Iowa State University IT

FAQ: How do I fix "Unknown Kerberos protocol version" errors in OS X?

Keywords: osx | macintosh | kerberos | protocol | version | error
 
If you try to log into Kerberos on an OS X machine and the login window says "Kerberos Login Failed: Unknown Kerberos protocol version", try the following:

-- Check your time and your time zone, and make sure they are set correctly. To do this, go to Apple Menu -> System Preferences and open "Date & Time". Click on the "Time Zone" tab and set the time zone to your current time zone. Click on the "Date & Time" tab and make sure the date and the time are set correctly.

To see the current time on the ISU servers, go to http://www.iastate.edu/cgi-bin/tod/. If you are in the central time zone, make the time on that page match the time in your Date & Time control panel. If you are in another time zone, adjust the hours accordingly.

-- See if your Internet Service Provider is blocking port 4444 traffic. Port 4444/udp is necessary for Kerberos to work, but port 4444/tcp is used by the Blaster worm. Many ISPs blocked all port 4444 traffic to help stop the spread of Blaster, and blocking 4444/udp along with it breaks Kerberos. If your ISP can block only 4444/tcp traffic, it will still block Blaster traffic, but will allow Kerberos to go through.

If your ISP is unable or unwilling to unblock port 4444/udp traffic, you can use the Iowa State Virtual Private Network (VPN) service, which will create an encrypted tunnel for all traffic between your machine and the Iowa State network. Information on installing the VPN client is online at http://www.it.iastate.edu/vpn.

-- If you are running OS X 10.2 and are using a router, connection sharing device, Airport Base Station, or the VPN client, you must do the following:

1. Open Hard Drive -> Applications -> TextEdit.

2. Go to File -> Open and open your Hard Drive -> Library -> Preferences -> edu.mit.Kerberos.

3. Add the following to the [libdefaults] section:
    noaddresses = true

4. The top of the file should now look like this:

[libdefaults]
    default_realm = IASTATE.EDU
    ticket_lifetime = 600
    default_tkt_enctypes = des-cbc-crc
    default_tgs_enctypes = des-cbc-crc
    noaddresses = true

(The last five lines should be indented.)
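
The edit in steps 1-4 can also be checked and made from Terminal. The script below is an added example, not part of the original FAQ; the function names are made up for illustration, the sample file is constructed, and the path in the usage comment is the one from step 2.

```shell
#!/bin/sh
# Added example: make sure [libdefaults] contains "noaddresses = true".
# Usage (path from step 2): ensure_noaddresses /Library/Preferences/edu.mit.Kerberos

# Exit 0 only if the setting is present inside the [libdefaults] section.
has_noaddresses() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        in_sec && /^[ \t]*noaddresses[ \t]*=[ \t]*true[ \t]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print the file with the setting added at the end of [libdefaults],
# or corrected in place if it is there with another value.
with_noaddresses() {
    awk '
        function close_section() {
            if (in_sec && !found) print "    noaddresses = true"
            printf "%s", blanks; blanks = ""
        }
        /^[ \t]*\[/ {
            close_section()
            in_sec = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); found = 0
            print; next
        }
        /^[ \t]*$/ { blanks = blanks $0 "\n"; next }  # hold blank lines back
        {
            printf "%s", blanks; blanks = ""
            if (in_sec && $0 ~ /^[ \t]*noaddresses[ \t]*=/) {
                found = 1; $0 = "    noaddresses = true"
            }
            print
        }
        END { close_section() }
    ' "$1"
}

# Change FILE only when needed, keeping the original as FILE.bak.
# Fails (non-zero) if the file has no [libdefaults] section.
ensure_noaddresses() {
    has_noaddresses "$1" && return 0
    cp -p "$1" "$1.bak" || return 1
    with_noaddresses "$1.bak" > "$1" || return 1
    has_noaddresses "$1"
}

# Constructed sample (not a real configuration): fix a temporary copy.
demo=$(mktemp) && printf '[libdefaults]\n    default_realm = IASTATE.EDU\n\n[realms]\n' > "$demo"
ensure_noaddresses "$demo" && cat "$demo"; rm -f "$demo" "$demo.bak"
```

A `noaddresses` line that sits under another section such as `[realms]` is not counted, because the setting only takes effect from `[libdefaults]`.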

