the entry in the krb5.keytab file on the Linux web server:
[root@support ~]# klist -kt /etc/fabasoft/krb5.keytab
Keytab name: FILE:/etc/fabasoft/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 11/15/11 18:38:02 HTTP/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL
   5 11/15/11 18:38:02 ADERPC/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL
Kerberos is case SENSITIVE!
On the desktop of the client a link to Fabasoft Folio WebDAV has been created with uppercase spelling.
During startup, Windows preloads all links on the desktop, so the client loaded the uppercase spelling into the DNS cache. As a result, the Kerberos ticket was also requested with the uppercase letter.
Correct the link on the desktop and make sure it matches the keytab entry exactly.
You can temporarily delete the DNS cache and the Kerberos ticket on the client by using these commands:
ipconfig /flushdns
klist purge
klist is part of the Windows Server 2003 Resource Kit Tools.
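The match between a link and the keytab can be checked before the link is distributed to clients. The following Python script is an added example, not part of the original article or of any Fabasoft tooling: it builds the service principal name from the host exactly as typed in a URL and compares it, case-sensitively, with the principals listed by klist -kt. The function names and the sample URLs are assumptions; the keytab listing is the one shown above, embedded as constructed sample input.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: the `klist -kt` listing shown in this article.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/fabasoft/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 11/15/11 18:38:02 HTTP/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL
   5 11/15/11 18:38:02 ADERPC/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL
"""

# An entry line is: KVNO, date, time, principal@REALM.
ENTRY = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")


def keytab_principals(klist_text):
    """Return the principal names listed by `klist -kt`, in order."""
    return [m.group(1) for line in klist_text.splitlines()
            if (m := ENTRY.match(line))]


def host_as_typed(url):
    """Return the host part of a URL without changing its case."""
    # urlsplit().hostname lowercases the name and would hide the problem,
    # so the host is cut out of netloc instead.
    host = urlsplit(url).netloc.rsplit("@", 1)[-1]   # drop userinfo
    if host.startswith("["):                         # IPv6 literal
        return host[:host.index("]") + 1]
    return host.split(":", 1)[0]                     # drop port


def check_link(url, realm, klist_text, service="HTTP"):
    """Return ('match' | 'case-mismatch' | 'missing', principal)."""
    spn = f"{service}/{host_as_typed(url)}@{realm}"
    principals = keytab_principals(klist_text)
    if spn in principals:                            # exact comparison
        return "match", spn
    for principal in principals:
        if principal.lower() == spn.lower():         # differs only in case
            return "case-mismatch", principal
    return "missing", spn


if __name__ == "__main__":
    # Hypothetical links: the uppercase spelling, then the corrected one.
    for link in ("http://Host.support.fabasoft.local/",
                 "http://host.support.fabasoft.local/"):
        print(link, "->", check_link(link, "SUPPORT.FABASOFT.LOCAL", KLIST_OUTPUT))
```

A "case-mismatch" result returns the keytab spelling that the link has to be changed to.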