Kerberos Authentication will not work on specific clients
Summary
Kerberos authentication does not work on specific Windows clients.
The browser shows a pop-up prompting for username and password.
The DNS cache of the client shows an uppercase letter in the Record Name, whereas the hostnames on the Linux server and the DNS server are configured in lowercase throughout.
    ipconfig /displaydns

    host.support.fabasoft.local
    ----------------------------------------
    Record Name . . . . . : Host.support.fabasoft.local
    Record Type . . . . . : 1
    Time To Live . . . . : 14389
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.168.12.200
Therefore the client requests a Kerberos ticket for HTTP/Host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL, which does not match the entry in the krb5.keytab file on the Linux web server:
    [root@support ~]# klist -kt /etc/fabasoft/krb5.keytab
    Keytab name: FILE:/etc/fabasoft/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       5 11/15/11 18:38:02 HTTP/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL
       5 11/15/11 18:38:02 ADERPC/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL
Information
Kerberos is case SENSITIVE!
A link to Fabasoft Folio WebDAV with uppercase spelling has been created on the client's desktop.
During startup, Windows pre-loads all links on the desktop, so the client loaded the uppercase spelling into the DNS cache. As a result, the Kerberos ticket was also requested with the uppercase letter.
Solution
Correct the link on the desktop and make sure it matches the keytab entry exactly.
You can temporarily delete the DNS cache and the Kerberos ticket on the client by using these commands:

    ipconfig /flushdns
    klist purge
klist is part of the Windows Server 2003 Resource Kit Tools
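
To confirm on the Linux web server whether a requested service principal matches a keytab entry exactly or only differs in case, the following added example (not part of the original article) classifies a principal against klist -kt output. The function name check_spn is a hypothetical helper; the sample listing is copied from the klist -kt output shown above.

```shell
#!/bin/sh
# Added example: classify a requested SPN against `klist -kt` output.
# check_spn is a hypothetical helper name, not part of any Kerberos tool.

# Sample keytab listing, copied from the klist -kt output in this article.
SAMPLE_KLIST='Keytab name: FILE:/etc/fabasoft/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 11/15/11 18:38:02 HTTP/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL
   5 11/15/11 18:38:02 ADERPC/host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL'

# Usage: check_spn <principal> < klist-output
# Prints "exact", "case-mismatch <keytab principal>" or "missing".
check_spn() {
    awk -v want="$1" '
        # Entry lines start with a numeric KVNO; the principal is the last field.
        $1 ~ /^[0-9]+$/ {
            p = $NF
            if (p == want) { exact = 1 }
            else if (tolower(p) == tolower(want) && near == "") { near = p }
        }
        END {
            if (exact)           print "exact"
            else if (near != "") print "case-mismatch " near
            else                 print "missing"
        }'
}

# Principal the client in this article requested (uppercase "H" from the DNS cache).
printf '%s\n' "$SAMPLE_KLIST" |
    check_spn 'HTTP/Host.support.fabasoft.local@SUPPORT.FABASOFT.LOCAL'
```

On a live server, pipe the real listing into the function instead of the sample, for example `klist -kt /etc/fabasoft/krb5.keytab | check_spn '<requested principal>'`.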
Applies to:
- Windows Clients
- Linux Webserver with Kerberos authentication