On Wed, Jun 22, 2016 at 6:41 PM, JSoet <jordan.s...@ca.ibm.com> wrote:
> sure where to look next to solve it. When running the flask webserver I get
> this error when it tries to do the authGSSServerInit call:
> /GSSError: (('Unspecified GSS failure. Minor code may provide more
> information', 851968), ('', 100004))/
<snip>
> /[root@TestCentOSGui testFlask]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 HTTP/TestCentOSGui.Test.local@TEST.LOCAL/
Hi Jordan,

That's a pretty wild principal name. I don't think the caps should cause a problem but it is vitally important that you use the full principal name in the URL like:

http://TestCentOSGui.Test.local/whatever

or this *should* work equally well:

http://testcentosgui.test.local/whatever

But if you did just http://testcentosgui/whatever it would not work unless the client does the right canonicalization.

Also, when you're setting up a new account, it is not uncommon to have a stale ticket with the wrong kvno (principal version number). In this case, you'll want to purge tickets on the client and try again. I always liked kerbtray.exe for this but MS has been updating these utilities so it might be difficult to locate.

Kerberos is pretty sensitive so the list of things to check is:

1) clients must be joined to the domain
2) clients must have direct access to a suitable domain controller
3) time on all 3 hosts (client, server and DC) must be synchronized
4) the user has to be actually logged into their workstation as the domain user
5) the numerous DNS records have to be exactly correct
6) services have to have good keys with principal names that match said DNS records
7) Kerberos tickets cannot be "stale" (use kerbtray.exe to purge on clients)

But in your case it sounds like the client is initiating auth which means it's getting a ticket so it's more likely to be 3, 5, 6 or 7.

This all assumes that this "flask" thing knows about SPNEGO (would be useless without it).

Later,
Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
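The reply above boils the failure down to a handful of consistency checks: the URL host must be the fully qualified name, the `HTTP/` principal in the keytab must match that name, and the three clocks must agree. The following Python is an added example (not code from the thread, from Mike, or from any project) that turns those checks into a small pre-flight script. It parses the `klist -k` listing as shown in the thread, derives the `HTTP/host@REALM` principal a SPNEGO client would request for a given URL, and reports mismatches; the 300-second skew limit is MIT krb5's default `clockskew`. The sample keytab listing and the epoch timestamps are constructed for the example.

```python
"""Pre-flight checks for a SPNEGO/Kerberos HTTP service (added example)."""
import re
from urllib.parse import urlparse

# MIT krb5 tolerates this much clock difference by default (clockskew = 300s).
MAX_CLOCK_SKEW_SECONDS = 300

# Constructed `klist -k` output, modelled on the listing in the thread.
SAMPLE_KLIST_K = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/TestCentOSGui.Test.local@TEST.LOCAL
"""


def parse_klist_keytab(text):
    """Return [(kvno, principal), ...] parsed from `klist -k` output."""
    entries = []
    for line in text.splitlines():
        # Entry lines look like "   3 HTTP/host@REALM"; header lines do not match.
        m = re.match(r"^\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def url_host(url):
    """Host part of the URL with its original case (urlparse().hostname lowercases)."""
    netloc = urlparse(url).netloc
    if not netloc:
        raise ValueError("URL has no host: %r" % url)
    # Drop optional userinfo and port; IPv6 literals are out of scope here.
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def expected_http_spn(url, realm):
    """Service principal a SPNEGO client requests for this URL.
    The host is taken verbatim from the URL: no DNS canonicalisation is done,
    which is exactly the case where a short name fails."""
    return "HTTP/%s@%s" % (url_host(url), realm)


def check_spn_against_keytab(url, realm, klist_output):
    """Return a list of findings (strings); an empty list means nothing found."""
    findings = []
    host = url_host(url)
    if "." not in host:
        findings.append("URL host %r is not fully qualified; only a client that "
                        "canonicalises the name will find the service" % host)
    spn = expected_http_spn(url, realm)
    principals = [p for _, p in parse_klist_keytab(klist_output)]
    if spn in principals:
        return findings
    case_only = [p for p in principals if p.lower() == spn.lower()]
    if case_only:
        findings.append("keytab holds %s but the URL implies %s: they differ only "
                        "in case, so confirm the acceptor treats them as the same "
                        "principal" % (case_only[0], spn))
    else:
        findings.append("no keytab entry for %s; keytab holds: %s"
                        % (spn, ", ".join(principals) or "nothing"))
    return findings


def clock_skew_ok(client_epoch, server_epoch, dc_epoch,
                  max_skew=MAX_CLOCK_SKEW_SECONDS):
    """True when client, service host and DC are all within the permitted skew."""
    times = (client_epoch, server_epoch, dc_epoch)
    return max(times) - min(times) <= max_skew


if __name__ == "__main__":
    for url in ("http://TestCentOSGui.Test.local/whatever",
                "http://testcentosgui.test.local/whatever",
                "http://testcentosgui/whatever"):
        print(url, "->", check_spn_against_keytab(url, "TEST.LOCAL", SAMPLE_KLIST_K) or "ok")
    print("clock skew ok:", clock_skew_ok(1000, 1100, 1290))
```

In practice you would feed the script the real `klist -k` output and the exact URL the browser uses; the case-only finding is reported separately from a missing entry because, as the reply notes, the mixed-case name is not expected to be the problem, while a short hostname or a principal that is simply absent from the keytab is.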