[28209] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Wrong ticket encryption for W2K clients only

daemon@ATHENA.MIT.EDU (Markus Moeller)
Mon Aug 6 14:52:17 2007

To: kerberos@mit.edu
From: "Markus Moeller" <huaraz@moeller.plus.com>
Date: Mon, 6 Aug 2007 19:51:40 +0100
Message-ID: <f97qk6$27s$1@sea.gmane.org>
X-Complaints-To: usenet@sea.gmane.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Is there a reason that you still use DES ?  As far as I know 
Vintella/Wedgetail supports RC4.

Markus

"Ron Perzul" <rperzul@businessobjects.com> wrote in message 
news:D8517328071C7A48BAA4DE1799D0DE4322B849@exch-lv05.intl.businessobjects.com...
> Hi,
>
> I am facing the following problem.
>
> The Windows service account used for Vintela SSO is set up using "Use DES 
> encryption for this account". The keytab is created with ktpass 
> ... -crypto DES-CBC-MD5 encryption.
>
> Everything is working when I login to the web application from a Windows 
> 2003 server machine. On the Windows 2003 server machine part of the klist 
> tickets command is as follows (Kerberos ticket encryption of type 
> DES-CBC-MD5 as expected):
>
>   Server: HTTP/server.eu.xxx.com@EU.XXX.COM
>      KerbTicket Encryption Type: Kerberos DES-CBC-MD5
>      End Time: 8/3/2007 21:38:37
>      Renew Time: 8/10/2007 11:38:37
>
> But on the Windows 2000 clients the ticket is encrypted with RC4-HMAC-NT:
>
>   Server: HTTP/server@EU.XXX.COM
>      KerbTicket Encryption Type: Kerberos RSADSI RC4-HMAC(NT)
>      End Time: 8/3/2007 21:42:55
>      Renew Time: 8/10/2007 11:42:55
>
> The wrong obtained ticket causes SSO to fail.
>
> Tomcat output is:
>
> HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: 
> com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure 
> unspecified at GSS-API level (Mechanism level: 
> com.dstc.security.kerberos.KerberosException: Successfully matched service 
> principal " HTTP/SERVER.EU.XXX.COM@EU.XXX.COM but not key type (23) + KVNO 
> (2) in this entry: Principal: HTTP/SERVER.EU.XXX.COM@EU.XXX.COM Type: 1 
> TimeStamp: Wed Dec 31 19:00:00 EST 1969 KVNO: -1 Key: [3, 67 ec a8 a8 75 
> e0 ab 3e ] )
>
> So the encryption type of the client ticket (which is of type 
> 23=RC4-HMAC-NT) does not match the entry in the keytab (type 
> 3=DES-CBC-MD5).
>
> Why does the Windows 2000 machine get a different encrypted ticket? Also, 
> there is a difference in the SPN returned in the output of the klist 
> tickets above.
>
> Any help would be greatly appreciated.
>
> Thanks,
>
> Ron
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

home help back first fref pref prev next nref lref last post