Discussion:
[modauthkerb] Create keytab with multiple servicePrincipalNames
Jakob Olsen
2014-01-07 19:17:43 UTC
Permalink
Hello,
this is my first post to the mailing-list, so I hope I'm doing it the right
way.

We have the following setup:

KDC = Windows 2003R2

Kerberos enabled server: Ubuntu - Apache 2.4

Clients: Windows 7 - IE 8

The solution has been up and running, but today I needed to add another SPN to
the AD user that was used when the keytab was created.

I create my keytab with this Windows command:

ktpass -princ HTTP/***@DOMAIN.TLF -mapuser ***@domain.tlf -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab

But after I added another SPN and created a new keytab, I see this error in
my Apache error.log:

[Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253]
src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000,
minor_status:96c73ae6
[Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client
IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor
code may provide more information (, Key version number for principal in
key table is incorrect)

So my question is:

What do I do about this error?
How do I debug any further?

Normally I don't have klist, ktutil, kadmin etc. installed on the Ubuntu
server.
But today I installed the krb-user package, and when calling kvno
HTTP/servername.domain.tld I see the same kvno as the one ktpass writes
when creating the keytab.

Any help is appreciated.
--
Jakob Damgaard Olsen
Tlf: 24613112
Douglas E. Engert
2014-01-07 20:14:26 UTC
Permalink
Post by Jakob Olsen
Hello,
this is my first post to the mailing-list, so i hope i'm doing it the right way.
We have the following setup:
KDC = Windows 2003R2
Kerberos enabled server: Ubuntu - Apache 2.4
Clients: Windows 7 - IE 8
The solution has been up running, but today i needed to add another spn to the AD user, used when the keytab was created.

If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account,
but the user is not a real user but an account representing a service. Some people get confused. Your use of
-mapuser ***@domain.tlf looks like this type of confusion.

Real users don't normally have SPNs.

Post by Jakob Olsen
I create my keytab with this windows command:
ktpass -princ HTTP/***@DOMAIN.TLF -mapuser ***@domain.tlf -pass password -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
But after i added another SPN and created a new keytab, i see this error in my apache error.log:
[Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
[Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
So my question is:
What do i do about this error?
How do i debug any further?

Some things to keep in mind...

    An AD account has a single password used to generate keys on the fly.

    An AD account has a single key version number.

    A SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.

One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername.

You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts
rather than ktpass.

Post by Jakob Olsen
Normally i dont have klist, ktutil, kadmin etc installed on the ubuntu server.
But today i installed the krb-user package and when calling kvno HTTP/servername.domain.tld i see the same kvno, as the ktpass is writing when creating the keytab.

You might just be seeing that the user has cached tickets. You may want to kinit again.

Post by Jakob Olsen
Any help is appreciated.
--
Jakob Damgaard Olsen
Tlf: 24613112

_______________________________________________
modauthkerb-help mailing list
modauthkerb-***@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/modauthkerb-help

--

Douglas E. Engert <***@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Jakob Olsen
2014-01-07 20:22:00 UTC
Permalink
Hello Douglas, thanks for your reply.
If I create 2 accounts,

one for http/servername.domain.int and one for http/servername.domain.ext,
the same server should be able to serve both "SPNs".
How will I do that?
--
Jakob Damgaard Olsen
Tlf: 24613112
Jakob Olsen
2014-01-07 20:36:44 UTC
Permalink
Sorry to spam the list...
I just created a new user,
created a new keytab (using the ktpass util),
copied the keytab to Apache and restarted the server.

I still get this error in Apache error.log:
[Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client
192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS
failure. Minor code may provide more information (, Key version number for
principal in key table is incorrect)

How can the kvno be wrong, when the user was just created, and the same with the keytab?
--
Jakob Damgaard Olsen
Tlf: 24613112
Jakob Olsen
2014-01-07 20:58:19 UTC
Permalink
Hello all,
can this be the problem?

http://support.microsoft.com/kb/870987

If I open adsiedit.msc and find the user, there is no msDS-KeyVersionNumber.
But when I created the keytab, I got this information:

C:\>ktpass -princ HTTP/***@DOMAIN.TLD -mapuser http-servername-***@domain.tld -pass abc12345 -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out krb5.keytab
Targeting domain controller: RKDC01.domain.tld
Successfully mapped HTTP/servername.domain.tld to http-servername-tld.
Password succesfully set!
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 76 HTTP/***@DOMAIN.TLD ptype 1 (KRB5_NT_PRINCIPAL) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xea847b34167fd797cac465a00a2d88b3)

Why is the vno 3 from the start?
--
Jakob Damgaard Olsen
Tlf: 24613112
Douglas E. Engert
2014-01-07 22:06:02 UTC
Permalink
Post by Jakob Olsen
Hello all,
can this be the problem?
http://support.microsoft.com/kb/870987
If i open adsiedit.msc and find the user, there is no: msDS-KeyVersionNumber
Targeting domain controller: RKDC01.domain.tld
Successfully mapped HTTP/servername.domain.tld to http-servername-tld.
Password succesfully set!
Key created.
Keytab version: 0x502
vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0xea847b34167fd797cac465a00a2d88b3)
Why is the vno 3 from start ?
Not sure, but that is common with AD. I suspect:
1 when created,
2 when the account password was changed (It should be set to not expire)
3 when you did the ktpass.
Post by Jakob Olsen
Sorry to spam the list...
I just created a new user.
Created a new keytab (using the ktpass-util)
Copied keytab to apache and restarted the server.
[Tue Jan 07 21:31:41.785661 2014] [auth_kerb:error] [pid 15740] [client 192.168.128.68:51686] gss_accept_sec_context() failed: Unspecified GSS
failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
How can the kvno be wrong, when user is just created and same with keytab?
Did the client have cached tickets with an older kvno?
W7 has a klist tickets command, but does not show the kvno, but does show the time the ticket was obtained.
Make sure the time is after the time you ran the last ktpass for the SPN.
--
Douglas E. Engert <***@anl.gov> <***@gmail.com>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
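As an added illustration (not code from the thread, from ktpass or from mod_auth_kerb), here is a small parser for the 0x502 keytab format ktpass reported writing above, plus a check that compares the kvno a service ticket carries against the kvnos the keytab holds for that principal: a miss is the condition behind the "Key version number for principal in key table is incorrect" error, and a cached ticket for an older key is one way it arises. Principal names, keys and timestamps are constructed, and the sample keytab carries entries for two SPNs, which is what one server serving both names from separate service accounts ends up with.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

# Constructed sample values, not the thread's real keytab: the first entry has the
# shape ktpass printed (ptype 1, vno 3, etype 0x17, 16-byte key); the second is a
# hypothetical entry for a second SPN held by its own service account.
P_TLD = "HTTP/servername.domain.tld@DOMAIN.TLD"
P_EXT = "HTTP/servername.domain.ext@DOMAIN.EXT"


@dataclass
class KeytabEntry:
    principal: str  # name/instance@REALM
    name_type: int  # 1 = KRB5_NT_PRINCIPAL
    timestamp: int  # epoch seconds when the entry was written
    kvno: int       # key version number; the service ticket must carry the same one
    enctype: int    # 23 = RC4-HMAC (0x17)
    key: bytes


def build_keytab(entries: list[KeytabEntry]) -> bytes:
    """Serialise entries as an MIT keytab, version 0x502 (all integers big-endian)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        comps, realm = e.principal.rsplit("@", 1)
        parts = comps.split("/")
        body = bytearray(struct.pack(">H", len(parts)))  # realm not counted in 0x502
        for s in [realm, *parts]:                         # counted octet strings, realm first
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                 # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body        # length prefix per entry
    return bytes(out)


def _counted(buf: bytes, off: int) -> tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def _parse_entry(buf: bytes) -> KeytabEntry:
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, off = _counted(buf, 2)
    comps = []
    for _ in range(ncomp):
        c, off = _counted(buf, off)
        comps.append(c.decode())
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", buf, off)
    enctype, klen = struct.unpack_from(">HH", buf, off + 9)
    off += 13
    key = buf[off:off + klen]
    off += klen
    kvno = vno8
    if off + 4 <= len(buf):                               # 32-bit kvno wins when present and non-zero
        (vno32,) = struct.unpack_from(">I", buf, off)
        kvno = vno32 or kvno
    return KeytabEntry("/".join(comps) + "@" + realm.decode(), name_type, timestamp, kvno, enctype, key)


def parse_keytab(data: bytes) -> list[KeytabEntry]:
    """Read every live entry of a 0x502 keytab; a negative length marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries


def keytab_kvnos(entries: list[KeytabEntry], principal: str) -> list[int]:
    """Every kvno the keytab holds for one principal (the keys the server can decrypt with)."""
    return sorted({e.kvno for e in entries if e.principal == principal})


def explain_kvno(entries: list[KeytabEntry], principal: str, ticket_kvno: int) -> str:
    """Compare the kvno a service ticket carries (what the Linux `kvno` tool prints) with the
    keytab; a miss is exactly the 'Key version number ... is incorrect' condition."""
    have = keytab_kvnos(entries, principal)
    if not have:
        return f"{principal} is not in the keytab"
    if ticket_kvno in have:
        return "ok"
    return (f"ticket kvno {ticket_kvno} not among keytab kvnos {have}: the client is "
            "presenting a cached ticket for an older key, or the keytab is stale")


SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(P_TLD, 1, 1389113501, 3, 0x17, bytes(range(16))),    # constructed key
    KeytabEntry(P_EXT, 1, 1389113501, 5, 0x17, bytes(range(16, 32))),
])
```

Run `parse_keytab` over a real `krb5.keytab` and feed `explain_kvno` the number printed by `kvno HTTP/host` to tell a stale client ticket from a stale keytab before touching the AD account again.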
Jakob Olsen
2014-01-08 06:56:39 UTC
Permalink
Thanks Douglas, it was "that" easy... :)
I have seen the error message so many times: Key version number for principal
in key table is incorrect
And every time I thought the keytab was the problem.
When I removed the old ticket, Kerberos was working again.

Thanks.
Post by Jakob Olsen
Post by Jakob Olsen
Hello all,
can this be the problem?
http://support.microsoft.com/kb/870987
msDS-KeyVersionNumber
KRB5
Post by Jakob Olsen
_NT_PRINCIPAL -out krb5.keytab
Targeting domain controller: RKDC01.domain.tld
Successfully mapped HTTP/servername.domain.tld to http-servername-tld.
Password succesfully set!
Key created.
Keytab version: 0x502
(KRB5_NT_PRINCIPAL)
Post by Jakob Olsen
vno 3 etype 0x17 (RC4-HMAC) keylength 16
(0xea847b34167fd797cac465a00a2d88b3)
Post by Jakob Olsen
Why is the vno 3 from start ?
1 when created,
2 when the account password was changed (It should be set to not expire)
3 when you did the ktpass.
Post by Jakob Olsen
Sorry to spam the list...
I just created a new user.
Created a new keytab (using the ktpass-util)
Copied keytab to apache and restarted the server.
[Tue Jan 07 21:31:41.785661 2014 <tel:785661%202014>]
[auth_kerb:error] [pid 15740] [client 192.168.128.68:51686 <
Unspecified GSS
Post by Jakob Olsen
failure. Minor code may provide more information (, Key version
number for principal in key table is incorrect)
Post by Jakob Olsen
How can the kvno be wrong, when user is just created and same with
keytab?
Did the client have cached tickets with an older kvno?
W7 has a klist tickets
command, but does not show the kvno, but does show the time the ticket was obtained.
Make sure the time is after the time you ran the last ktpass for the SPN.
Post by Jakob Olsen
Hello Douglas, thanks for your reply.
If i create 2 accounts.
One for http/servername.domain.int <http://servername.domain.int>
and one for http/servername.domain.ext
Post by Jakob Olsen
Same server should be able to serve both "spn's".
How will a do that?
On Tue, Jan 7, 2014 at 9:14 PM, Douglas E. Engert <
Post by Jakob Olsen
Hello,
this is my first post to the mailing-list, so i hope i'm
doing it the right way.
Post by Jakob Olsen
Post by Jakob Olsen
KDC = Windows 2003R2
Kerberos enabled server: Ubuntu - Apache 2.4
Clients: Windows 7 - IE 8
The solution has been up running, but today i needed to add
another spn to the AD user, used when the keytab was created.
Post by Jakob Olsen
If this is your first attempt at using AD as the KDC for a
service, keep in mind that the MS docs talk about a "user" account
Post by Jakob Olsen
but the user in not a real user but an account representing
a service. Some people get confused. Your use of the
like this type of confusion.
Post by Jakob Olsen
Real users don't normally have SPNs.
Post by Jakob Olsen
-ptype KRB5_NT_PRINCIPAL -out krb5.keytab
But after i added another SPN and created a new keytab, i
[Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid
11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API
major_status:000d0000, minor_status:96c73ae6
Post by Jakob Olsen
Post by Jakob Olsen
[Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid
11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS
failure. Minor code may provide more information (, Key
Post by Jakob Olsen
Post by Jakob Olsen
version number for principal in key table is incorrect)
What do i do about this error?
How do i debug any further?
Some thinks to keep in mind...
An AD account has a single password used to generate
keys on the fly.
Post by Jakob Olsen
An AD account has a single key version number.
A SPN added to an account shares the password and KVNO
with the UPN for the account and all other SPNs on the account.
Post by Jakob Olsen
On way to avoid this is to have separate service account
with only one SPN, and one matching keytab entry.
Post by Jakob Olsen
Pick a naming convention for these AD accounts, say
<service>-<host> so in you example, http-servername
Post by Jakob Olsen
You may also want to look at msktutil (Ubuntu has a packaged
version), or Samba utilities that allow you to update keytabs and AD
accounts
Post by Jakob Olsen
rather the ktpass.
Post by Jakob Olsen
Normally i dont have klist, ktutil, kadmin etc installed on
the ubuntu server.
Post by Jakob Olsen
Post by Jakob Olsen
But today i installed the krb-user package and when calling
kvno HTTP/servername.domain.tld i see the same kvno, as the ktpass is
writing when creating the keytab.
Post by Jakob Olsen
You might just be seeing that the the user has cached
tickets. You may want to kinit again.
Post by Jakob Olsen
Post by Jakob Olsen
Any help is appreciated.
--
Jakob Damgaard Olsen
Tlf: 24613112
------------------------------------------------------------------------------
Post by Jakob Olsen
Post by Jakob Olsen
Rapidly troubleshoot problems before they affect your
business. Most IT
Post by Jakob Olsen
Post by Jakob Olsen
organizations don't have a clear picture of how application
performance
Post by Jakob Olsen
Post by Jakob Olsen
affects their revenue. With AppDynamics, you get 100%
visibility into your
Post by Jakob Olsen
Post by Jakob Olsen
Java,.NET, & PHP application. Start your 15-day FREE TRIAL
of AppDynamics Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
Post by Jakob Olsen
Post by Jakob Olsen
_______________________________________________
modauthkerb-help mailing list
https://lists.sourceforge.net/lists/listinfo/modauthkerb-help
Post by Jakob Olsen
--
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444 <tel:%28630%29%20252-5444>
Douglas E. Engert
2014-01-14 21:40:04 UTC
Permalink
Post by Jakob Olsen
Hello Douglas, thanks for your reply.
If I create 2 accounts,
one for http/servername.domain.int and one for http/servername.domain.ext,
the same server should be able to serve both "spn's".
How will I do that?
Sorry about the late reply.

But yes it could, if you combine the two keytab files. MIT's ktutil can do that.

You would also have to look closely at how the calls to gss_accept_sec_context
handle the acceptor_cred_handle parameter. It's been a long time, but IIRC it can
be null and the lower-level Kerberos may be able to use any keytab entry.
Post by Jakob Olsen
Hello,
this is my first post to the mailing-list, so I hope I'm doing it the right way.
KDC = Windows 2003R2
Kerberos enabled server: Ubuntu - Apache 2.4
Clients: Windows 7 - IE 8
The solution has been up and running, but today I needed to add another SPN to the AD user used when the keytab was created.
If this is your first attempt at using AD as the KDC for a service, keep in mind that the MS docs talk about a "user" account
but the user is not a real user but an account representing a service. Some people get confused. Your use of the
Real users don't normally have SPNs.
Post by Jakob Olsen
KRB5_NT_PRINCIPAL -out krb5.keytab
[Tue Jan 07 16:53:24.378749 2014] [auth_kerb:debug] [pid 11253] src/mod_auth_kerb.c(1121): [client IP:PORT] GSS-API major_status:000d0000, minor_status:96c73ae6
[Tue Jan 07 16:53:24.378809 2014] [auth_kerb:error] [pid 11253] [client IP:PORT] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version
number for principal in key table is incorrect)
What do I do about this error?
How do I debug any further?
Some things to keep in mind...
An AD account has a single password used to generate keys on the fly.
An AD account has a single key version number.
An SPN added to an account shares the password and KVNO with the UPN for the account and all other SPNs on the account.
One way to avoid this is to have a separate service account with only one SPN, and one matching keytab entry.
Pick a naming convention for these AD accounts, say <service>-<host>, so in your example, http-servername.
You may also want to look at msktutil (Ubuntu has a packaged version), or Samba utilities that allow you to update keytabs and AD accounts
rather than ktpass.
Post by Jakob Olsen
Normally I don't have klist, ktutil, kadmin etc installed on the ubuntu server.
But today I installed the krb-user package and when calling kvno HTTP/servername.domain.tld I see the same kvno as the ktpass is writing when creating the keytab.
You might just be seeing that the user has cached tickets. You may want to kinit again.
--
Douglas E. Engert <***@anl.gov> <***@gmail.com>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
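The two pieces of advice in this thread (compare the KVNO the KDC puts in a freshly issued service ticket with what the keytab holds, and merge one keytab per service account with MIT ktutil) as an added example; this is not code from the thread or from mod_auth_kerb. It assumes the MIT Kerberos tools from Ubuntu's krb5-user package (klist, kvno, ktutil). The realm names DOMAIN.INT/DOMAIN.EXT/DOMAIN.TLD, the KVNO values, the third HTTP/servername.domain.tld principal and the file names http-int.keytab, http-ext.keytab and /etc/krb5.keytab.new are constructed for the example; the two listings are constructed samples of klist and kvno output so the checks run offline.

```shell
#!/bin/sh
# Added example (not from the thread, not mod_auth_kerb code). Assumes the
# MIT Kerberos CLI tools from Ubuntu's krb5-user package: klist, kvno, ktutil.
# Everything below runs offline on constructed sample output; the live
# commands are shown in comments.

# Constructed sample of `klist -ke /etc/krb5.keytab` on the Apache host.
# Scenario: the keytab still carries KVNO 3 for the .ext principal although
# the account's password (and so its KVNO) was bumped by a later ktpass run,
# and HTTP/servername.domain.tld was never written to the keytab at all.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 HTTP/servername.domain.int@DOMAIN.INT (arcfour-hmac)
   3 HTTP/servername.domain.ext@DOMAIN.EXT (arcfour-hmac)'

# Constructed sample of `kvno HTTP/... HTTP/... HTTP/...` run after
# `kdestroy; kinit`, so the numbers come from freshly issued service tickets
# rather than from tickets cached before the password change.
SAMPLE_KDC_KVNOS='HTTP/servername.domain.int@DOMAIN.INT: kvno = 5
HTTP/servername.domain.ext@DOMAIN.EXT: kvno = 4
HTTP/servername.domain.tld@DOMAIN.TLD: kvno = 2'

# keytab_kvnos LISTING -> "principal kvno" per keytab entry, deduplicated.
# Entry lines start with the numeric KVNO; header/separator lines do not.
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2, $1 }' | sort -u
}

# kdc_kvnos KVNO_OUTPUT -> "principal kvno" per line printed by kvno(1).
kdc_kvnos() {
    printf '%s\n' "$1" | awk -F': kvno = ' 'NF == 2 { print $1, $2 }'
}

# check_keytab_kvnos LISTING KVNO_OUTPUT
# For every principal the KDC issued a ticket for, report whether the keytab
# holds an entry with that KVNO. Exit status 1 if any principal is not OK;
# a MISMATCH is exactly the condition behind "Key version number for
# principal in key table is incorrect".
check_keytab_kvnos() {
    {
        keytab_kvnos "$1" | sed 's/^/KEYTAB /'
        kdc_kvnos "$2"    | sed 's/^/KDC /'
    } | awk '
        $1 == "KEYTAB" { have[$2] = (have[$2] ? have[$2] "," : "") $3 }
        $1 == "KDC"    { want[$2] = $3; order[++n] = $2 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (!(p in have)) {
                    print "MISSING  " p " kdc=" want[p]; bad = 1
                } else if (index("," have[p] ",", "," want[p] ",") == 0) {
                    print "MISMATCH " p " keytab=" have[p] " kdc=" want[p]; bad = 1
                } else {
                    print "OK       " p " kvno=" want[p]
                }
            }
            exit bad
        }'
}

# ktutil_merge_script OUT.keytab IN1.keytab [IN2.keytab ...]
# Prints the ktutil command script that merges one keytab per service
# account into a single file for Apache. Pipe it into `ktutil`.
# Caveat: write_kt appends to an existing file, so write to a new path and
# then move it over /etc/krb5.keytab.
ktutil_merge_script() {
    out=$1; shift
    for kt in "$@"; do
        printf 'rkt %s\n' "$kt"
    done
    printf 'wkt %s\nquit\n' "$out"
}

# Live use on the Ubuntu host (not run here):
#   ktutil_merge_script /etc/krb5.keytab.new http-int.keytab http-ext.keytab | ktutil
#   kdestroy; kinit someuser@DOMAIN.INT        # drop service tickets cached before the change
#   check_keytab_kvnos "$(klist -ke /etc/krb5.keytab.new)" \
#                      "$(kvno HTTP/servername.domain.int HTTP/servername.domain.ext)"
#   kvno -k /etc/krb5.keytab.new HTTP/servername.domain.int   # also decrypts the ticket with the keytab

check_keytab_kvnos "$SAMPLE_KEYTAB_LISTING" "$SAMPLE_KDC_KVNOS" \
    || echo "keytab and KDC disagree: refresh the affected entries before restarting Apache"
```

On the constructed sample the check prints one OK line, one MISMATCH line (keytab KVNO 3, KDC KVNO 4) and one MISSING line, and exits 1. Run it only after kdestroy/kinit, since kvno reports the KVNO of whatever service ticket is in the credential cache, which is why a stale cache can make the numbers look consistent.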
Jakob Olsen
2014-01-15 08:17:29 UTC
Permalink
Hello Douglas,
so far it looks like the problem is solved.
And it works with two spn's.
Thanks man...
--
Jakob Damgaard Olsen
Tlf: 24613112