Every time you call ktpass.exe to generate a keytab, the key version number increments by one, both inside Active Directory and the keytab file generated. Therefore, always use the latest keytab file.
Max

On 03/30/2011 04:39 PM, Sarris Overbosch | Everett wrote:
> Hi All,
>
> I'm trying to get single sign on working using kerberos, on my local
> test environment it works like a charm but in the real environment I
> cannot get it to work. The only difference I see so far is this:
> (Environment: Windows 2008 Server as DC, JBoss AS with Negotiation, IE 8)
>
> Local:
> Client Addresses Null
> Private Credential: Kerberos Principal
> host/[email protected] Version 3key EncryptionKey: keyType=23
> keyBytes (hex dump)=
> 0000: 9C 2E 64 A4 22 2E 9C 6A 40 D8 89 FA 21 30 F5 9C ..d."..j@...!0..
>
> Real:
> Client Addresses Null
> Private Credential: Kerberos Principal
> host/[email protected] Version 4key EncryptionKey:
> keyType=23 keyBytes (hex dump)=
> 0000: 4F C6 44 97 D0 B8 9C 96 A9 79 5B 87 EB 44 71 33 O.D......y[..Dq3
>
> As you can see the Key Version is different, does anybody know what this
> means and if, why this causes the problem:
>
> 2011-03-30 10:22:13,171 INFO [STDOUT] (http-0.0.0.0-8888-1) Found key
> for host/[email protected](23)
> 2011-03-30 10:22:13,172 INFO [STDOUT] (http-0.0.0.0-8888-1) Entered
> Krb5Context.acceptSecContext with state=STATE_NEW
> 2011-03-30 10:22:13,174 INFO [STDOUT] (http-0.0.0.0-8888-1)>>> EType:
> sun.security.krb5.internal.crypto.ArcFourHmacEType
> 2011-03-30 10:22:13,175 ERROR [STDERR] (http-0.0.0.0-8888-1) Checksum
> failed !
> 2011-03-30 10:22:13,175 TRACE
> [org.jboss.security.negotiation.spnego.SPNEGOLoginModule]
> (http-0.0.0.0-8888-1) Result - GSSException: Failure unspecified at
> GSS-API level (Mechanism level: Checksum failed)
> 2011-03-30 10:22:13,175 ERROR
> [org.jboss.security.negotiation.spnego.SPNEGOLoginModule]
> (http-0.0.0.0-8888-1) Unable to authenticate
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Checksum failed)
> at
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
> at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
> at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
> at
> org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:337)
>
> Best regard,
>
> Sarris Overbosch
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
