Hello. I'm trying to get a stand-alone Windows 2003 R2 system to authenticate users against an MIT Kerberos V5 (v1.10) server. I've set up the host principal on the KDC, used ksetup on the Windows machine to set the realm, KDC location, machine password, and user mapping, and rebooted. When I try to authenticate using a Kerberos user principal, Windows replies that the username or password is bad, yet the KDC shows that it issued a ticket. (If I deliberately enter an incorrect password, the KDC instead shows that the PREAUTH_FAILED.) So I enabled Kerberos logging in the registry and discovered that the ctime being reported is random:
Testing with 'runas /user:username@REALM.COM cmd.exe' while logged in as a local administrative user, here is an example of what I see at the command prompt:
C:\>runas /user:username@REALM.COM cmd.exe Enter the password for username@REALM.COM: Attempting to start cmd.exe as user "username@REALM.COM" ... RUNAS ERROR: Unable to run - cmd.exe 1326: Logon failure: unknown user name or bad password. C:\>
I ran that command twice, two seconds apart and the ctime on the first is 7:35:13 10/5/2019 Z, and on the second it's 8:42:26 2/14/2020 Z! (Both times the server time was correct at 21:15:5 2/5/2013 Z and21:15:6 2/5/2013 Z respectively.) According to WireShark running on the Windows system in question, the bogus ctime is indeed what's in the packet, pointing to the Windows client as being the problem. (It looks like the client
is reading an internal timestamp backwards or an uninitialized variable or something.) Since Kerberos depends on the server and client times being very close, I suspect this is the reason I can't authenticate. (Nothing is logged for the reception of Kerberos
tickets, but WireShark shows that it did arrive.)
I also tested with MIT's Kerberos for Windows v4.0.1 on the same machine and that works perfectly. I have also been successful in getting a Windows Server 2008 R2 machine to authenticate against the same KDC without issue.
So all of this points to a flaw in the integrated Kerberos client shipped with Windows Server 2003.
Please let me know what I should do next as I need this resolved.