Kerberos Authentication will not work on specific clients

Last update: 4 August 2017

Summary

Kerberos authentication does not work on specific Windows clients.
The browser shows a pop-up asking for username and password.
The DNS cache of the client shows an uppercase letter in the Record Name, whereas the hostnames on the Linux server and the DNS server are configured in lower case throughout.

ipconfig /displaydns
host.support.fabasoft.local
----------------------------------------
Record Name . . . . . : Host.support.fabasoft.local
Record Type . . . . . : 1
Time To Live  . . . . : 14389
Data Length . . . . . : 4
Section . . . . . . . : Answer
A (Host) Record . . . : 192.168.12.200

Therefore the client requests a Kerberos ticket for HTTP/Host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL, which does not match the entry in the krb5.keytab file on the Linux web server:

[root@support ~]# klist -kt /etc/fabasoft/krb5.keytab
Keytab name: FILE:/etc/fabasoft/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
5 11/15/11 18:38:02 HTTP/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL
5 11/15/11 18:38:02 ADERPC/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL
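
The comparison described above can be automated. The following is an added example, not part of the original article or of any Fabasoft tooling: it parses the two outputs shown above and reports record names whose HTTP principal differs from a keytab entry only in letter case. It assumes the client builds the requested principal from the cached Record Name, as this article describes, and takes the realm from the keytab entry; the function names are hypothetical.

```python
import re

# Sample inputs copied from the outputs shown in this article (DNS output abridged).
DNS_CACHE = """\
host.support.fabasoft.local
----------------------------------------
Record Name . . . . . : Host.support.fabasoft.local
Record Type . . . . . : 1
A (Host) Record . . . : 192.168.12.200
"""

KEYTAB = """\
Keytab name: FILE:/etc/fabasoft/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
5 11/15/11 18:38:02 HTTP/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL
5 11/15/11 18:38:02 ADERPC/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL
"""


def keytab_principals(klist_output):
    """Return the set of service/host@REALM principals from `klist -kt` output."""
    return set(re.findall(r"^\s*\d+\s+\S+\s+\S+\s+(\S+/\S+@\S+)\s*$", klist_output, re.M))


def cached_record_names(displaydns_output):
    """Return the 'Record Name' values from `ipconfig /displaydns` output."""
    return re.findall(r"^\s*Record Name[ .]*:\s*(\S+)\s*$", displaydns_output, re.M)


def case_mismatches(displaydns_output, klist_output, service="HTTP"):
    """List (requested principal, keytab principal) pairs differing only in host case."""
    findings = []
    principals = keytab_principals(klist_output)
    for name in cached_record_names(displaydns_output):
        for princ in principals:
            svc, rest = princ.split("/", 1)
            host, realm = rest.rsplit("@", 1)
            if svc != service or host.lower() != name.lower():
                continue
            requested = f"{service}/{name}@{realm}"  # assumption: realm as in keytab
            if requested not in principals:  # exact, case-sensitive comparison
                findings.append((requested, princ))
    return findings


if __name__ == "__main__":
    for requested, expected in case_mismatches(DNS_CACHE, KEYTAB):
        print(f"MISMATCH: client requests {requested}, keytab has {expected}")
```

An empty result means every cached record name that corresponds to a keytab host also matches it in case.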

Information

Kerberos is case SENSITIVE!
A link to Fabasoft Folio WebDAV with uppercase spelling has been created on the client's desktop.
During startup, Windows pre-loads all links on the desktop, so the client loaded the uppercase spelling into the DNS cache. As a result, the Kerberos ticket was also requested with the uppercase letter.

Solution

Correct the link on the desktop and make sure it matches the keytab entry exactly.
You can temporarily delete the DNS cache and the Kerberos ticket on the client by using these commands:

ipconfig /flushdns
klist purge

klist is part of the Windows Server 2003 Resource Kit Tools.

Applies to:

  • Windows Clients
  • Linux Webserver with Kerberos authentication
