Re: Kerberos

1,782 views
Darren Sundborg, Apr 12, 2007, 12:23:31 PM

Hi, hope someone can help..

I have been trying to set up Kerberos for my Authentication.

I keep getting the same error message!

DsCrackNames returned 0x2 in the name entry for cgatepro.

ktpass:failed getting target domain for specified user.

Any suggestions would be really helpful.

Thanks in advance.

Disclaimer

================================================================

This email (which includes any files transmitted with it) is confidential and may also be legally privileged.

It is intended solely for the use of the individual to whom it is addressed. Any views or opinions presented are solely those of the author and do not necessarily represent those of UKIP Media & Events Ltd.

If you are not the intended recipient, be advised that any use, dissemination, forwarding, printing, or copying of this email is strictly prohibited. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. Please rely on your own anti-virus system, no responsibility is taken by the sender for any damage rising out of virus infection.

UKIP Media & Events Ltd.

Registered Address: 82 St John Street, London EC1M 4JN VAT No. GB879 4451 71 Registration Number: 5893940 Company registered in England and Wales


Graeme Fowler, Apr 12, 2007, 12:32:11 PM

Hi

On Thursday, April 12, 2007 5:24 PM, CommuniGate Pro Discussions wrote:
> I have been trying to set up Kerberos for my Authentication.
> I keep getting the same error message!

I'm going to make an assumption here - the error is on your domain
controller where you're trying to run ktpass to create the service
principal and export the keytab, right? If so, read on, if not - ignore
me :)

> DsCrackNames returned 0x2 in the name entry for cgatepro.
> ktpass:failed getting target domain for specified user.

Make sure you specify the AD user you want to have the SPN for
imap/domain as user@domain - where domain is your AD domain. You may
need to put it in quotes.

Graeme
--
Graeme Fowler
Team Manager (ISSS), Computing Services
Loughborough University
T: 01509 228226


#############################################################
This message is sent to you because you are subscribed to
the mailing list <CGat...@mail.stalker.com>.
To unsubscribe, E-mail to: <CGateP...@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePr...@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePr...@mail.stalker.com>
Send administrative queries to <CGatePro...@mail.stalker.com>


Darren Sundborg, Apr 12, 2007, 12:55:20 PM

Hi Graeme

This is what I have been trying..

ktpass -princ imap/mycommunigatedomain@myADdomain -mapuser cgatepro
-pass cgate -out keytab.data -crypto DES-CBC-MD5 -ptype KRB5_T_SRV_HST

--
Darren Sundborg
Head Of IT & Telecommunications


UKIP Media & Events Ltd.

Abinger House, Church St.
Dorking, Surrey
RH4 1DF
United Kingdom

Tel: +44 (0) 1306 743744
Fax: +44 (0) 1306 887546

http://www.ukintpress.com


Graeme Fowler, Apr 12, 2007, 1:01:46 PM

On Thu, 2007-04-12 at 17:55 +0100, Darren Sundborg wrote:
> This is what I have been trying..
>
> ktpass -princ imap/mycommunigatedomain@myADdomain -mapuser cgatepro
> -pass cgate -out keytab.data -crypto DES-CBC-MD5 -ptype KRB5_T_SRV_HST

Aha!

What you probably need, therefore, is:

ktpass -princ imap/mycommunigatedomain@myADdomain -mapuser
cgatepro@myADdomain -pass cgate -out keytab.data -crypto DES-CBC-MD5
-ptype KRB5_NT_SRV_HST

Your mapuser is missing its domain attribute.

Graeme

Darren Sundborg, Apr 13, 2007, 7:45:53 AM

Hi Graeme

Thanks for that.

I followed your instructions and there were a few errors
(I think?)

WARNING: realm "ukipmediaevents.local" has lowercase
charachters in it.
We only currently support realms in
UPPERCASE.
assuming you mean
"UKIPMEDIAEVENTS.LOCAL"...
Succesfuly mapped imap/ukintpress.com to cgatepro.
WARNING: pType and account type do not match. This might
cause problems.
Key created.

Any ideas would be really appreciated.

--
Darren Sundborg

http://www.ukintpress.com

Graeme Fowler, Apr 13, 2007, 8:06:51 AM

Hi

On Friday, April 13, 2007 12:46 PM, CommuniGate Pro Discussions wrote:
> I followed your instructions and there were a few errors (I think?)
>
> WARNING: realm "ukipmediaevents.local" has lowercase
> charachters in it.
> We only currently support realms in
> UPPERCASE.
> assuming you mean
> "UKIPMEDIAEVENTS.LOCAL"...
> Succesfuly mapped imap/ukintpress.com to cgatepro.
> WARNING: pType and account type do not match. This might
> cause problems.
> Key created.
>
> Any ideas would be really appreciated.

Well, it looks on the face of it that the key was created successfully.
Unfortunately I have no real idea what the pType and account type
mismatch means, so I'd go ahead and try to import the keytab and see what
happens.

Darren Sundborg, Apr 13, 2007, 6:04:34 PM

Thanks for the help so far Graeme.

If anyone has any suggestions it would be really appreciated.

I have created Kerberos keys and imported them into CommuniGatePro.
Everything seems to be saying it is all ok.
But when I try and use a user's Kerberos (AD) password there is no
response?


--
Darren Sundborg
Head Of IT & Telecommunications


Darren Sundborg, Apr 14, 2007, 6:12:47 AM

Any help would be greatly appreciated!!

I have created Kerberos Keys.
I get a warning message:

WARNING: pType and account type do not match. This might cause
problems.
Key created.

When I import the keys the Kerberos password does not work.
Are there any logs I can look at?
Anything I should allow on the CommuniGate server or the AD server?
Anything on the user account I should allow?


Thanks in advance.

Graeme Fowler, Apr 14, 2007, 8:41:13 AM

On Sat, 2007-04-14 at 11:12 +0100, Darren Sundborg wrote:
> Any help would be greatly appreciated!!
>
> I have created Kerberos Keys.
> I get a warning message:
>
> WARNING: pType and account type do not match. This might cause
> problems.
> Key created.

As I explained, I have no idea what this means - you probably need to
ask on an AD group or mailing list about it rather than here.

> When I import the keys the Kerberos password does not work.

The point of Kerberos is that you don't *need* a password.

> Is there any logs I can look at?

Turn up the IMAP logging to "All Info".

> Anything I should allow on the CommuniGate server or the AD server?

On the CGP server, make sure that both the domain and the users are
permitted to use Kerberos.

> Anything on the user account I should allow?

Not to my knowledge.

The Kerberos authentication works as follows when Outlook is configured
to "Use Windows Integrated Authentication (Kerberos)" - the terminology
may be slightly incorrect, but still:

- User opens Outlook
- Outlook (via OS subsystems) requests a TGT (Ticket Granting Ticket)
for the Service Principal Name "imap/your.cgp.domain" according to the
name of the server you have set Outlook to connect to. If you have (for
example) ukintpress.com as your CGP domain, but Outlook is configured to
talk to mail.ukintpress.com, then the SPN requested will be
"imap/mail.ukintpress.com".

NOTE: this has direct implications on what you use as the service domain
in your ktpass keytab export: if your users connect to
mail.ukintpress.com, then that's the name you should have used in the
ktpass command, so in this example you'd have "-princ
imap/mail.ukintpress.com@myADdomain".

- Outlook receives the ticket and then creates a user ticket by
combining your credentials with the TGT, and passes that to CGPro.
Because CGPro has the server part of the SPN ticket, the relevant parts
are matched and the session authenticates correctly.


So: make sure your users are connecting to the same servername as the
domain part you put in the SPN creation using ktpass.

Graeme
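As an added example (not code from this thread, from CommuniGate Pro or from Microsoft), here is a small Python checker for the keytab that ktpass -out writes. It parses the MIT keytab layout (version 0x0502, which ktpass produces) and reports the things that came up in this thread: a realm that is not uppercase, a host part of the SPN that differs from the name the clients actually connect to (Graeme's mail.ukintpress.com versus ukintpress.com point), a name type other than the KRB5_NT_SRV_HST the command asked for, and DES key types, which -crypto DES-CBC-MD5 produces and which should not be relied on any more. The sample keytab bytes, the timestamp and the key material are constructed here for illustration; build_keytab exists only so the example runs without a domain controller.

```python
"""Parse and sanity-check an MIT-format keytab such as the one ktpass -out writes.
Added example for the thread above; the SAMPLE keytab is constructed, not real."""
import struct
from dataclasses import dataclass

KRB5_NT_PRINCIPAL = 1
KRB5_NT_SRV_HST = 3                                    # the -ptype used in the thread
DES_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5"}   # what -crypto DES-CBC-MD5 yields


@dataclass
class KeytabEntry:
    realm: str
    components: list      # e.g. ["imap", "mail.ukintpress.com"]
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(b: bytes) -> bytes:
    """Keytab counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialize entries as keytab version 0x0502 (test helper; ktpass does this for real)."""
    out = b"\x05\x02"
    for e in entries:
        body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
        for c in e.components:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">H", e.enctype) + _counted(e.key)
        body += struct.pack(">I", e.kvno)          # optional 32-bit kvno at the entry end
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes):
    """Return the KeytabEntry list stored in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # a negative size marks a deleted slot: skip it
            pos += -size
            continue
        buf, off = data[pos:pos + size], 0

        def counted():
            nonlocal off
            (n,) = struct.unpack_from(">H", buf, off)
            off += 2
            val = buf[off:off + n]
            off += n
            return val

        (ncomp,) = struct.unpack_from(">H", buf, off)
        off += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        name_type, ts, vno8 = struct.unpack_from(">IIB", buf, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", buf, off)
        off += 2
        key = counted()
        kvno = vno8
        if len(buf) - off >= 4:     # non-zero 32-bit kvno overrides the 8-bit field
            (kvno32,) = struct.unpack_from(">I", buf, off)
            kvno = kvno32 or vno8
        entries.append(KeytabEntry(realm, comps, name_type, ts, kvno, enctype, key))
        pos += size
    return entries


def check_keytab(data: bytes, client_hostname: str, service: str = "imap"):
    """List the mismatches discussed in the thread; an empty list means the keytab looks consistent."""
    findings = []
    wanted = [e for e in parse_keytab(data) if e.components[:1] == [service]]
    if not wanted:
        return ["no %s/... principal in keytab" % service]
    for e in wanted:
        p = e.principal()
        if e.realm != e.realm.upper():
            findings.append("%s: realm is not uppercase" % p)
        if len(e.components) != 2 or e.components[1].lower() != client_hostname.lower():
            findings.append("%s: host part does not match the name clients use, %s" % (p, client_hostname))
        if e.name_type != KRB5_NT_SRV_HST:
            findings.append("%s: name type %d is not KRB5_NT_SRV_HST" % (p, e.name_type))
        if e.enctype in DES_ENCTYPES:
            findings.append("%s: %s is a DES key type and should be replaced" % (p, DES_ENCTYPES[e.enctype]))
    return findings


# Constructed sample keytab (realm, host, timestamp and key are made up for this example).
SAMPLE = build_keytab([KeytabEntry("UKIPMEDIAEVENTS.LOCAL", ["imap", "mail.ukintpress.com"],
                                   KRB5_NT_SRV_HST, 1176400000, 2, 18, b"\x11" * 32)])

if __name__ == "__main__":
    for line in check_keytab(SAMPLE, "mail.ukintpress.com") or ["keytab looks consistent"]:
        print(line)
```

To use it on a real export, read the file ktpass wrote (keytab.data in the thread) as bytes and pass it to check_keytab together with the hostname users type into Outlook; the host comparison is the same one Graeme describes, since the client requests a ticket for imap/<the name it connected to> and the server can only decrypt it with a key for exactly that principal.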
