[33289] in Kerberos

Re: Checksum failed problem

daemon@ATHENA.MIT.EDU (Weijun Wang)
Wed Mar 30 06:12:02 2011

Message-ID: <4D92F48C.3090702@oracle.com>
Date: Wed, 30 Mar 2011 17:14:52 +0800
From: Weijun Wang <weijun.wang@oracle.com>
To: sarris.overbosch@everett.nl
In-Reply-To: <4D92EC38.8040905@everett.nl>
Cc: kerberos@mit.edu

Every time you call ktpass.exe to generate a keytab, the key version 
number increments by one, both inside Active Directory and the keytab 
file generated. Therefore, always use the latest keytab file.

Max

On 03/30/2011 04:39 PM, Sarris Overbosch | Everett wrote:
> Hi All,
>
> I'm trying to get single sign-on working using Kerberos. On my local
> test environment it works like a charm, but in the real environment I
> cannot get it to work. The only difference I see so far is this:
> (Environment: Windows 2008 Server as DC, JBoss AS with Negotiation, IE 8)
>
> Local:
> Client Addresses  Null
>          Private Credential: Kerberos Principal
> host/jbossserver@DOMAIN.LOCALKey Version 3key EncryptionKey: keyType=23
> keyBytes (hex dump)=
> 0000: 9C 2E 64 A4 22 2E 9C 6A   40 D8 89 FA 21 30 F5 9C  ..d."..j@...!0..
>
> Real:
> Client Addresses  Null
>      Private Credential: Kerberos Principal
> host/jbossserver@SHIPYARD.LOCALKey Version 4key EncryptionKey:
> keyType=23 keyBytes (hex dump)=
> 0000: 4F C6 44 97 D0 B8 9C 96   A9 79 5B 87 EB 44 71 33  O.D......y[..Dq3
>
> As you can see, the Key Version is different. Does anybody know what this
> means and, if so, why this causes the problem:
>
> 2011-03-30 10:22:13,171 INFO  [STDOUT] (http-0.0.0.0-8888-1) Found key
> for host/jbossserver@SHIPYARD.LOCAL(23)
> 2011-03-30 10:22:13,172 INFO  [STDOUT] (http-0.0.0.0-8888-1) Entered
> Krb5Context.acceptSecContext with state=STATE_NEW
> 2011-03-30 10:22:13,174 INFO  [STDOUT] (http-0.0.0.0-8888-1)>>>  EType:
> sun.security.krb5.internal.crypto.ArcFourHmacEType
> 2011-03-30 10:22:13,175 ERROR [STDERR] (http-0.0.0.0-8888-1) Checksum
> failed !
> 2011-03-30 10:22:13,175 TRACE
> [org.jboss.security.negotiation.spnego.SPNEGOLoginModule]
> (http-0.0.0.0-8888-1) Result - GSSException: Failure unspecified at
> GSS-API level (Mechanism level: Checksum failed)
> 2011-03-30 10:22:13,175 ERROR
> [org.jboss.security.negotiation.spnego.SPNEGOLoginModule]
> (http-0.0.0.0-8888-1) Unable to authenticate
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Checksum failed)
>      at
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>      at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>      at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>      at
> org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
>      at java.security.AccessController.doPrivileged(Native Method)
>      at javax.security.auth.Subject.doAs(Subject.java:337)
>
> Best regards,
>
> Sarris Overbosch
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos