Hi,
I am facing the following problem.
The Windows service account used for Vintela SSO is set up using "Use DES
encryption for this account". The keytab is created with ktpass ... -crypto
DES-CBC-MD5 encryption.
Everything is working when I log in to the web application from a Windows 2003
server machine. On the Windows 2003 server machine, part of the output of the
klist tickets command is as follows (Kerberos ticket encryption of type
DES-CBC-MD5 as expected):

Server: HTTP/[EMAIL PROTECTED]
KerbTicket Encryption Type: Kerberos DES-CBC-MD5
End Time: 8/3/2007 21:38:37
Renew Time: 8/10/2007 11:38:37

But on the Windows 2000 clients the ticket is encrypted with RC4-HMAC-NT:

Server: HTTP/[EMAIL PROTECTED]
KerbTicket Encryption Type: Kerberos RSADSI RC4-HMAC(NT)
End Time: 8/3/2007 21:42:55
Renew Time: 8/10/2007 11:42:55
The wrong ticket obtained causes SSO to fail.
Tomcat output is:

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException:
com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure
unspecified at GSS-API level (Mechanism level:
com.dstc.security.kerberos.KerberosException: Successfully matched service
principal " HTTP/[EMAIL PROTECTED] but not key type (23) + KVNO (2) in this
entry: Principal: HTTP/[EMAIL PROTECTED] Type: 1 TimeStamp: Wed Dec 31 19:00:00
EST 1969 KVNO: -1 Key: [3, 67 ec a8 a8 75 e0 ab 3e ] )

So the encryption type of the client ticket (which is of type 23=RC4-HMAC-NT)
does not match the entry in the keytab (type 3=DES-CBC-MD5).
Why does the Windows 2000 machine get a different encrypted ticket? Also, there
is a difference in the SPN returned in the output of the klist tickets above.
Any help would be greatly appreciated.
Thanks,
Ron
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos