Kerberos and Windows 2003 KDC

vnovakov
Level 1

Hi,

I'm trying to configure Kerberos authentication for local users on Cisco. The KDC is running under Windows 2003, but I get the following error from debugging:

AAA/BIND(000002D4): Bind i/f

AAA/AUTHEN/LOGIN (000002D4): Pick method list 'default'

Kerberos: All dialogue with KDC will now use default interface as source

Kerberos: Sent TGT request to KDC 192.168.11.14

Kerberos: Received TGT reply from KDC 192.168.11.14

Kerberos: KRB_ERROR (code=52) returned

Kerberos(000002D4): Received invalid credential.

Where I can find those cisco KRB_ERROR codes?

Best regards,

Vladimir

5 Replies

Jagdeep Gambhir
Level 10

Hi Vladimir,

It's caused by AD needing to return a particularly large number of groups that a user belongs to, and trying to switch to TCP instead of UDP because of UDP packet size limits.

Older versions of Kerberos don't support TCP, and thus don't know what to do.

Hope that helps !

Regards,

~JG
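The code below is an added example, not part of the thread or of Cisco's Kerberos client. It shows what the KRB_ERROR code in the debug output is: the KDC sent back a KRB-ERROR message (RFC 4120 section 5.9.1), and its error-code field comes from the table in RFC 4120 section 7.5.9, where 52 is KRB_ERR_RESPONSE_TOO_BIG. The script decodes a KRB-ERROR with a minimal DER reader, names the code, and implements the client rule from RFC 4120 section 7.2.1: a request that gets KRB_ERR_RESPONSE_TOO_BIG over UDP is repeated over TCP, where the message carries a 4-byte length prefix. The KDC is a stand-in class (`FakeKDC`), the 1465-byte UDP limit, the realm, the timestamp and the e-text string are constructed values, and the "AS-REP" it returns is only shaped like one at the outer tag; those are all assumptions of the example.

```python
"""Decode a Kerberos KRB-ERROR (RFC 4120 5.9.1), name its error code
(RFC 4120 7.5.9) and apply the 7.2.1 transport rule: on error 52
(KRB_ERR_RESPONSE_TOO_BIG) over UDP, resend the request over TCP."""
import struct

# Subset of the RFC 4120 section 7.5.9 error-code table.
KRB_ERROR_CODES = {
    0: "KDC_ERR_NONE", 6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN", 14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED", 23: "KDC_ERR_KEY_EXPIRED",
    24: "KDC_ERR_PREAUTH_FAILED", 25: "KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB_AP_ERR_BAD_INTEGRITY", 37: "KRB_AP_ERR_SKEW",
    52: "KRB_ERR_RESPONSE_TOO_BIG", 60: "KRB_ERR_GENERIC",
    68: "KDC_ERR_WRONG_REALM",
}
APP_KRB_ERROR, APP_AS_REP = 0x7E, 0x6B   # [APPLICATION 30], [APPLICATION 11]

# --- tiny DER encoder, used only to construct the sample messages ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def der_int(n):                 # INTEGER, small non-negative values only
    return tlv(0x02, n.to_bytes(1, "big"))

def ctx(n, body):               # context-specific constructed tag [n]
    return tlv(0xA0 | n, body)

def principal(name_type, *parts):   # PrincipalName; KerberosString is GeneralString
    names = b"".join(tlv(0x1B, p.encode()) for p in parts)
    return tlv(0x30, ctx(0, der_int(name_type)) + ctx(1, tlv(0x30, names)))

def build_krb_error(code, realm, sname, e_text=None):
    """Constructed KRB-ERROR: pvno, msg-type 30, stime/susec, error-code, realm, sname."""
    body = (ctx(0, der_int(5)) + ctx(1, der_int(30))
            + ctx(4, tlv(0x18, b"20080101120000Z")) + ctx(5, der_int(0))
            + ctx(6, der_int(code)) + ctx(9, tlv(0x1B, realm.encode()))
            + ctx(10, principal(2, *sname)))
    if e_text:
        body += ctx(11, tlv(0x1B, e_text.encode()))
    return tlv(APP_KRB_ERROR, tlv(0x30, body))

# --- DER reader and KRB-ERROR decoder ---
def der_read(buf, pos=0):
    """One TLV at buf[pos] -> (tag, value, position after it); short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def tagged(seq_body):
    """SEQUENCE body made of [n] EXPLICIT fields -> {n: (inner_tag, inner_value)}."""
    out, pos = {}, 0
    while pos < len(seq_body):
        tag, val, pos = der_read(seq_body, pos)
        out[tag & 0x1F] = der_read(val)[:2]
    return out

def parse_krb_error(msg):
    tag, seq, _ = der_read(msg)
    if tag != APP_KRB_ERROR:
        raise ValueError("not a KRB-ERROR, outer tag %#x" % tag)
    f = tagged(der_read(seq)[1])
    if int.from_bytes(f[1][1], "big") != 30:
        raise ValueError("msg-type is not KRB_ERROR")
    parts, pos, names = [], 0, tagged(f[10][1])[1][1]   # sname name-string
    while pos < len(names):
        _, val, pos = der_read(names, pos)
        parts.append(val.decode("ascii"))
    code = int.from_bytes(f[6][1], "big", signed=True)
    return {"error_code": code,
            "error_name": KRB_ERROR_CODES.get(code, "unknown code %d" % code),
            "stime": f[4][1].decode("ascii"), "realm": f[9][1].decode("ascii"),
            "sname": "/".join(parts),
            "e_text": f[11][1].decode("ascii") if 11 in f else None}

class FakeKDC:
    """Assumed stand-in for a KDC: a fixed-size reply (the OCTET STRING plays the
    PAC) that it refuses to send over UDP once it exceeds udp_limit bytes."""
    def __init__(self, reply_size, udp_limit=1465):     # 1465 is an assumed limit
        self.as_rep = tlv(APP_AS_REP, tlv(0x30, ctx(0, der_int(5)) + ctx(1, der_int(11))
                                          + ctx(2, tlv(0x04, b"\xAA" * reply_size))))
        self.udp_limit, self.log = udp_limit, []
    def handle(self, request, transport):
        self.log.append(transport)
        if transport == "udp" and len(self.as_rep) > self.udp_limit:
            return build_krb_error(52, "COMPANY.LOCAL", ["krbtgt", "COMPANY.LOCAL"],
                                   "response too big for UDP, retry over TCP")
        if transport == "tcp":      # RFC 4120 7.2.2: 4-byte big-endian length prefix
            return struct.pack("!I", len(self.as_rep)) + self.as_rep
        return self.as_rep

def kdc_exchange(kdc, request):
    """UDP first; on KRB_ERR_RESPONSE_TOO_BIG repeat the same request over TCP."""
    reply = kdc.handle(request, "udp")
    if reply[0] != APP_KRB_ERROR:
        return "udp", reply
    err = parse_krb_error(reply)
    if err["error_code"] != 52:
        raise RuntimeError("KDC returned %(error_name)s: %(e_text)s" % err)
    framed = kdc.handle(request, "tcp")
    (length,) = struct.unpack("!I", framed[:4])
    return "tcp", framed[4:4 + length]

if __name__ == "__main__":
    err = parse_krb_error(build_krb_error(52, "COMPANY.LOCAL", ["krbtgt", "COMPANY.LOCAL"]))
    print("KRB_ERROR code=%d -> %s" % (err["error_code"], err["error_name"]))
    transport, rep = kdc_exchange(FakeKDC(reply_size=3000), b"AS-REQ placeholder")
    print("%d-byte reply arrived over %s" % (len(rep), transport))
```

A client that never takes the TCP branch, which is what the reply above describes for older Kerberos implementations, is left holding only the KRB-ERROR and reports the login as failed, which matches the "Received invalid credential" line in the debug.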

Thanks a lot for a quick answer. However, I am still confused how to solve this problem between Cisco and Windows AD.

I would like to use Kerberos to authenticate local Cisco users instead of radius authentication.

Under Windows 2003, I have created the user cisco1 to be able to create a keytab:

C:\Documents and Settings\admin>ktpass /crypto des-cbc-crc /desonly /ptype KRB5_NT_PRINCIPAL /pass PaSsWoRd123 /out cisco.keytab /princ host/cisco1.company.domain@COMPANY.LOCAL /mapuser cisco1@COMPANY.LOCAL
Targeting domain controller: ad01.company.local
Successfully mapped host/cisco1.company.domain to cisco1.
Key created.
Output keytab to cisco.keytab:
Keytab version: 0x502
keysize 68 host/cisco1.company.domain@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL)
vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0x233d1f4c91341029)
Account cisco1 has been set for DES-only encryption.

Cisco configuration:

aaa authentication login default krb5 local
username ciscoadmin password 7 ********
username joe password 7 ********
kerberos local-realm COMPANY.LOCAL
kerberos srvtab entry host/cisco1.company.domain@COMPANY.LOCAL
kerberos server COMPANY.LOCAL 192.168.11.14
kerberos preauth encrypted-kerberos-timestamp
kerberos credentials forward

Comment: the users ciscoadmin and joe in AD are members of 7 groups and have different passwords than the local users ciscoadmin and joe on the Cisco router.

Does the Cisco Kerberos client in IOS Version 12.4(12) use TCP, or does it use UDP only?

Regards,

Vladimir
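As an added example, not code from the thread or from Microsoft or Cisco, the following Python reads a keytab in the version 0x0502 format that the ktpass output above reports, and checks the entry the router will use against the principal named in the `kerberos srvtab entry` line. The sample keytab is constructed inline from the values ktpass printed (principal, ptype 1, vno 4, etype 1, the 8-byte key); the helper names, the deleted-slot handling and the "findings" wording are mine. It flags DES-CBC-CRC because RFC 6649 deprecated the DES enctypes, and it checks the DES key parity that ktpass is expected to set.

```python
"""Parse a version-0x0502 (MIT-format) keytab such as ktpass writes, and
check the entry for the principal the router's 'kerberos srvtab entry'
names: present, which enctype, kvno, and (for DES) odd key parity."""
import struct

# Enctype numbers from the IANA Kerberos registry. DES types were deprecated
# by RFC 6649, 3DES and RC4 by RFC 8429.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}
DEPRECATED = {1, 3, 16, 23}
NAME_TYPES = {1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST", 3: "KRB5_NT_SRV_HST"}

def _counted(buf, pos):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    (n,) = struct.unpack_from("!H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def _counted_enc(b):
    return struct.pack("!H", len(b)) + b

def build_keytab_entry(principal, kvno, etype, key, name_type=1, timestamp=0):
    """One v2 entry: int32 size, uint16 ncomp, realm, components, uint32 name_type,
    uint32 timestamp, uint8 vno8, keyblock {uint16 etype, key}, uint32 vno."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack("!H", len(comps)) + _counted_enc(realm.encode())
    for c in comps:
        body += _counted_enc(c.encode())
    body += struct.pack("!IIBH", name_type, timestamp, kvno & 0xFF, etype)
    body += _counted_enc(key) + struct.pack("!I", kvno)
    return struct.pack("!i", len(body)) + body

def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab, header %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from("!i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from("!H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        name_type, timestamp, vno8, etype = struct.unpack_from("!IIBH", data, pos)
        pos += 11
        key, pos = _counted(data, pos)
        vno = vno8
        if end - pos >= 4:            # optional 32-bit kvno; nonzero value wins
            (vno32,) = struct.unpack_from("!I", data, pos)
            vno = vno32 or vno8
        entries.append({"principal": "%s@%s" % ("/".join(comps), realm.decode()),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": vno, "etype": etype, "key": key})
        pos = end
    return entries

def des_parity_ok(key):
    """DES keys carry odd parity in every byte; ktpass emits keys that do."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def check_srvtab(entries, srvtab_principal):
    """(found, findings) for the principal the router's srvtab entry names."""
    matches = [e for e in entries if e["principal"] == srvtab_principal]
    if not matches:
        return False, ["no entry for %s; keytab holds %s"
                       % (srvtab_principal, [e["principal"] for e in entries])]
    findings = []
    for e in matches:
        name = ETYPES.get(e["etype"], "etype %d" % e["etype"])
        if e["etype"] in DEPRECATED:
            findings.append("kvno %d uses deprecated %s" % (e["kvno"], name))
        if e["etype"] in (1, 3) and not des_parity_ok(e["key"]):
            findings.append("kvno %d DES key has bad parity" % e["kvno"])
    return True, findings

# Constructed sample: the entry the ktpass output above describes.
ROUTER_SRVTAB = "host/cisco1.company.domain@COMPANY.LOCAL"
SAMPLE_KEYTAB = build_keytab([build_keytab_entry(
    ROUTER_SRVTAB, kvno=4, etype=1, key=bytes.fromhex("233d1f4c91341029"))])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%s kvno=%d %s key=%s" % (e["principal"], e["kvno"],
              ETYPES.get(e["etype"], e["etype"]), e["key"].hex()))
    print(check_srvtab(parse_keytab(SAMPLE_KEYTAB), ROUTER_SRVTAB))
```

Two things this catches before touching the router: the principal string in the keytab must equal the one in the `kerberos srvtab entry` line character for character, and the kvno in the keytab must be the one the KDC currently holds for the account (re-running ktpass bumps it, which silently invalidates the key already loaded on the router).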

Hi,

What kind of users are we trying to authenticate, like VPN or wireless, etc.?

Regards,

~JG

Hi,

Just a local Cisco user that should have access to the router and run some set of show commands.

The same username is active in AD.

With RADIUS it's working, but switching to Kerberos is causing the problem above.

Regards,

Vladimir
