Windows Kerberos Troubleshooting
Credentials Manager
Telnet
FTP
General
Eudora (used by NCSA staff)
If all else fails, contact kerberos@ncsa.uiuc.edu for assistance.
krb5: Preauthentication failed while logging in
See the description of failed preauthentication with kinit in the
Unix Troubleshooting page.
krb5: No more memory to allocate (in credentials cache code) while retrieving a ticket
I have seen this caused by an apparently corrupted credential cache.
I don't know what causes the corruption, but I suspect simultaneous accesses
of some sort.
To fix, delete the credentials cache file, called krb5cc, which
is located in your WINNT or WINDOWS directory (e.g. C:\WINDOWS).
krb5: The dynamic library libafstokens.dll could not be found in the specified path
This happens when AFS support is enabled but the DLL for AFS cannot be
found. Unless you have a Windows NT machine with an AFS client installed,
you don't want AFS support enabled.
To disable AFS support, run the Kerberos 5 Credentials Manager, and
under the File menu select Options.
In the options menu, in the area labeled AFS Token, make sure
the boxes for Get and Destroy are not selected.
Telnet: "KDC can't fulfill requested option Kerberos V5: error getting forwarded creds" when trying to connect
I've seen two causes for this error. The first is that when you got
your Kerberos 5 ticket using the Credentials Manager you did not request
a forwardable ticket, but when you requested the connection with telnet
you requested that the ticket be forwarded. To fix this, either go back
and rerun the Credentials Manager and under File | Options select Forwardable
and then get a new ticket, or under Telnet deselect Forward Credentials.
I suggest doing the first.
The other case where this arises is when you have changed your IP address
since you acquired your Kerberos ticket. This can happen if you dial in,
disconnect and then dial back in. Since your IP address is hardcoded into
your ticket when you get it, the ticket is no longer valid when your IP address
changes. You must rerun the Credentials Manager and get a new ticket.
Telnet: "Unknown code S8952 while authorizing"
(OLD) I've seen this caused because the user had an old C:\Windows\Krb.con
file which didn't explicitly specify port 88 for the KDC. C:\Windows\Services
contained an entry for kerberos listing port 750, and the KDC was running
on an AFS server which had its authentication daemon running on port 750.
krb5: Getting tickets through Credentials Manager unusually slow (10-15 seconds)
Telnet: Takes 2 minutes to connect, then still prompted for a password
The quick fix for this is to download distribution 1.03 or later of the
NCSA Kerberos distribution for Windows.
These problems were caused by a combination of two things:
- The presence of the following line in krb5.ini:
kdc = 141.142.3.8:88
- A need to install the "Dial-up Networking Upgrade 1.2"
So the fix is either to remove the line from krb5.ini or to install the
upgrade.
Telnet: Authorization failed
I have seen this problem occur when a user creates a .k5login file in his
home directory and does not add his own principal to the file. If this is
the case, just add the user's principal to his .k5login.
FTP: Miscellaneous Failure, Wrong principal in request, error: accepting context, ADAT failed
This error from the Windows FTP client appeared when a server had an
ftp/server.ncsa.uiuc.edu principal in the KDC database, but the server
no longer had the ftp service principal in its /etc/krb5.keytab.
General: Acquired tickets are for the wrong IP address
I've seen this happen on a Windows box with multiple network cards plugged
in and configured, apparently causing the box to give the Kerberos clients
the wrong IP number to request.
Eudora: "ERR recvauth failed--Unknown code krbult 28" when checking mail
Eudora: "ERR recvauth failed--Incorrect net address" when checking mail
These errors occur under Eudora when you have a valid Kerberos ticket,
but have changed your IP address since you acquired it. This can happen
if you dial in, disconnect and then dial back in. Since your IP address
is hardcoded into your ticket when you get it, the ticket is no longer
valid when your IP address changes. Currently the only known fix is
to delete your kerberos ticket and reauthenticate. Rerun the program krb
you originally ran to get your ticket and repeat the
procedure to acquire a ticket.
Eudora: "Kerberos Permission Denied" after typing in Kerberos password.
This error occurs because Eudora is trying to authenticate to AFS instead
of Kerberos 5. This usually occurs when some sort of Windows networking software
has been installed and the Services file has been overwritten. To fix this,
quit Eudora, and reinstall the Kerberos configuration files.
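A way to check for the condition behind both this error and the "Unknown code S8952" case above, as an added example that is not part of the NCSA distribution: it scans a Services file for kerberos entries on a port other than 88 and a krb5.ini for kdc lines with no explicit port. The file contents, realm and host names are constructed samples, and treating a port-less kdc line as dependent on the Services lookup is an assumption taken from the description above.

```python
import re

# Constructed sample of a Services file overwritten by other software.
SAMPLE_SERVICES = """\
ftp        21/tcp
kerberos   750/udp  kdc     # port used by the AFS authentication daemon
kerberos   750/tcp  kdc
pop3       110/tcp
"""

# Constructed sample krb5.ini; realm and hosts are placeholders.
SAMPLE_KRB5_INI = """\
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        kdc = kdc2.example.org:88
        admin_server = kdc1.example.org
    }
"""

def kerberos_ports(services_text):
    """Return the set of (port, proto) that the Services file maps 'kerberos' to."""
    found = set()
    for line in services_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comment
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        names = [fields[0].lower()] + [a.lower() for a in fields[2:]]
        if "kerberos" in names:                  # service name or alias
            port, proto = fields[1].split("/", 1)
            if port.isdigit():
                found.add((int(port), proto.lower()))
    return found

def kdcs_without_port(krb5_ini_text):
    """Return kdc hosts whose 'kdc =' line carries no explicit :port."""
    hosts = re.findall(r"^\s*kdc\s*=\s*(\S+)", krb5_ini_text, re.M | re.I)
    return [h for h in hosts if not re.search(r":\d+$", h)]

def audit(services_text, krb5_ini_text):
    """Flag the risky combination: kerberos mapped off port 88 plus a port-less kdc."""
    bad_ports = sorted(p for p in kerberos_ports(services_text) if p[0] != 88)
    portless = kdcs_without_port(krb5_ini_text)
    return {"non_88_service_entries": bad_ports,
            "kdc_without_port": portless,
            "at_risk": bool(bad_ports and portless)}

if __name__ == "__main__":
    print(audit(SAMPLE_SERVICES, SAMPLE_KRB5_INI))
```

On a real machine, pass in the contents of the Services file and krb5.ini in place of the samples.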
Eudora: "Could not launch Kerb16.exe" when checking mail
Eudora used to use an executable called kerb16.exe to do Kerberos
authentication. It no longer does this, but uses kclnt32.dll instead. However,
it still prints out this error message when it can't find or run kclnt32.dll
or krb5_32.dll, which kclnt32.dll relies on.
Note that I have also seen Eudora display this error when I cannot find
a cause for it. This is still an open bug. The workaround is to shut down
and restart Eudora.
For history's sake, kerb16.exe can be found at
ftp://terminator.rs.itd.umich.edu/ldap/windows/kerberos/EudoraPro/kerb16.exe
Eudora: "Time is out of bounds (krb_rd_req)" after typing in Kerberos password
krb5: Clock skew too great in reply from KDC
This is caused by an apparent mismatch between the time on your system
and the time on the Kerberos KDC. This can have one of several causes:
- The time on your system is wrong. Check the time on your system and
make sure it's accurate (within 5 minutes). See the section on
Time Synchronization for fixes.
- You have the TZ environment variable set incorrectly.
Open a command prompt and run the set command. Look for a line
containing TZ= and check the value. If the value does not specify
your correct timezone, you need to fix this. Check C:\autoexec.bat
to see if TZ is being set there and, if so, correct it. The other place
TZ might be set is in the System control panel under Environment.
- (OLD) You are running PGPMail. We're seeing some sort of conflict right
now running both PGPMail and Kerberos with Eudora. (XXX need better directions
here) If you quit Eudora and then quit PNDetect and then start Eudora,
Kerberos should work again.
Eudora: Fails with Bad password errors when password is known to be correct
This can happen if the user's principal on the KDC doesn't have a V4
salt. The Kerberos administrator should run kadmin and check the user's
principal for a V4 salt. There appears to be a bug in kadmin/kadmind under
Solaris where a user will be added without a V4 salt. To correct this, restart
all the KDC processes, then delete and re-add the user. See the entry
in the general troubleshooting section.
Eudora: "Unknown code 10053 while using sendauth" when checking mail
This error is apparently caused if popper is not running on the specified host.
Eudora: "Unknown code 10035 while using sendauth" when checking mail
This is caused because Eudora is using asynchronous Winsock calls. Under
Tools, select Options. When the options menu comes up, select
Advanced Network. Under "Use asynchronous Winsock calls for:" make sure
the box next to "All others" is NOT selected.
Eudora: "Kclnt32: Incorrect net address getting credentials for popper" when checking mail
This happens when the computer is connected to the network through
a Network Address Translation (NAT) router, typically used for sharing a
cable modem connection. The problem is that the wrong IP address is being
stored with the tickets. This can be fixed in the Credentials Manager.
Run the Credentials Manager and select Options from the
File menu. Check the No IP address checkbox and click OK.
Then log in again to get a new copy of your Kerberos credentials that don't have an
IP address in them.
Questions or comments about this page may be sent to kerberos@ncsa.uiuc.edu