Looks like two different principals, and accounts in AD. Can you search AD
for the servicePrincipalNames of HTTP/server.eu.xxx.com and HTTP/server
and then look at the accounts?

Ron Perzul wrote:
> Hi, 
> 
> I am facing the following problem. 
> 
> The Windows service account used for Vintela SSO is set up using "Use DES 
> encryption for this account". The keytab is created with ktpass ... -crypto 
> DES-CBC-MD5 encryption. 
> 
> Everything is working when I log in to the web application from a Windows 2003 
> server machine. On the Windows 2003 server machine part of the klist tickets 
> command is as follows (Kerberos ticket encryption of type DES-CBC-MD5 as 
> expected): 
> 
>    Server: HTTP/[EMAIL PROTECTED] 
>       KerbTicket Encryption Type: Kerberos DES-CBC-MD5  
>       End Time: 8/3/2007 21:38:37 
>       Renew Time: 8/10/2007 11:38:37 
> 
> But on the Windows 2000 clients the ticket is encrypted with RC4-HMAC-NT: 
> 
>    Server: HTTP/[EMAIL PROTECTED] 
>       KerbTicket Encryption Type: Kerberos RSADSI RC4-HMAC(NT) 
>       End Time: 8/3/2007 21:42:55 
>       Renew Time: 8/10/2007 11:42:55 
> 
> The wrong obtained ticket causes SSO to fail. 
> 
> Tomcat output is: 
> 
> HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: 
> com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure 
> unspecified at GSS-API level (Mechanism level: 
> com.dstc.security.kerberos.KerberosException: Successfully matched service 
> principal " HTTP/[EMAIL PROTECTED] but not key type (23) + KVNO (2) in this 
> entry: Principal: HTTP/[EMAIL PROTECTED] Type: 1 TimeStamp: Wed Dec 31 
> 19:00:00 EST 1969 KVNO: -1 Key: [3, 67 ec a8 a8 75 e0 ab 3e ] ) 
> 
> So the encryption type of the client ticket (which is of type 23=RC4-HMAC-NT) 
> does not match the entry in the keytab (type 3=DES-CBC-MD5). 
> 
> Why does the Windows 2000 machine get a different encrypted ticket? Also, 
> there is a difference in the SPN returned in the output of the klist tickets 
> above. 
> 
> Any help would be greatly appreciated. 
> 
> Thanks, 
> 
> Ron 
> 
> ________________________________________________
> Kerberos mailing list           [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <[EMAIL PROTECTED]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
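
The mismatch reported in the quoted Tomcat error (principal found, but no key for enctype 23 and that KVNO) can be checked offline by listing what a keytab actually contains. The following is an added example, not part of either message or of the Vintela code; it assumes the file uses the MIT keytab version 0x0502 layout, and the SPN, KVNO and all-zero key in the sample are constructed placeholders.

```python
import struct

_cstr = lambda b: struct.pack(">H", len(b)) + b   # 16-bit length + bytes

def build_entry(realm, comps, kvno, etype, key):  # only builds the sample input
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", etype) + _cstr(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        def counted():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2 + n
            return data[pos - n:pos]
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        name = "/".join(counted().decode() for _ in range(ncomp))
        kvno = data[pos + 8]          # after name type (4) and timestamp (4)
        (etype,) = struct.unpack_from(">H", data, pos + 9)
        pos += 11
        counted()                     # key bytes: skipped, never displayed
        if end - pos >= 4:            # optional 32-bit kvno overrides if nonzero
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, etype))
        pos = end
    return entries

def check_ticket(entries, principal, etype, kvno):
    keys = [(k, e) for p, k, e in entries if p == principal]
    if not keys:
        return "no entry for principal"
    return "ok" if (kvno, etype) in keys else f"principal matched, no key for enctype {etype} kvno {kvno}"

SPN = "HTTP/server.example.com@EXAMPLE.COM"  # constructed placeholder SPN
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.COM", ["HTTP", "server.example.com"], 2, 3, bytes(8))
```

Calling `check_ticket(parse_keytab(SAMPLE), SPN, 23, 2)` reports the same condition as the quoted error: the DES-CBC-MD5 (3) entry matches the principal but cannot decrypt an RC4-HMAC (23) ticket.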