You can look at the client <> kdc traffic (port 88) and you should see which kvno you get for the HTTP service from the kdc. If you have several kdcs it might be a sync problem between the kdcs.
Markus

"Timo Fuchs" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi,
>
> I am using Apache1/mod_auth_kerb (using MIT Kerberos under Linux) to
> authenticate via single-sign-on through a Windows 2003 Active Directory
> Server. When authenticating, Kerberos refuses the key in the keytab:
>
> --- Apache error_log ---
> gss_accept_sec_context() failed: Miscellaneous failure
> (Key version number for principal in key table is incorrect)
> --- END Apache error_log ---
>
> Actually, the service principal's kvno in the keytab and on the ADS
> server are the same (#7). I have checked that using "klist -ke" on Linux
> and verifying the attribute msDS-KeyVersionNumber using ADSI on Windows.
> In a different thread
> (http://groups.google.de/group/comp.protocols.kerberos/browse_thread/thread/7caa06f56f48fc12/4cb4b0e1458f9238)
> someone was having the same problem, but they could determine the kvno
> in fact being different.
>
> I tried to update the keytab using
> kinit -k -t <keytab> <service principle>
> but this didn't help either.
>
> What I found out using ethereal:
> - Internet Explorer opens URL on the apache server
> - Apache server sends back 401 with "WWW-Authenticate: Negotiate"
> - IE sends a correct authentication Kerberos string in the HTTP header
> - Apache throws error as above
> - Apache sends back "WWW-Authenticate: Basic" as a fallback (as far as I
> assume)
> - IE shows login request, I can now log in with my Windows login data and
> the login was accepted (which is quite strange from my point of view)
>
> My questions:
> - Can I find out which version gss_accept_sec_context() expects and
> which it finds?
> - Maybe I am thinking wrong and not the service principal's key is the
> issue but my Windows Login key?
> - Has anyone any more ideas?
>
> Cheers,
> Timo
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
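The comparison discussed in this thread, as an added example that is not part of the original messages: it reads an MIT keytab (file format 0x0502 assumed) and checks its entries against the kvno and enctype that a packet capture shows for the service ticket. The principal name, the ticket values passed to `compare` and the sample keytab bytes are constructed for illustration.

```python
import struct

def _parse_entry(buf):
    off = 2                             # the component count occupies bytes 0-1
    def counted():                      # uint16 length, then that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", buf, off)
        text = buf[off + 2:off + 2 + n].decode()
        off += 2 + n
        return text
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm = counted()
    name = "/".join(counted() for _ in range(ncomp))
    off += 8                            # skip name_type (4) and timestamp (4)
    kvno = buf[off]                     # 8-bit kvno
    enctype, keylen = struct.unpack_from(">HH", buf, off + 1)
    off += 5 + keylen                   # kvno8 + enctype + key length + key bytes
    if len(buf) - off >= 4:             # optional 32-bit kvno; non-zero overrides
        kvno = struct.unpack_from(">I", buf, off)[0] or kvno
    return f"{name}@{realm}", kvno, enctype

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)                # negative size marks a deleted entry (hole)
    return entries

def compare(entries, principal, ticket_kvno, ticket_etype):
    """Compare keytab keys with the kvno/etype seen in the ticket on the wire."""
    keys = [(k, e) for p, k, e in entries if p == principal]
    if (ticket_kvno, ticket_etype) in keys:
        return "match"
    if any(k == ticket_kvno for k, _ in keys):
        return "kvno present, enctype missing"
    return "kvno mismatch" if keys else "principal not in keytab"

# Constructed sample: hypothetical principal, kvno 7, enctype 23 (rc4-hmac), zero key
SPN = "HTTP/web.example.com@EXAMPLE.COM"
_BODY = (b"\x00\x02" b"\x00\x0bEXAMPLE.COM" b"\x00\x04HTTP" b"\x00\x0fweb.example.com"
         b"\x00\x00\x00\x01" b"\x00\x00\x00\x00" b"\x07" b"\x00\x17" b"\x00\x10"
         + bytes(16) + b"\x00\x00\x00\x07")
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_BODY)) + _BODY
```

For a real check, pass the bytes of the keytab file to `parse_keytab` and give `compare` the kvno and etype shown in the ticket's encrypted part in the capture.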
