Has anyone had any experience getting Kerberos authentication to work from the Windows ThinLinc client?
The Kerberos setup on the server side is fine — I’ve verified that by connecting successfully from WSL using:
ssh -K user@server
It works like a charm there. I know that WSL uses MIT/Berkeley Kerberos, while Windows uses its own native implementation (which feels like some proprietary piece of *@#!).
The ThinLinc client on Windows won’t authenticate using Kerberos at all, and to make matters worse, even trying ssh from PowerShell or Command Prompt doesn’t seem to recognize that it should use the existing Kerberos ticket — even though I’ve verified that the ticket is valid and present.
What do you mean? I AM using the windows native Kerberos methot and trying to authenticate trough thinlink with it? But the Windows nativ kerberos isn’t working.
on the server side i get this
Jun 27 07:44:48 xxxxxxxxxxxxx sshd[12947]: debug1: kex_server_update_ext_info: Sending SSH2_MSG_EXT_INFO [preauth]
Jun 27 07:44:48 xxxxxxxxxxxxx sshd[12947]: debug1: userauth-request for user eric service ssh-connection method gssapi-with-mic [preauth]
Jun 27 07:44:48 xxxxxxxxxxxxx sshd[12947]: debug1: attempt 1 failures 0 [preauth]
Jun 27 07:44:48 xxxxxxxxxxxxx sshd[12947]: Postponed gssapi-with-mic for eric from 192.168.8.233 port 57460 ssh2 [preauth]
Jun 27 07:44:48 xxxxxxxxxxxxx sshd[12947]: debug1: Got no client credentials
Jun 27 07:44:48 xxxxxxxxxxxxx sshd[12947]: Failed gssapi-with-mic for eric from 192.168.8.233 port 57460 ssh2
Jun 27 07:44:48 xxxxxxxxxxxxx sshd[12947]: Connection reset by authenticating user eric 192.168.8.233 port 57460 [preauth]
Jun 27 07:44:48 xxxxxxxxxxxxx sshd[12947]: debug1: do_cleanup [preauth]
Jun 27 07:44:48 xxxxxxxxxxxxx sshd[12947]: debug1: monitor_read_log: child log fd closed
The thinink client fails to pick up or send the windows kerberos ticket
So i would say that funktion in the klient is broken?
Sorry, I misread your initial post. As far as I know Kerberos should work on Windows 11, but let me check with the devs to see if they know something I don’t.
@eric_sandgren apparently Kerberos has been tested with the ThinLinc client on Windows 11 successfully, so it should work. You could try starting the client from the commandline using the -d5 switch to enable verbose debugging, and check the resulting log file to see if there are any clues there as to what is going on. Let us know.
Hi back after a long vacation. Have now spent a few days on the problem with the thinlik kerberos issue. Tested, analyzed logs etc
Here is a summary of what we came up with:
Summary of ThinLinc Kerberos Troubleshooting
We are attempting to configure ThinLinc to use Kerberos authentication for a seamless sign-on experience. The environment consists of Windows clients, a ThinLinc master server (bvut01-tltst-01), and a ThinLinc agent (bvut01-tltst-05), all joined to an Active Directory domain ([AD.xxxx.SE](http://AD.xxxx.SE)). Kerberos constrained delegation is not enabled or desired.
Problem: Kerberos authentication fails when the ThinLinc client attempts to connect to the agent.
Did you manage to find any useful information in the client-side logs?
I’m guessing based on the .se domain that you’re based in Sweden? Our head office is in Linköping, so if you’d like to have a chat regarding your installation then we are happy to arrange this. Just flick us an email to support@cendio.com if so.