[30485] in Kerberos


Re: KVNO/Keytab Question

daemon@ATHENA.MIT.EDU (Richard E. Silverman)
Mon Dec 1 14:20:13 2008

From: "Richard E. Silverman" <res@qoxp.net>
Date: Sun, 30 Nov 2008 12:30:57 -0500
Message-ID: <m2vdu5qfxq.fsf@darwin.oankali.net>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

>>>>> "KD" == kevin doran <kevin.doran@accenture.com> writes:
    KD> On 29 Nov, 03:21, "Richard E. Silverman" <r...@qoxp.net> wrote:
    >> >>>>> "KD" == kevin doran <kevin.do...@accenture.com> writes:
    >>
    >>     KD> Hi, I'm hoping someone can help.  We are having issues using
    >>     KD> SPNEGO. Our problem seems to be the one defined on:
    >>
    >>     KD> http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=s...
    >>
    >>     KD> When we try to login, our browsers pass the following ticket
    >>     KD> information:
    >>
    >>     KD> Ticket
    >>     KD>   Tkt-vno: 5
    >>     KD>   Realm: DWPPTP.LONDONDC.COM
    >>     KD>   Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
    >>     KD>     Name-type: Service and Instance (2)
    >>     KD>     Name: HTTP
    >>     KD>     Name: ettloadbalancer.dwpptp.londondc.com
    >>     KD>   enc-part des-cbc-md5
    >>     KD>     Encryption type: des-cbc-md5 (3)
    >>     KD>     Kvno: 4
    >>     KD>     enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
    >>
    >>     KD> The Kvno is 4, yet when performing a klist on the keytab file:
    >>
    >>     KD> ivmgr@dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
    >>     KD> Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
    >>     KD> KVNO Principal
    >>     KD> ---- --------------------------------------------------------------------------
    >>     KD>    3 HTTP/ettloadbalancer.dwpptp.londondc....@DWPPTP.LONDONDC.COM
    >>
    >>     KD> We have followed the recommendation of recreating the keytab
    >>     KD> file and this has changed the KVNO number in the keytab file.
    >>     KD> However the KVNO passed by the browser does not match - how
    >>     KD> does this value get set?
    >>
    >> You need to purge the ccache on the client machine so that it
    >> obtains a new, matching ticket from the KDC.
    >>
    >>     KD> Any help is appreciated
    >>
    >>     KD> Regards
    >>
    >>     KD> Kev
    >>
    >> --
    >>   Richard Silverman
    >>   r...@qoxp.net

    KD> Thanks Richard, is that done using the "C:\Program Files\Resource
    KD> Kit \KLIST.EXE" purge" command? If so, I have tried this but it
    KD> still isn't working

Do all of the following match?

* kvno reported by "getprinc" in kadmin
* kvno in the keytab file
* kvno in the ticket supplied by the browser

What are you using on the server side, Apache + mod_auth_kerb?  If so,
what are the log messages emitted by mod_auth_kerb?

-- 
  Richard Silverman
  res@qoxp.net
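
The three-way kvno comparison suggested in the reply above, as an added example (not part of the original post and not MIT Kerberos code): it reads kvno values directly from keytab bytes in the MIT 0x0502 file format and compares them with the kvno from "getprinc" and from the ticket, which are passed in as plain numbers. The function names, the principal, the realm and the all-zero key in `sample_keytab` are constructed for illustration.

```python
import struct

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from MIT keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    def counted(p):                      # uint16 length followed by that many bytes
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n].decode(), p + 2 + n
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size == 0:                    # zero length marks the end of the entries
            break
        if size < 0:                     # negative length: deleted entry, skip the hole
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = counted(p)
            comps.append(comp)
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + klen                   # skip the fixed fields and the key bytes
        if end - p >= 4:                 # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm, kvno, etype))
        pos = end
    return entries

def check_kvno(keytab, principal, kdc_kvno, ticket_kvno):
    """Compare the three kvno sources listed in the reply; return a list of findings."""
    in_keytab = {k for name, k, _ in parse_keytab(keytab) if name == principal}
    findings = []
    if ticket_kvno != kdc_kvno:
        findings.append("ticket kvno %d != KDC kvno %d (stale cached ticket)" % (ticket_kvno, kdc_kvno))
    if ticket_kvno not in in_keytab:
        findings.append("keytab has kvno %s, ticket needs %d" % (sorted(in_keytab), ticket_kvno))
    return findings

def sample_keytab(kvno):
    """Constructed sample: one des-cbc-md5 (enctype 3) entry with a dummy all-zero key."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = (struct.pack(">H", 2) + s(b"EXAMPLE.TEST") + s(b"HTTP") + s(b"www.example.test")
            + struct.pack(">IIBH", 1, 0, kvno & 0xFF, 3) + s(b"\0" * 8) + struct.pack(">I", kvno))
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

print(check_kvno(sample_keytab(3), "HTTP/www.example.test@EXAMPLE.TEST", 4, 4))
```

The final line mirrors the situation in the thread (keytab at kvno 3, ticket at kvno 4) with constructed names and reports the keytab mismatch.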
