"Key version number for principal in key table is incorrect" - but

Timo Fuchs
Hi,

I am using Apache1/mod_auth_kerb (using MIT Kerberos under Linux) to
authenticate via single-sign-on through a Windows 2003 Active Directory
Server. When authenticating, Kerberos refuses the key in the keytab:

--- Apache error_log ---
gss_accept_sec_context() failed: Miscellaneous failure
 (Key version number for principal in key table is incorrect)
--- END Apache error_log ---



Actually, the service principal's kvno in the keytab and on the ADS
server are the same (#7). I have checked that using "klist -ke" on Linux
and verifying the attribute msDS-KeyVersionNumber using ADSI on Windows.
In a different thread
(http://groups.google.de/group/comp.protocols.kerberos/browse_thread/thread/7caa06f56f48fc12/4cb4b0e1458f9238)
someone was having the same problem, but they could determine the kvno
in fact being different.

I tried to update the keytab using
kinit -k -t <keytab> <service principal>
but this didn't help either.

What I found out using Ethereal:
- Internet Explorer opens URL on the apache server
- Apache server sends back 401 with "WWW-Authenticate: Negotiate"
- IE sends a correct authentication Kerberos string in the HTTP header
- Apache throws error as above
- Apache sends back "WWW-Authenticate: Basic" as a fallback (I assume)
- IE shows login request, I can now login with my Windows login data and
the login was accepted (which is quite strange from my point of view)

My questions:
- Can I find out which version gss_accept_sec_context() expects and
which it finds?
- Maybe I am thinking wrong and it is not the service principal's key that
is the issue but my Windows login key?
- Has anyone any more ideas?

Cheers,
Timo

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: "Key version number for principal in key table is incorrect" - but

Markus Moeller
You can look at the client <-> KDC traffic (port 88) and you should see which
kvno you get for the HTTP service from the KDC. If you have several KDCs it
might be a sync problem between the KDCs.

Markus


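On the question of which kvno gss_accept_sec_context() expects and which it finds: krb5_rd_req reads the kvno and enctype from the unencrypted enc-part header of the Ticket inside the client's AP-REQ and looks the service key up in the keytab by principal, kvno and enctype, so the two numbers to compare are the one in the ticket the browser actually sent and the one(s) klist -ke prints. The script below is an added example for this thread; it is not code from mod_auth_kerb or MIT Kerberos. It decodes the base64 value of the Authorization: Negotiate header (as captured with Ethereal), walks the SPNEGO/GSS-API/AP-REQ DER by hand down to the Ticket, and compares its kvno and etype against klist -ke output. The SPNEGO token, the host name www.example.com, the realm EXAMPLE.COM and the klist text are constructed inline and are assumptions, not data from the thread.

```python
"""Compare the kvno/enctype in the service ticket a client presents with the
keys in the server keytab.  Added example, not from mod_auth_kerb or MIT krb5;
the Negotiate token and the "klist -ke" text are constructed below."""
import base64
import re

# Minimal DER helpers; single-byte tags are all Kerberos needs.
def der_encode(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(v):  # shortest encoding of a non-negative INTEGER
    return der_encode(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(content):  # the TLVs directly inside a constructed value
    pos = 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        yield tag, value

def parse_ticket(der):
    """Principal, etype, kvno from the plaintext part of a Ticket (RFC 4120 5.3):
    [APPLICATION 1] SEQUENCE { tkt-vno[0], realm[1], sname[2], enc-part[3] }."""
    tag, body, _ = der_read(der)
    if tag != 0x61:
        raise ValueError("not a Ticket")
    f = dict(der_children(der_read(body)[1]))
    realm = der_read(f[0xA1])[1].decode()
    sname = dict(der_children(der_read(f[0xA2])[1]))
    parts = [v.decode() for _, v in der_children(der_read(sname[0xA1])[1])]
    enc = dict(der_children(der_read(f[0xA3])[1]))  # EncryptedData {etype[0], kvno[1], cipher[2]}
    etype = int.from_bytes(der_read(enc[0xA0])[1], "big", signed=True)
    kvno = int.from_bytes(der_read(enc[0xA1])[1], "big") if 0xA1 in enc else None
    return {"principal": "/".join(parts) + "@" + realm, "etype": etype, "kvno": kvno}

def ticket_from_token(token):
    """Depth-first search for the first parseable Ticket in a GSS-API/SPNEGO token.
    Descends into constructed values and OCTET STRINGs (SPNEGO wraps the krb5
    mech token, and so the AP-REQ, in an OCTET STRING)."""
    pos = 0
    while pos < len(token):
        try:
            tag, content, nxt = der_read(token, pos)
        except IndexError:
            return None
        if tag == 0x61:
            try:
                return parse_ticket(token[pos:nxt])
            except (KeyError, ValueError, IndexError, UnicodeDecodeError):
                pass
        if tag & 0x20 or tag == 0x04:
            found = ticket_from_token(content)
            if found:
                return found
        pos = nxt
    return None

KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2

def build_sample_token(kvno, etype=23):
    """Constructed SPNEGO NegTokenInit -> krb5 AP-REQ -> Ticket with the given
    kvno/etype (23 = arcfour-hmac).  Cipher text and authenticator are zero
    dummies; only the plaintext ticket header matters for this check."""
    names = der_encode(0x30, der_encode(0x1B, b"HTTP") + der_encode(0x1B, b"www.example.com"))
    sname = der_encode(0x30, der_encode(0xA0, der_int(2)) + der_encode(0xA1, names))
    enc = der_encode(0x30, der_encode(0xA0, der_int(etype)) + der_encode(0xA1, der_int(kvno))
                     + der_encode(0xA2, der_encode(0x04, bytes(32))))
    ticket = der_encode(0x61, der_encode(0x30, der_encode(0xA0, der_int(5))
                        + der_encode(0xA1, der_encode(0x1B, b"EXAMPLE.COM"))
                        + der_encode(0xA2, sname) + der_encode(0xA3, enc)))
    authenticator = der_encode(0x30, der_encode(0xA0, der_int(etype))
                               + der_encode(0xA2, der_encode(0x04, bytes(32))))
    ap_req = der_encode(0x6E, der_encode(0x30, der_encode(0xA0, der_int(5)) + der_encode(0xA1, der_int(14))
                        + der_encode(0xA2, der_encode(0x03, b"\x00\x20\x00\x00\x00"))
                        + der_encode(0xA3, ticket) + der_encode(0xA4, authenticator)))
    gss = der_encode(0x60, KRB5_OID + b"\x01\x00" + ap_req)  # InitialContextToken, TOK_ID 01 00
    neg = der_encode(0x30, der_encode(0xA0, der_encode(0x30, KRB5_OID))  # mechTypes
                     + der_encode(0xA2, der_encode(0x04, gss)))           # mechToken
    return der_encode(0x60, SPNEGO_OID + der_encode(0xA0, neg))

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

def parse_klist_ke(text):
    """'klist -ke' output -> list of (kvno, principal, enctype label)."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(KLIST_LINE.match, text.splitlines()) if m]

def check_negotiate_header(header_value, klist_text):
    """Decode 'Negotiate <base64>', pull the ticket's kvno/etype and report whether
    the keytab holds that kvno for the service principal (a miss is the condition
    behind the "Key version number ... is incorrect" error)."""
    t = ticket_from_token(base64.b64decode(header_value.split(None, 1)[1]))
    if t is None:
        return {"error": "no Kerberos ticket found in token"}
    entries = [(k, e) for k, p, e in parse_klist_ke(klist_text) if p == t["principal"]]
    kvnos = sorted({k for k, _ in entries})
    return {"principal": t["principal"], "ticket_kvno": t["kvno"], "ticket_etype": t["etype"],
            "keytab_kvnos": kvnos, "keytab_entries": entries, "kvno_match": t["kvno"] in kvnos}

SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   7 HTTP/www.example.com@EXAMPLE.COM (arcfour-hmac)
   7 HTTP/www.example.com@EXAMPLE.COM (des-cbc-md5)
   3 host/www.example.com@EXAMPLE.COM (arcfour-hmac)
"""

def make_header(kvno, etype=23):  # the header IE would send, for the constructed token
    return "Negotiate " + base64.b64encode(build_sample_token(kvno, etype)).decode()

if __name__ == "__main__":
    for kvno in (7, 8):  # kvno 8 reproduces the mismatch the thread is about
        print(check_negotiate_header(make_header(kvno), SAMPLE_KLIST))
```

To use it on a real capture, paste the Authorization header from the 401 retry and the output of klist -ke into check_negotiate_header. A ticket kvno higher than the keytab's means the account's key changed after the keytab was generated and the keytab has to be regenerated; a ticket kvno lower than the keytab's usually means the client is still presenting a service ticket cached from before the keytab was regenerated, or, as suggested above, that one KDC is handing out tickets under a key the others have already replaced. Since the lookup also includes the enctype, an etype in the ticket that has no entry for that kvno is worth checking in the same output.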