Kerberos Authentication Error
sheckandar,
User (Posts: 4)
Dec 18, 2024 4:01:28 pm EST
Support level: Free or trial
We have NTLM disabled across the entire domain. I'm trying to use Kerberos Windows Authentication, but it fails.
Host error:
Code: #35#
Event: Password is incorrect or error occurs.
IP: loopback
Hosts are connected to a self hosted server outside of the domain. Viewer is on another PC and connecting to hosts over Internet via the self hosted server. The PC with Viewer is domain joined to a different domain.
All Remote Utilities software is of the latest version.
Pauline,
Support (Posts: 2889)
Dec 18, 2024 5:58:42 pm EST
Hello,
Thank you for your message.
It seems that the issue might be caused by a mismatch in the Kerberos authentication process due to the following factors:
1. Different Domains: since the Viewer PC and the hosts are in separate domains, Kerberos requires proper cross-domain trust to authenticate. If there's no trust relationship between the two domains, authentication will fail. Please try verifying if the domains have a two-way trust configured. If not, set up the required trust relationship or ensure both systems are in the same domain for Kerberos to work.
2. Time Synchronization: Kerberos authentication is sensitive to time discrepancies. If the clocks between the Viewer PC, Host PC, the self-hosted RU Server, and the domain controllers are not in sync, it will fail. Please double-check to ensure all machines are synchronized to the same NTP server.
3. Password Incorrect Error: The error suggests authentication attempts with invalid credentials. Ensure:
- The correct username/password is used.
- The account has not been locked out due to failed attempts.
- The account being used has permission to authenticate against the target system.
4. Last but not least, fallback to NTLM: since NTLM is disabled, any fallback attempts by Remote Utilities will fail if Kerberos isn’t configured correctly. Ensure Kerberos is the only supported and functional authentication protocol.
Finally, double-check the Connection Properties -> Security to ensure Kerberos authentication is properly enabled and configured.
Hope this helps!
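An added example, not part of the original posts and not Remote Utilities code: the host-side "#35#" message does not say which of the factors listed above applies, but the Kerberos failure codes a domain controller records in Security events 4768, 4769 and 4771 usually do. The one-line log format, the sample lines and the code-to-factor mapping are assumptions made for this example.

```python
import re

# Kerberos error codes (RFC 4120) as they appear, in hex, in the failure/result
# code of Windows Security events 4768, 4769 and 4771. The "factor" number maps
# each code to the checklist item above; that mapping is this example's own.
FACTORS = {
    0x07: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", 1, "SPN not known to this KDC: check SPN and trust"),
    0x44: ("KDC_ERR_WRONG_REALM", 1, "request reached the wrong realm: no usable trust path"),
    0x25: ("KRB_AP_ERR_SKEW", 2, "clock skew too great: compare clocks with the DC"),
    0x06: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", 3, "user principal not known to this KDC"),
    0x12: ("KDC_ERR_CLIENT_REVOKED", 3, "account disabled, expired or locked out"),
    0x18: ("KDC_ERR_PREAUTH_FAILED", 3, "pre-authentication failed: wrong password"),
}

# Constructed one-line export format (not a real Windows or Remote Utilities format).
LINE = re.compile(
    r"EventID=(?P<event>4768|4769|4771)\s+Account=(?P<account>\S+)\s+"
    r"Service=(?P<service>\S+)\s+Code=(?P<code>0x[0-9A-Fa-f]+)"
)

SAMPLE = [  # constructed sample lines
    "2025-01-10T09:00:01 EventID=4768 Account=alice@CORP.EXAMPLE Service=krbtgt/CORP.EXAMPLE Code=0x0",
    "2025-01-10T09:00:02 EventID=4769 Account=alice@CORP.EXAMPLE Service=host/pc01.corp.example Code=0x7",
    "2025-01-10T09:00:05 EventID=4771 Account=bob@CORP.EXAMPLE Service=krbtgt/CORP.EXAMPLE Code=0x18",
    "2025-01-10T09:00:09 EventID=4771 Account=carol@CORP.EXAMPLE Service=krbtgt/CORP.EXAMPLE Code=0x25",
    "2025-01-10T09:00:12 EventID=4624 Account=dave@CORP.EXAMPLE Service=- Code=0x0",
]

def classify(lines):
    """Return one finding per failed Kerberos event; successes and other events are skipped."""
    findings = []
    for line in lines:
        m = LINE.search(line)
        if m is None:
            continue  # not a Kerberos KDC event in the expected format
        code = int(m["code"], 16)
        if code == 0:
            continue  # 0x0 means the ticket was issued
        name, factor, hint = FACTORS.get(code, ("UNMAPPED", None, "look the code up in RFC 4120"))
        findings.append({"account": m["account"], "service": m["service"],
                         "error": name, "factor": factor, "hint": hint})
    return findings

if __name__ == "__main__":
    for f in classify(SAMPLE):
        print(f"factor {f['factor']}: {f['error']} for {f['account']} -> {f['service']} ({f['hint']})")
```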
sheckandar,
User (Posts: 4)
Dec 18, 2024 8:54:41 pm EST
Support level: Free or trial
1. Host domain and Viewer domain are unrelated and cannot have trust set up.
2. Time is correct on all computers and synced via NTP.
3. I am not being asked to enter any credentials before authentication failure is reported.
4. I think Kerberos is set up correctly as I can authenticate for RDP and it works.
I set up SPN for my username as host/<username>.<fqdn>, however, the issue remained. Also, the SPN entry under Connection Properties -> Security disappears after each authentication attempt.
I would like to know more about how Kerberos authentication is handled.
I was under the impression that the Host would initiate Kerberos authentication as it is the only endpoint inside the AD domain. All other software is outside the domain and cannot communicate with the Kerberos server. Furthermore, since I'm not being asked to enter any credentials, I'm assuming that the Viewer is using logged on user's security context to request a Kerberos ticket, which would fail since the domains are different.
Conrad Sallian,
Support (Posts: 3088)
Dec 19, 2024 12:06:37 pm EST
Hello Sheckandar,
Do you use RU Server in your setup?
sheckandar,
User (Posts: 4)
Dec 19, 2024 6:25:43 pm EST
Support level: Free or trial
Conrad Sallian wrote:
Hello Sheckandar,
Do you use RU Server in your setup?
Yes, I do.
Conrad Sallian,
Support (Posts: 3088)
Dec 20, 2024 12:02:49 pm EST
Then this might be a currently confirmed bug. It will be fixed in the next server update.
Would you mind if we send you a test server .exe for you to verify that the problem is fixed? We can prepare it within the next few days. Feel free to send us a message to support@remoteutilities.com so we can send you a download link later.
Sorry for the inconvenience.
sheckandar,
User (Posts: 4)
Dec 22, 2024 7:53:04 pm EST
Support level: Free or trial
I tried the test files, but the issue persists. In addition, I am seeing another error on the host side.
Code: #35#
Event: Password is incorrect or error occurs.
IP: loopback
Code: #63#
Event: Exception: Error TMyOpenSSLSocket.ReadStream. (EMyOpenSSLException).
IP:
Data:
date/time : 2024-12-22, 17:49:35, 850ms
computer name : <redacted>
user name : SYSTEM <admin>
registered owner : Recovery
operating system : Windows 10 x64 build 19045
system language : English
system up time : 16 hours 40 minutes
program up time : 43 seconds
processors : 4x Intel® Core i5-6500T CPU @ 2.50GHz
physical memory : 11708/16231 MB (free/total)
free disk space : (C:) 150.18 GB
display mode : 1024x768, 32 bit
process id : $2a8c
allocated memory : 38.10 MB
largest free block : 1.63 GB
command line : "C:\Program Files (x86)\Remote Utilities - Host\rutserv.exe" -service
executable : rutserv.exe
exec. date/time : 2024-10-16 21:30
version : 7.6.2.0
callstack crc : $9f1db5de, $37061158, $37061158
exception number : 1
exception class : EMyOpenSSLException
exception message : Error TMyOpenSSLSocket.ReadStream.
thread $20d8 (TMyOpenSSLMsgTransportThread):
00ec49e3 +0b7 rutserv.exe uOpenSSLUtils 942 +34 TMyOpenSSLSocket.ReadStream
00ec49e9 +0bd rutserv.exe uOpenSSLUtils 942 +34 TMyOpenSSLSocket.ReadStream
00ec4a83 +037 rutserv.exe uOpenSSLUtils 955 +5 TMyOpenSSLSocket.ReadInt32
00ec540b +2df rutserv.exe uOpenSSLUtils 1241 +99 TMyOpenSSLMsgTransportThread.Execute
00bbc293 +02b rutserv.exe madExcept HookedTThreadExecute
00bbc2fe +096 rutserv.exe madExcept HookedTThreadExecute
00c4b625 +049 rutserv.exe System.Classes ThreadProc
00c4b688 +0ac rutserv.exe System.Classes ThreadProc
00b0b174 +028 rutserv.exe System 1267 +0 ThreadWrapper
00bbc179 +00d rutserv.exe madExcept CallThreadProcSafe
00bbc1de +032 rutserv.exe madExcept ThreadExceptFrame
00bbc254 +0a8 rutserv.exe madExcept ThreadExceptFrame
7681fcc7 +017 KERNEL32.DLL BaseThreadInitThunk
>> created by thread $269c (TIdThreadWithTask) at:
00c4b6ec +018 rutserv.exe System.Classes TThread.Create
main thread ($924):
00000000 +ff4c390c rutserv.exe madStackTrace +0 StackAddrToStr
>> stack will be calculated soon
cpu registers:
eax = 04bcc450
ebx = 00ec0f64
ecx = 00000000
edx = 027dadf8
esi = 04bcc450
edi = 00bbc1ac
eip = 00ec49e8
esp = 081ef800
ebp = 081ef854
disassembling:
[...]
00ec49cb mov dword ptr [eax+$24], $a
00ec49d2 942 mov ecx, $ec4a08
00ec49d7 mov dl, 1
00ec49d9 mov eax, [$ec08f0]
00ec49de call -$360f93 ($b63a50) ; System.SysUtils.Exception.Create
00ec49e3 > call -$3ba07c ($b0a96c) ; System.@RaiseExcept
00ec49e8 pop eax
00ec49e9 jmp eax
00ec49eb jmp -$3ba228 ($b0a7c8) ; System.@HandleFinally
00ec49f0 jmp loc_ec49b7
00ec49f2 945 movzx eax, byte ptr [ebp-$d]
[...]
Conrad Sallian,
Support (Posts: 3088)
Dec 30, 2024 4:12:07 am EST
Hello,
Unfortunately, we couldn’t reproduce the issue. Please allow us some time to investigate further.
* Website time zone: America/New_York (UTC -5)