[32954] in Kerberos
Re: Specified version of key is not available
daemon@ATHENA.MIT.EDU (Weijun Wang)
Thu Dec 9 23:12:52 2010
Message-ID: <4D019B38.1050107@oracle.com>
Date: Fri, 10 Dec 2010 11:15:04 +0800
From: Weijun Wang <weijun.wang@oracle.com>
To: michal <kleczek.michal@gmail.com>
In-Reply-To: <2ab99fe5-a97e-4881-94ab-1c16f0166731@j3g2000vbi.googlegroups.com>
Cc: kerberos@mit.edu
Java fixed a bug in the key version check in 6u21.

The error message looks like the keytab is not the latest one. Each time
ktpass.exe is called, it increments the key version number for the
service, so you must always use the last generated keytab file on the
server.

Thanks
Weijun

On 12/10/2010 06:10 AM, michal wrote:
> Hi,
> Have a problem with setting up Tomcat (Java servlet container) for
> SPNEGO authentication in an Active Directory domain. The implementation
> is based on JGSS available in Oracle JDK 1.6.0_22.
> 1. Keytab is generated using ktpass utility.
> 2. Server (Tomcat) obtains a service ticket from the keytab.
> 3. Server sends Negotiate header to the browser.
> 4. The browser sends an encoded Kerberos ticket to the server.
> 5. Ooops... The server prints out exception message "Specified version
> of key is not available" and refuses to establish GSS context.
> All is set up exactly as described here:
> http://blog.springsource.com/2009/09/28/spring-security-kerberos
> and works perfectly with MIT Kerberos (even with Windows clients
> configured using ksetup tool).
> I've googled around and could not find anything. Does anybody have any
> idea what is wrong?
> Thanks for any suggestions.
> Michal
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos