
Re: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN Help: msg#00058

network.samba.java

Subject: Re: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN Help

On Thu, 13 Jan 2005 16:50:25 +0000 (UTC)
David Pattison <david.pattison@xxxxxxxxxxx> wrote:

> My question is what does the above error mean, and more importantly how to
> solve it? All I know is that it involves the Server not being found in the
> Kerberos database.

A Principal is like a user but can also refer to a machine or a service. The
name of the Principal is in the form 'primary/instance@realm'. A user
Principal name is usually just like 'me@xxxxxxxxxxxxx' whereas server and
service Principal names are like
'host/servername.mycompany.com@xxxxxxxxxxxxx'.

Kerberos is a "third party authentication" system. So if you want to talk to
a server you authenticate using your own Principal, the server authenticates
using its Principal, and then you ask the KDC for a ticket to talk
specifically to that server. There's data encrypted with the target server's
session key. You can't decrypt it but the target server can in which case it
knows the ticket came from the KDC and therefore the client must be legit.

This PDF has a very nice description of Kerberos authentication of HTTP
clients:

http://bofriis.dk/portalprotect/SPNEGO%20authentication%20using%20JGSS.pdf

Ultimately what you need to do is determine what your server Principal name
is and then add it to the Kerberos database. In the above document for
example, the server Principal name is 'HTTP/www.test.net@xxxxxxxx'.

Mike

--
Greedo shoots first? Not in my Star Wars.
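
Added example, not part of the message above: a small Python check that parses names of the form 'primary/instance@realm', derives the HTTP service Principal for a URL, and reports whether it is in a list of registered Principals. The realm EXAMPLE.COM, the host names and the REGISTERED list are constructed, and the client is assumed to use the URL host as typed.

```python
from urllib.parse import urlsplit

def parse_principal(name):
    """Split 'primary/instance@REALM' into (components, realm).
    A backslash escapes '/', '@' and itself inside a component."""
    comps, cur, realm, esc, in_realm = [], [], [], False, False
    for ch in name:
        target = realm if in_realm else cur
        if esc:
            target.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == "@" and not in_realm:
            in_realm = True
        elif ch == "/" and not in_realm:
            comps.append("".join(cur))
            cur = []
        else:
            target.append(ch)
    comps.append("".join(cur))
    if esc or not all(comps):
        raise ValueError(f"malformed principal: {name!r}")
    return tuple(comps), "".join(realm) or None

def expected_spn(url, realm):
    """Service principal requested for an HTTP(S) URL, assuming the
    client uses the URL host as typed (no DNS canonicalization)."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return f"HTTP/{host}@{realm}"

def diagnose(url, realm, registered):
    """Return (spn, status, near_miss) against the KDC's principal list."""
    spn = expected_spn(url, realm)
    want = parse_principal(spn)
    if any(parse_principal(p) == want for p in registered):
        return spn, "found", None
    label = want[0][1].split(".")[0]  # first DNS label of the requested host
    for p in registered:
        comps, r = parse_principal(p)
        if len(comps) == 2 and r == realm and comps[0].upper() == "HTTP" \
                and comps[1].lower().split(".")[0] == label:
            return spn, "S_PRINCIPAL_UNKNOWN", p  # short name vs. FQDN mismatch
    return spn, "S_PRINCIPAL_UNKNOWN", None

# Constructed sample data, not taken from the thread.
REGISTERED = ["krbtgt/EXAMPLE.COM@EXAMPLE.COM", "host/www.example.com@EXAMPLE.COM",
              "HTTP/www.example.com@EXAMPLE.COM", "me@EXAMPLE.COM"]
```

A near miss in the third field usually means the client asked for a short host name while the database holds the fully qualified one, or the reverse.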


