Windows Kerberos Troubleshooting
- krb5: No more memory to allocate (in credentials cache code) while retrieving a ticket
- krb5: Clock slew too great in reply from KDC
- krb5: Getting tickets through Credentials Manager unusually slow (10-15 seconds)
- krb5: The dynamic library libafstokens.dll could not be found in the specified path
- Telnet: "KDC can't fullfill requested option Kerberos V5: error getting forwarded creds" when trying to connect
- Telnet: "Unknown code S8952 while authorizing"
- Telnet: Takes 2 minutes to connect, then still prompted for a password
- Telnet: Authorization failed
Eudora (used by NCSA staff)
- Eudora: "ERR recvauth failed--Unknown code krbult 28" when checking mail
- Eudora: "ERR recvauth failed--Incorrect net address" when checking mail
- Eudora: "Kerberos Permission Denied" after typing in kerberos password
- Eudora: "Could not launch Kerb16.exe" when checking mail
- Eudora: "Time is out of bounds (krb_rd_req)" after typing in kerberos password
- Eudora: Fails with Bad password errors when password is known to be correct
- Eudora: "Unknown code 10053 while using sendauth" when checking mail
- Eudora: "Unknown code 10035 while using sendauth" when checking mail
- Eudora: "Kclnt32: Incorrect net address getting credentials for popper" when checking mail
If all else fails, contact firstname.lastname@example.org for assistance.
krb5: Preauthentication failed while logging in
krb5: No more memory to allocate (in credentials cache code) while retrieving a ticket
I have seen this caused by an apparently corrupted credential cache. I don't know what causes the corruption, but I suspect simultaneous accesses of some sort.
To fix, delete the credentials cache file, called krb5cc, which is located in the your
krb5: The dynamic library libafstokens.dll could not be found in the specified path
This happens when AFS support is enabled but the DLL for AFS cannot be found. Unless you have a Windows NT machine with an AFS client installed, you don't want AFS support enabled.
To disable AFS support, run the Kerberos 5 Credentials Manager, and under the File menu select Options. In the options menu, in the area labeled AFS Token, make sure the boxes for Destroy are not selected.
Telnet: "KDC can't fullfill requested option Kerberos V5: error getting forwarded creds" when trying to connect
I've seen two causes for this error. The first is that when you got your Kerberos 5 ticket using the credentials manager you did not request a forwardable ticket, but when you requested the connection with telnet you requested that the ticket be forwarded. To fix this, either go back and rerun the credentials manager and under File | Options select Forwardable and then get a new ticket, or under Telnet deselect Forward Credentials. I suggest doing the first.
The other case where this arises is when you have changed your IP address since you acquired your Kerberos ticket. This can happen if you dial in, disconnect and then dial back in. Since your IP address is hardcoded into your ticket when you get it, the ticket is no longer valid when your IP address changes. You must rerun the credentials manager and get a new ticket.
Telnet: "Unknown code S8952 while authorizing"
(OLD) I've seen this caused because the user had an old C:\Windows\Krb.con file which didn't explicitly specify port 88 for the KDC. C:\Windows\Services contained an entry for kerberos listing port 750 and the KDC was running on an AFS server which had its authentication daemon running on port 750.
krb5: Getting tickets through Credentials Manager unusually slow (10-15 seconds)
Telnet: Takes 2 minutes to connect, then still prompted for a password
The quick fix for this is to download distribution 1.03 or later of the NCSA Kerberos distribution for Windows.
These problems were caused by a combination of two things:
- The presence of the following line in krb5.ini: kdc = 184.108.40.206:88
- A need to install the "Dial-up Networking Upgrade 1.2"
So the fix is either to remove the line from krb5.ini or to install the upgrade.
Telnet: Authorization failed
I have seen this problem occur when a user creates a .k5login file in his home directory and does not add his own principal in the file. Just add the user's principal to his .k5login if this is the case.
FTP: Miscellaneous Failure, Wrong principal in request, error: accepting context, ADAT failed
This error from the Windows FTP client appeared when a server had an ftp/server.ncsa.uiuc.edu principal in the KDC database, but the server no longer had the ftp service principal in its /etc/krb5.keytab.
General: Acquired tickets are for the wrong IP address
I've seen this happen on a Windows box with multiple network cards plugged in and configured, apparently causing the box to give the Kerberos clients the wrong IP number to request.
Eudora: "ERR recvauth failed--Unknown code krbult 28" when checking mail
Eudora: "ERR recvauth failed--Incorrect net address" when checking mail
These errors occur under Eudora when you have a valid Kerberos ticket, but have changed your IP address since you acquired it. This can happen if you dial in, disconnect and then dial back in. Since your IP address is hardcoded into your ticket when you get it, the ticket is no longer valid when your IP address changes. Currently the only known fix is to delete your Kerberos ticket and reauthenticate. Rerun the program krb you originally ran to get your ticket and repeat the procedure to acquire a ticket.
Eudora: "Kerberos Permission Denied" after typing in kerberos password.
This error occurs because Eudora is trying to authenticate to AFS instead of Kerberos 5. This usually occurs when some sort of Windows networking software has been installed and the Services file has been overwritten. To fix this, quit Eudora, and reinstall the Kerberos configuration files.
Eudora: "Could not launch Kerb16.exe" when checking mail
Eudora used to use an executable called kerb16.exe to do Kerberos authentication. It no longer does this, but uses kclnt32.dll instead. However, it still prints out this error message when it can't find or run kclnt32.dll or krb5_32.dll, which kclnt32.dll relies on.
Note that I have also seen Eudora display this error when I cannot find a cause for it. This is still an open bug. The workaround is to shut down and restart Eudora.
For history's sake, kerb16.exe can be found at ftp://terminator.rs.itd.umich.edu/ldap/windows/kerberos/EudoraPro/kerb16.exe
Eudora: "Time is out of bounds (krb_rd_req)" after typing in kerberos password
krb5: Clock slew too great in reply from KDC
This is caused by an apparent mismatch between the time on your system and the time on the Kerberos KDC. There are several possible reasons:
- The time on your system is wrong. Check the time on your system and make sure it's accurate (within 5 minutes). See the section on Time Synchronization for fixes.
- You have the TZ environment variable set incorrectly. Open a command prompt and run the set command. Look for a line containing TZ= and check the value. If the value does not specify your correct timezone you need to fix this. Check C:\autoexec.bat to see if TZ is being set there and if so correct it. The other place TZ might be set is in the System control panel under
- (OLD) You are running PGPMail. We're seeing some sort of conflict right now running both PGPMail and Kerberos with Eudora. (XXX need better directions here) If you quit Eudora and then quit PNDetect and then start Eudora, Kerberos should work again.
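The first two causes above can be told apart from the size of the skew. The following is an added example, not part of the original page: it derives UTC from the wall clock and the configured TZ offset, compares it with the KDC's time against the 5-minute tolerance, and flags a skew close to a whole number of hours as a likely TZ problem. The function names, the whole-hour heuristic and the sample times are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)   # tolerance quoted in the list above
HOUR = timedelta(hours=1)

def client_utc(wall_clock, tz_offset_hours):
    """UTC time a client derives from its wall clock and its TZ offset.

    tz_offset_hours is hours east of UTC (for example -6 for US Central
    standard time); wall_clock is a naive datetime as shown on the desktop.
    """
    utc = wall_clock - timedelta(hours=tz_offset_hours)
    return utc.replace(tzinfo=timezone.utc)

def classify_skew(wall_clock, tz_offset_hours, kdc_utc):
    """Return (verdict, skew); verdict is 'ok', 'timezone' or 'clock'."""
    skew = client_utc(wall_clock, tz_offset_hours) - kdc_utc
    if abs(skew) <= MAX_SKEW:
        return "ok", skew
    # Heuristic (assumption): a wrong TZ leaves the wall clock right but
    # moves the derived UTC time by whole hours, so the remainder after
    # removing whole hours is small. A drifted clock leaves a remainder.
    hours = round(skew / HOUR)
    residual = skew - hours * HOUR
    if hours != 0 and abs(residual) <= MAX_SKEW:
        return "timezone", skew
    return "clock", skew

# Constructed sample values, not taken from the page.
KDC_NOW = datetime(2024, 1, 15, 18, 0, 30, tzinfo=timezone.utc)
WALL = datetime(2024, 1, 15, 12, 0, 0)    # correct local time, US Central

if __name__ == "__main__":
    cases = {
        "TZ correct (-6)": (WALL, -6),
        "TZ wrong (-8)": (WALL, -8),
        "clock 17 min fast": (WALL + timedelta(minutes=17), -6),
    }
    for label, (wall, offset) in cases.items():
        verdict, skew = classify_skew(wall, offset, KDC_NOW)
        print(f"{label:18} {verdict:9} skew={skew.total_seconds():+.0f}s")
```
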
Eudora: Fails with Bad password errors when password is known to be correct
This can happen if the user's principal on the KDC doesn't have a V4 salt. The Kerberos administrator should run kadmin and check the user's principal for a V4 salt. There appears to be a bug in kadmin/kadmind under Solaris where a user will be added without a V4 salt. To correct this, restart all the KDC processes, then delete and re-add the user. See the entry in the general troubleshooting section.
Eudora: "Unknown code 10053 while using sendauth" when checking mail
This error is apparently caused if popper is not running on the specified host.
Eudora: "Unknown code 10035 while using sendauth" when checking mail
This happens because Eudora is using asynchronous Winsock calls. Under Tools, select Options. When the options menu comes up, select Advanced Network. Under "Use asynchronous Winsock calls for:" make sure the box next to "All others" is NOT selected.
Eudora: "Kclnt32: Incorrect net address getting credentials for popper" when checking mail
This happens when the computer is connected to the network through a Network Address Translation (NAT) router, typically used for sharing a cable modem connection. The problem is that the wrong IP address is being stored with the tickets. This can be fixed in the Credentials Manager.
In the Credentials Manager, select Options from the File menu. Check the No IP address checkbox and click OK. Then log in again to get a new copy of your Kerberos credentials that don't have an IP address in them.
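Several entries on this page (the changed dial-up address, the multiple network cards, and the NAT router above) come down to the same check: the address stored in the ticket must match the address the service sees. The following is an added example, not code from the original page or from any Kerberos distribution; it models that check and separates the three causes. Function names, verdict labels and addresses are assumptions made for illustration.

```python
import ipaddress

def server_accepts(ticket_addrs, source_addr):
    """Model the address check a service applies to a presented ticket.

    An empty list is a ticket obtained with "No IP address" and is valid
    from any source; otherwise the source must be listed in the ticket.
    """
    if not ticket_addrs:
        return True
    src = ipaddress.ip_address(source_addr)
    return any(ipaddress.ip_address(a) == src for a in ticket_addrs)

def diagnose(ticket_addrs, local_addrs, source_addr):
    """Classify an "Incorrect net address" style failure.

    ticket_addrs: addresses stored in the ticket
    local_addrs:  addresses configured on the client right now
    source_addr:  address the service sees the connection coming from
    """
    if server_accepts(ticket_addrs, source_addr):
        return "ok"
    local = {ipaddress.ip_address(a) for a in local_addrs}
    ticket = {ipaddress.ip_address(a) for a in ticket_addrs}
    if ipaddress.ip_address(source_addr) not in local:
        return "nat"              # service sees an address the client lacks
    if ticket & local:
        return "wrong-interface"  # ticket names a different local NIC
    return "stale-address"        # ticket names an address no longer held

# Constructed sample cases using documentation and private address ranges.
CASES = {
    "redial": (["192.0.2.10"], ["192.0.2.57"], "192.0.2.57"),
    "two NICs": (["10.0.0.5"], ["10.0.0.5", "192.0.2.57"], "192.0.2.57"),
    "behind NAT": (["192.168.1.20"], ["192.168.1.20"], "203.0.113.8"),
    "no IP address": ([], ["192.168.1.20"], "203.0.113.8"),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(f"{name:14} -> {diagnose(*args)}")
```

A ticket without an address is accepted from any host, so a copied credentials cache is no longer tied to the machine that obtained it; keep the cache file protected when the No IP address option is in use.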
Questions or comments about this page may be sent to firstname.lastname@example.org