Cisco Support Community
Kerberos and Windows 2003 KDC

Hi,

I'm trying to configure Kerberos authentication for local users on Cisco. The KDC is running under Windows 2003, but I got the following error from debugging:

AAA/BIND(000002D4): Bind i/f

AAA/AUTHEN/LOGIN (000002D4): Pick method list 'default'

Kerberos: All dialogue with KDC will now use default interface as source

Kerberos: Sent TGT request to KDC 192.168.11.14

Kerberos: Received TGT reply from KDC 192.168.11.14

Kerberos: KRB_ERROR (code=52) returned

Kerberos(000002D4): Received invalid credential.

Where can I find those Cisco KRB_ERROR codes?

Best regards,

Vladimir

  • AAA Identity and NAC
5 REPLIES

Re: Kerberos and Windows 2003 KDC

Hi Vladimir,

It's caused by AD needing to return a particularly large number of groups that a user belongs to, and trying to switch to TCP instead of UDP because of UDP packet size limits.

Older versions of Kerberos don't support TCP, and thus don't know what to do.

Hope that helps!

Regards,

~JG
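For reference, the numeric error codes the IOS debug prints are the standard Kerberos KRB-ERROR codes from RFC 4120 section 7.5.9; code 52 is KRB_ERR_RESPONSE_TOO_BIG, which RFC 4120 section 7.2.1 says the client must answer by retrying the same request over TCP. The following is an added example, not code from the thread or from Cisco IOS: it builds a constructed KRB-ERROR message with a minimal DER encoder, decodes it back, maps the error code to its RFC name, and applies the retry-over-TCP rule. The realm COMPANY.LOCAL comes from the thread; the krbtgt service name, timestamp and e-text are assumptions.

```python
"""Decode a Kerberos KRB-ERROR (RFC 4120 section 5.9.1) and apply the
UDP-to-TCP retry rule of RFC 4120 section 7.2.1.

Added example; not part of the original forum thread or of Cisco IOS.
The sample messages are constructed inline with a tiny DER encoder.
"""

# Subset of the error codes listed in RFC 4120 section 7.5.9.
KRB_ERROR_CODES = {
    0: "KDC_ERR_NONE",
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    18: "KDC_ERR_CLIENT_REVOKED",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    31: "KRB_AP_ERR_BAD_INTEGRITY",
    37: "KRB_AP_ERR_SKEW",
    52: "KRB_ERR_RESPONSE_TOO_BIG",
    60: "KRB_ERR_GENERIC",
}
KRB_ERR_RESPONSE_TOO_BIG = 52
MSG_TYPE_KRB_ERROR = 30

# ---- minimal DER encoder: just enough to build a KRB-ERROR -----------------

def _der_len(n: int) -> bytes:
    """DER length: short form below 128, otherwise 0x80|count + big-endian."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def der_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form (Int32 in RFC 4120)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= v < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, v.to_bytes(size, "big", signed=True))

def der_str(s: str) -> bytes:      # KerberosString is a GeneralString
    return tlv(0x1B, s.encode("ascii"))

def der_time(t: str) -> bytes:     # KerberosTime is a GeneralizedTime
    return tlv(0x18, t.encode("ascii"))

def ctx(n: int, inner: bytes) -> bytes:   # [n] EXPLICIT context tag
    return tlv(0xA0 | n, inner)

def principal(name_type: int, parts: list) -> bytes:
    """PrincipalName ::= SEQUENCE { [0] name-type, [1] SEQUENCE OF string }."""
    names = tlv(0x30, b"".join(der_str(p) for p in parts))
    return tlv(0x30, ctx(0, der_int(name_type)) + ctx(1, names))

def build_krb_error(code: int, realm: str, sname: list, etext: str = "") -> bytes:
    """KRB-ERROR ::= [APPLICATION 30] SEQUENCE { ... }; optional fields omitted."""
    fields = (ctx(0, der_int(5)) + ctx(1, der_int(MSG_TYPE_KRB_ERROR))
              + ctx(4, der_time("20240101120000Z")) + ctx(5, der_int(0))
              + ctx(6, der_int(code)) + ctx(9, der_str(realm))
              + ctx(10, principal(2, sname)))          # 2 = NT-SRV-INST
    if etext:
        fields += ctx(11, der_str(etext))
    return tlv(0x7E, tlv(0x30, fields))                # 0x7E = [APPLICATION 30]

# ---- decoder ---------------------------------------------------------------

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content

def decode_principal(seq_content: bytes) -> list:
    for ctag, content in iter_tlvs(seq_content):
        if (ctag & 0x1F) == 1:                         # [1] name-string
            _, strings, _ = read_tlv(content)
            return [s.decode("ascii") for _, s in iter_tlvs(strings)]
    return []

def parse_krb_error(data: bytes) -> dict:
    tag, body, _ = read_tlv(data)
    if tag != 0x7E:
        raise ValueError("not a KRB-ERROR: expected [APPLICATION 30]")
    _, seq, _ = read_tlv(body)
    fields = {}
    for ctag, content in iter_tlvs(seq):
        n = ctag & 0x1F
        _, inner, _ = read_tlv(content)                # unwrap the EXPLICIT tag
        if n in (0, 1, 6):                             # pvno, msg-type, error-code
            fields[n] = int.from_bytes(inner, "big", signed=True)
        elif n in (9, 11):                             # realm, e-text
            fields[n] = inner.decode("ascii")
        elif n == 10:                                  # sname
            fields[n] = decode_principal(inner)
    if fields.get(1) != MSG_TYPE_KRB_ERROR:
        raise ValueError("msg-type is not KRB_ERROR")
    code = fields[6]
    return {"pvno": fields.get(0), "error_code": code,
            "error_name": KRB_ERROR_CODES.get(code, "unknown"),
            "realm": fields.get(9), "sname": fields.get(10),
            "e_text": fields.get(11)}

def should_retry_over_tcp(err: dict) -> bool:
    """RFC 4120 7.2.1: on KRB_ERR_RESPONSE_TOO_BIG the client must resend the
    request over TCP. A UDP-only client has no way to recover from it."""
    return err["error_code"] == KRB_ERR_RESPONSE_TOO_BIG

# Constructed sample: the error the thread's debug output reports (code=52).
SAMPLE_KRB_ERROR = build_krb_error(52, "COMPANY.LOCAL", ["krbtgt", "COMPANY.LOCAL"])

if __name__ == "__main__":
    err = parse_krb_error(SAMPLE_KRB_ERROR)
    print(err["error_code"], err["error_name"], "retry over TCP:",
          should_retry_over_tcp(err))
```

The decoder deliberately stops at the fields a client needs to act on; a real implementation would also check pvno and handle e-data, which carries the PA-DATA hints that accompany error 25.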


Re: Kerberos and Windows 2003 KDC

Thanks a lot for a quick answer. However, I am still confused how to solve this problem between Cisco and Windows AD.

I would like to use Kerberos to authenticate local Cisco users instead of radius authentication.

Under Windows 2003, I have created the user cisco1 to be able to create a keytab:

C:\Documents and Settings\admin>ktpass /crypto des-cbc-crc /desonly /ptype KRB5_NT_PRINCIPAL /pass PaSsWoRd123 /out cisco.keytab /princ host/cisco1.company.domain@COMPANY.LOCAL /mapuser cisco1@COMPANY.LOCAL

Targeting domain controller: ad01.company.local

Successfully mapped host/cisco1.company.domain to cisco1.

Key created.

Output keytab to cisco.keytab:

Keytab version: 0x502

keysize 68 host/cisco1.company.domain@COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL)

vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0x233d1f4c91341029)

Account cisco1 has been set for DES-only encryption.

Cisco configuration:

aaa authentication login default krb5 local

username ciscoadmin password 7 ********

username joe password 7 ********

Comment: the ciscoadmin and joe users under AD are members of 7 groups, and they have a different password than the local users ciscoadmin and joe on the Cisco router.

kerberos local-realm COMPANY.LOCAL

kerberos srvtab entry host/cisco1.company.domain@COMPANY.LOCAL

kerberos server COMPANY.LOCAL 192.168.11.14

kerberos preauth encrypted-kerberos-timestamp

kerberos credentials forward

Does the Cisco Kerberos client under IOS Version 12.4(12) use TCP, or does it use UDP only?

Regards,

Vladimir

Re: Kerberos and Windows 2003 KDC

Hi,

What kind of users are we trying to authenticate, like VPN or wireless, etc.?

Regards,

~JG


Re: Kerberos and Windows 2003 KDC

Hi,

Just a local Cisco user that should have access to the router and run some set of show commands.

The same username is active in AD.

With RADIUS it's working, but switching to Kerberos is causing the problem above.

Regards,

Vladimir

Re: Kerberos and Windows 2003 KDC

Keeping the thread live for inputs.
