[24122] in Kerberos


Re: "Key version number for principal in key table is incorrect" -

daemon@ATHENA.MIT.EDU (Markus Moeller)
Tue Jun 21 14:50:02 2005

To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Tue, 21 Jun 2005 19:46:27 +0100
Message-ID: <d99mut$b47$1@sea.gmane.org>
X-Complaints-To: usenet@sea.gmane.org
Errors-To: kerberos-bounces@mit.edu

You can look at the client <> kdc traffic (port 88) and you should see which 
kvno you get for the HTTP service from the kdc. If you have several kdcs it 
might be a sync problem between the kdcs.

Markus


"Timo Fuchs" <timo@mxbf.de> wrote in message 
news:3hnrgpFhvctbU1@uni-berlin.de...
> Hi,
>
> I am using Apache1/mod_auth_kerb (using MIT Kerberos under Linux) to
> authenticate via single-sign-on through a Windows 2003 Active Directory
> Server. When authenticating, Kerberos refuses the key in the keytab:
>
> --- Apache error_log ---
> gss_accept_sec_context() failed: Miscellaneous failure
> (Key version number for principal in key table is incorrect)
> --- END Apache error_log ---
>
>
>
> Actually, the service principal's kvno in the keytab and on the ADS
> server are the same (#7). I have checked that using "klist -ke" on Linux
> and verifying the attribute msDS-KeyVersionNumber using ADSI on Windows.
> In a different thread
> (http://groups.google.de/group/comp.protocols.kerberos/browse_thread/thread/7caa06f56f48fc12/4cb4b0e1458f9238)
> someone was having the same problem, but they could determine the kvno
> in fact being different.
>
> I tried to update the keytab using
> kinit -k -t <keytab> <service principal>
> but this didn't help either.
>
> What I found out using ethereal:
> - Internet Explorer opens URL on the apache server
> - Apache server sends back 401 with "WWW-Authenticate: Negotiate"
> - IE sends a correct authentication Kerberos string in the HTTP header
> - Apache throws error as above
> - Apache sends back "WWW-Authenticate: Basic" as a fallback (as far as I
> assume)
> - IE shows login request, I can now login with my Windows login data and
> the login was accepted (which is quite strange from my point of view)
>
> My questions:
> - Can I find out which version gss_accept_sec_context() expects and
> which it finds?
> - Maybe I am thinking wrong and not the service principal's key is the
> issue but my Windows Login key?
> - Has anyone any more ideas?
>
> Cheers,
> Timo
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
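
Added example, not part of the original thread: besides reading the port 88 capture, the kvno the KDC issues can be printed with MIT's `kvno <service principal>` and compared with the `klist -ke` listing of the keytab. The script below does that comparison on saved output; the principal name, keytab path and sample text are constructed for illustration.

```python
import re

# Constructed sample of `klist -ke <keytab>` output (not from the original post).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/httpd/http.keytab
KVNO Principal
---- ----------------------------------------------------------------
   7 HTTP/www.example.com@EXAMPLE.COM (arcfour-hmac)
   7 HTTP/www.example.com@EXAMPLE.COM (des-cbc-md5)
"""
# Constructed sample of `kvno HTTP/www.example.com@EXAMPLE.COM` output.
KVNO_OUTPUT = "HTTP/www.example.com@EXAMPLE.COM: kvno = 8\n"

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)(?:\s+\([^)]*\))?\s*$")
KVNO_RE = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")

def parse_keytab_listing(text):
    """Return {principal: set of kvnos} from `klist -k` / `klist -ke` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and separator lines do not match
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries

def parse_kvno_output(text):
    """Return {principal: kvno issued by the KDC} from `kvno` output."""
    return {m.group(1): int(m.group(2))
            for m in map(KVNO_RE.match, text.splitlines()) if m}

def compare(klist_text, kvno_text):
    """List (principal, kdc_kvno, keytab_kvnos, status) for each ticket."""
    keytab = parse_keytab_listing(klist_text)
    results = []
    for principal, kdc_kvno in parse_kvno_output(kvno_text).items():
        have = sorted(keytab.get(principal, set()))
        if not have:
            status = "missing"      # principal not in the keytab at all
        elif kdc_kvno in have:
            status = "match"
        else:
            status = "mismatch"     # the case the Apache error reports
        results.append((principal, kdc_kvno, have, status))
    return results

if __name__ == "__main__":
    for principal, kdc, have, status in compare(KLIST_OUTPUT, KVNO_OUTPUT):
        print(f"{principal}: KDC issued kvno {kdc}, keytab has {have}: {status}")
```

With several KDCs, repeating the `kvno` request against each one shows whether they disagree, which is the sync problem mentioned in the reply.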



