[28200] in Kerberos

home help back first fref pref prev next nref lref last post

Wrong ticket encryption for W2K clients only

daemon@ATHENA.MIT.EDU (Ron Perzul)
Sun Aug 5 16:27:50 2007

Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Sun, 5 Aug 2007 22:27:32 +0200
Message-ID: <D8517328071C7A48BAA4DE1799D0DE4322B849@exch-lv05.intl.businessobjects.com>
From: "Ron Perzul" <rperzul@businessobjects.com>
To: <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi, 

I am facing the following problem. 

The Windows service account used for Vintela SSO is set up using "Use DES encryption for this account". The keytab is created with ktpass ... -crypto DES-CBC-MD5 encryption. 

Everything is working when I login to the web application from a Windows 2003 server machine. On the Windows 2003 server machine part of the klist tickets command is as follows (Kerberos ticket encryption of type DES-CBC-MD5 as expected): 

   Server: HTTP/server.eu.xxx.com@EU.XXX.COM 
      KerbTicket Encryption Type: Kerberos DES-CBC-MD5  
      End Time: 8/3/2007 21:38:37 
      Renew Time: 8/10/2007 11:38:37 

But on the Windows 2000 clients the ticket is encrypted with RC4-HMAC-NT: 

   Server: HTTP/server@EU.XXX.COM 
      KerbTicket Encryption Type: Kerberos RSADSI RC4-HMAC(NT) 
      End Time: 8/3/2007 21:42:55 
      Renew Time: 8/10/2007 11:42:55 

The wrong obtained ticket causes SSO to fail. 

Tomcat output is: 

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Successfully matched service principal " HTTP/SERVER.EU.XXX.COM@EU.XXX.COM but not key type (23) + KVNO (2) in this entry: Principal: HTTP/SERVER.EU.XXX.COM@EU.XXX.COM Type: 1 TimeStamp: Wed Dec 31 19:00:00 EST 1969 KVNO: -1 Key: [3, 67 ec a8 a8 75 e0 ab 3e ] ) 

So the encryption type of the client ticket (which is of type 23=RC4-HMAC-NT) does not match the entry in the keytab (type 3=DES-CBC-MD5). 

Why does the Windows 2000 machine get a different encrypted ticket? Also, there is a difference in the SPN returned in the output of the klist tickets above. 

Any help would be greatly appreciated. 

Thanks, 

Ron 

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post