Client Fail to update DDNS using gss-tsig
04-26-2020 01:30 AM - edited 04-26-2020 01:56 AM
Hi Teams,
I'm doing a lab about DDNS. The scenario is a client (already joined to the domain corp.abc.net) updating its IP on an Infoblox appliance that is running DNS.
Here is what I've done:
1. Create a user on the domain controller (ib, password P@ssw0rd)
2. Create a keytab file on the domain controller (ktpass -princ DNS/ib.abc.net@CORP.ABC.NET -mapuser ib@corp.abc.net -pass P@ssw0rd -out c:\ns1.keytab -ptype krb5_nt_principal -crypto AES256-SHA1)
3. Import the keytab into Infoblox (already done).
4. Execute the command ipconfig /registerdns from the PC client
After the above activity, I checked the logs on Infoblox:
2020-04-26 21:56:01 ICT daemon ERROR named[13999] gss_accept_sec_context: continuation call to routine required
2020-04-26 21:56:01 ICT daemon INFO named[13999] GSS-TSIG verify stats: 0 ok, 0 failed (0 integrity, 0 time)
2020-04-26 21:56:01 ICT daemon INFO named[13999] GSS-TSIG accept stats: 0 ok, 1 failed (0 NTLM, 1 principal, 0 key, 0 integrity, 0 time)
2020-04-26 21:56:01 ICT daemon ERROR named[13999] 192.168.137.20#59616: GSS-TSIG authentication failed for (DNS/ib.corp.abc.net@CORP.ABC.NET, kvno 4, arcfour-hmac-md5): unknown principal
2020-04-26 21:56:01 ICT daemon ERROR named[13999] client @0x7fd5840f9000 192.168.137.20#57468: update 'corp.abc.net/IN' denied
Any step that I missed?
Thanks
Re: Client Fail to update DDNS using gss-tsig
05-07-2020 01:06 AM
This issue happened because the DC administrator created a wrong keytab file. It was not mapped to the correct user that had already been created.
Thanks
Re: Client Fail to update DDNS using gss-tsig
12-01-2023 08:47 AM - edited 01-30-2024 02:31 AM
I followed the same steps and mapped the right username. But in the Infoblox syslogs I am getting the error below:
10.239.40.254#54721: GSS-TSIG authentication failed for (DNS/ip-ib-00011-z5e.infoblox.com@domainname.net, kvno 6, arcfour-hmac-md5): unknown principal
Any suggestion for this?
Re: Client Fail to update DDNS using gss-tsig
12-06-2023 02:30 AM
I see that your clients are asking with the wrong encryption scheme "arcfour-hmac-md5".
I think the Infoblox support documents lack an important piece of information.
Fix
Please check whether the service AD account you map with the ktpass tool has the checkbox "This account supports Kerberos AES 256 bit encryption" set.
If not, check it, regenerate the keytab file, upload it to the appliance and reboot the DNS client machine.
Now they should query the AD controller and choose the stronger AES256 encryption for GSS-TSIG updates.
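As an added example (not code from this thread or from Infoblox), the Python script below parses the named GSS-TSIG failure lines quoted in the first post, compares the principal the client presented with the principal given to ktpass, and flags the arcfour-hmac-md5 enctype the last reply points to. The log format and the keytab principal are taken from the posts; the regular expression, the function names and the list of weak enctypes are my own assumptions.

```python
import re

# Constructed sample: the ktpass principal and named log lines quoted in this thread.
KEYTAB_PRINCIPAL = "DNS/ib.abc.net@CORP.ABC.NET"
SAMPLE_LOG = """\
2020-04-26 21:56:01 ICT daemon ERROR named[13999] gss_accept_sec_context: continuation call to routine required
2020-04-26 21:56:01 ICT daemon INFO named[13999] GSS-TSIG accept stats: 0 ok, 1 failed (0 NTLM, 1 principal, 0 key, 0 integrity, 0 time)
2020-04-26 21:56:01 ICT daemon ERROR named[13999] 192.168.137.20#59616: GSS-TSIG authentication failed for (DNS/ib.corp.abc.net@CORP.ABC.NET, kvno 4, arcfour-hmac-md5): unknown principal
2020-04-26 21:56:01 ICT daemon ERROR named[13999] client @0x7fd5840f9000 192.168.137.20#57468: update 'corp.abc.net/IN' denied
"""

# Matches the "GSS-TSIG authentication failed for (principal, kvno N, enctype): reason" shape seen above.
FAIL_RE = re.compile(
    r"(?P<client>[\d.]+)#\d+: GSS-TSIG authentication failed for "
    r"\((?P<principal>[^,]+), kvno (?P<kvno>\d+), (?P<enctype>[^)]+)\): (?P<reason>.+)$"
)

# Enctypes a client should not be negotiating for GSS-TSIG (assumed list; RC4-HMAC is the one in the thread).
WEAK_ENCTYPES = {"arcfour-hmac-md5", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}


def parse_failures(log_text):
    """Return one dict (client, principal, kvno, enctype, reason) per failure line."""
    failures = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["kvno"] = int(rec["kvno"])
            failures.append(rec)
    return failures


def triage(failure, keytab_principal):
    """Return human-readable findings for one failure record (empty list if nothing stands out)."""
    findings = []
    if failure["principal"] != keytab_principal:
        findings.append(f"principal mismatch: client presented {failure['principal']}, "
                        f"keytab holds {keytab_principal}")
    if failure["enctype"].lower() in WEAK_ENCTYPES:
        findings.append(f"weak enctype {failure['enctype']}: enable AES on the service account "
                        f"and regenerate the keytab")
    return findings


if __name__ == "__main__":
    for rec in parse_failures(SAMPLE_LOG):
        for finding in triage(rec, KEYTAB_PRINCIPAL):
            print(f"{rec['client']}: {finding}")
```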