Fedora2/Apache2 and Key Version Error

Nebergall, Christopher cneberg at sandia.gov
Wed Aug 25 16:51:31 EDT 2004


You can use Ethereal, a packet sniffer.

http://www.ethereal.com/

But that is not your problem; from your error messages, Apache is sending
the header fine. The problem occurs later when the web server is trying to
process the token sent from the browser.

> gss_accept_sec_context() failed: Miscellaneous failure
> (Key version number for principal in key table is incorrect)

The key in your keytab file does not match the key that the Active Directory
has for the server principal, or you have changed the key multiple times
recently and IE is using an older version of the key, which it will cache
till it expires.

But that is confusing when looking at the next message, which makes it
appear as if the browser was not able to get a service ticket at all.

>>Warning: received token seems to be NTLM, which isn't supported...
>>gss_accept_sec_context() failed: A token was invalid (Token header is
>>malformed or corrupt)

Run the kerbtray utility from Microsoft to make sure that IE is actually
getting a service ticket.  Then right click the tray icon and purge the
tickets, in case your Windows box has cached an old ticket.  If that doesn't
fix anything, recreate your keytab using ktutil.

Kerbtray link
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/kerbtray-o.asp

-Christopher

-----Original Message-----
From: Scott Moseman [mailto:smoseman at novolink.net] 
Sent: Wednesday, August 25, 2004 1:39 PM
To: kerberos at MIT.EDU
Subject: Re: Fedora2/Apache2 and Key Version Error

As of right now, this is what our Apache server is saying in the logs...

kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
Acquiring creds for HTTP/fqdn.domain.com at REALM
Verifying client data using KRB5 GSS-API
Verification returned code 589824
Warning: received token seems to be NTLM, which isn't supported...
gss_accept_sec_context() failed: A token was invalid (Token header is
malformed or corrupt)
kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
kerb_authenticate_user_krb5pwd ret=0 user=username at REALM authtype=Basic

We are assuming that our browser (IE60) is not sending Apache2 our username
and password credentials via Kerberos.  Is there any way that we could
validate that Apache2 is properly requesting "WWW-Authentication: Negotiate"
from the web browser?  I did a telnet to port 80 and used "GET /" but that
did not tell me anything about Negotiate, although I am not sure if I used
the right syntax though.

Thanks,
Scott Moseman



"Scott Moseman" <smoseman at novolink.net> wrote:
>
> Fedora Core 2 running Apache 2.0.50 using mod_auth_kerb-rc6.
> Setup Kerberos and made principals for the system and for Apache.
>
> Login (pam) access using Kerberos is working great.  No problem.
> kinit works and authenticates against the ADS.  No problem there.
>
> When my browser hits the Apache server, I get this error message:
>
> gss_accept_sec_context() failed: Miscellaneous failure
> (Key version number for principal in key table is incorrect)
>
> The website pops up the user/pass prompt (which we want to stop)
> and I am able to login with my ADS credentials okay.  No problem.
>
> Any idea what is causing the above error message in Apache's logs?
> I have a feeling this is what is stopping us from having SSO working.
> (The website is in my Intranet Sites and I do have IWA configured.)
>
> Thanks,
> Scott Moseman
>


________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
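
Added example (not part of the original thread and not mod_auth_kerb's own code): a Python check that classifies a captured `Authorization: Negotiate` value as raw NTLM or SPNEGO/Kerberos from its leading bytes, and names the GSS-API routine error behind the logged status 589824. The function names and the sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")            # 1.3.6.1.5.5.2
KRB5_OIDS = (bytes.fromhex("06092a864886f712010202"),     # 1.2.840.113554.1.2.2
             bytes.fromhex("06092a864882f712010202"))     # 1.2.840.48018.1.2.2 (Microsoft)
# GSS-API routine errors (RFC 2744) live in bits 16-23 of the major status.
GSS_ROUTINE_ERRORS = {9: "GSS_S_DEFECTIVE_TOKEN", 13: "GSS_S_FAILURE"}


def classify_negotiate(header_value):
    """Heuristically classify an 'Authorization: Negotiate <base64>' value.
    Looks at leading bytes and mechanism OIDs only; not a full ASN.1 parse."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                       # binascii.Error subclasses ValueError
        return "malformed"
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                        # raw NTLMSSP: the client fell back to NTLM
    if token[:1] == b"\x60":                 # GSS-API initial token, [APPLICATION 0]
        has_krb5 = any(oid in token for oid in KRB5_OIDS)
        if SPNEGO_OID in token[:16]:
            return "spnego-kerberos" if has_krb5 else "spnego-other"
        if has_krb5:
            return "kerberos"
    return "unknown"


def gss_routine_error(major_status):
    """Name the routine-error field of a GSS-API major status code."""
    code = (major_status >> 16) & 0xFF
    return GSS_ROUTINE_ERRORS.get(code, "routine error %d" % code)


# Constructed sample tokens (not captured traffic): an NTLM type 1 message
# prefix and the first bytes of a SPNEGO token offering Kerberos.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60\x82\x04\x00" + SPNEGO_OID + b"\xa0\x82\x03\xf4\x30\x82\x03\xf0"
    b"\xa0\x0d\x30\x0b" + KRB5_OIDS[0]).decode()

if __name__ == "__main__":
    for name, value in (("ntlm sample", SAMPLE_NTLM), ("spnego sample", SAMPLE_SPNEGO)):
        print(name, "->", classify_negotiate(value))
    print(589824, "->", gss_routine_error(589824))
```

A header value copied from a packet capture of the browser's request can be passed to `classify_negotiate` directly; an `ntlm` result corresponds to the "received token seems to be NTLM" warning in the Apache log.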
