>PFA the latest logs. > >I'm able to enter the PIN then this log is generated. Please let us >know what is the next step? > >[...] >kinit: KDC reply did not match expectations while getting initial credentials
Huh, JUST when you think you've seen every Kerberos error, you get a new one. So, I am kinda surprised your KDC certificate doesn't contain even an id-kp-serverAuth EKU. I wonder who created the server certificate? Was this just a test realm that was deployed internally? So, I am wondering ... is your realm name blrdhcdev.com or BLRDHCDEV.COM? (Case matters). Because in the kinit command you use the lower-case form but some of the log messages that implies that it's the upper-case form. I suspect you're getting tripped up by the code in get_in_tkt.c:verify_as_reply() that compares various fields in the request against the reply, so if your request is using the lower-case realm but the reply is with an upper-case realm, that could cause this error. If you put a bunch of config file entries in your krb5.conf based on the lower-case realm, those should all be in upper case. (In general, Kerberos realms are upper-case. The only person I know who deployed a lower-case realm said that if he had to do it all over again, he wouldn't because too much code assumes an upper-case realm). --Ken ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
