"Key version number for principal in key table is incorrect" - but kvno is in fact identical - Kerberos



  1. "Key version number for principal in key table is incorrect" - but kvno is in fact identical

    Hi,

    I am using Apache1/mod_auth_kerb (using MIT Kerberos under Linux) to
    authenticate via single-sign-on through a Windows 2003 Active Directory
    Server. When authenticating, Kerberos refuses the key in the keytab:

    --- Apache error_log ---
    gss_accept_sec_context() failed: Miscellaneous failure
    (Key version number for principal in key table is incorrect)
    --- END Apache error_log ---



    Actually, the service principal's kvno in the keytab and on the ADS
    server are the same (#7). I have checked that using "klist -ke" on Linux
    and verifying the attribute msDS-KeyVersionNumber using ADSI on Windows.
    In a different thread
    (http://groups.google.de/group/comp.p...b4b0e1458f9238)
    someone was having the same problem, but they could determine that the
    kvno was in fact different.

    I tried to update the keytab using
    kinit -k -t
    but this didn't help either.

    What I found out using Ethereal:
    - Internet Explorer opens URL on the Apache server
    - Apache server sends back 401 with "WWW-Authenticate: Negotiate"
    - IE sends a correct authentication Kerberos string in the HTTP header
    - Apache throws error as above
    - Apache sends back "WWW-Authenticate: Basic" as a fallback (as far as I
    assume)
    - IE shows login request, I can now login with my Windows login data and
    the login was accepted (which is quite strange from my point of view)

    My questions:
    - Can I find out which version gss_accept_sec_context() expects and
    which it finds?
    - Maybe I am thinking wrong and not the service principal's key is the
    issue but my Windows Login key?
    - Has anyone any more ideas?

    Cheers,
    Timo


  2. Re: "Key version number for principal in key table is incorrect" -but

    You can look at the client <> kdc traffic (port 88) and you should see which
    kvno you get for the HTTP service from the kdc. If you have several kdcs it
    might be a sync problem between the kdcs.

    Markus


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
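
Added example, not part of the thread and not code from MIT Kerberos or mod_auth_kerb: a parser for the MIT keytab file format (0x0502) that lists principal, kvno and enctype per entry, and compares them with the kvno and enctype read off the service ticket in the port 88 capture suggested in the reply. The sample keytab, the principal `HTTP/www.example.test@EXAMPLE.TEST` and the function names are constructed for illustration.

```python
import io
import struct

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    f, out = io.BytesIO(data[2:]), []
    def rd(fmt):                           # read big-endian fields
        return struct.unpack(">" + fmt, f.read(struct.calcsize(">" + fmt)))
    def cstr():                            # counted string: uint16 length + bytes
        return f.read(rd("H")[0])
    while len(hdr := f.read(4)) == 4:
        (size,) = struct.unpack(">i", hdr)
        if size <= 0:                      # negative size marks a deleted slot
            f.seek(-size, 1)
            continue
        end = f.tell() + size
        (ncomp,) = rd("H")
        realm = cstr().decode()
        name = "/".join(cstr().decode() for _ in range(ncomp))
        _ntype, _ts, kvno, etype = rd("IIBH")   # name type, timestamp, 8-bit kvno, enctype
        cstr()                             # skip the key bytes
        if end - f.tell() >= 4:            # optional 32-bit kvno overrides the 8-bit one
            kvno = rd("I")[0] or kvno
        out.append((f"{name}@{realm}", kvno, etype))
        f.seek(end)
    return out

def diagnose(entries, principal, ticket_kvno, ticket_etype):
    """Compare the (kvno, enctype) seen in the service ticket with the keytab."""
    mine = {(k, e) for p, k, e in entries if p == principal}
    if (ticket_kvno, ticket_etype) in mine:
        return "match"
    if any(k == ticket_kvno for k, _ in mine):
        return "kvno present, enctype missing"
    return "kvno mismatch" if mine else "principal not in keytab"

def build_entry(realm, comps, kvno, etype, key):
    """Constructed-sample helper: serialise one keytab entry."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(map(cs, comps))
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF) + struct.pack(">H", etype) + cs(key)
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample: one service principal, kvno 7, rc4-hmac (23) and des-cbc-md5 (3).
SAMPLE = b"\x05\x02" + b"".join(
    build_entry(b"EXAMPLE.TEST", [b"HTTP", b"www.example.test"], 7, e, bytes(n))
    for e, n in ((23, 16), (3, 8)))
```

Running `diagnose(parse_keytab(open(path, "rb").read()), principal, kvno, etype)` with the values taken from the ticket's encrypted part in the TGS-REP separates a real kvno difference from a keytab that has the right kvno but lacks the enctype the KDC used.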

