Win2003 KDC -- Apache/mod_spnego on Solaris: "Decrypt integrity check failed"

BERG Dietmar dietmar.berg at alcatel.at
Thu Jul 1 20:16:24 EDT 2004


Hi all,

I got stuck trying to get Apache 1.3.31 with mod_spnego to work with a Windows 2003 Server-based AD.

The SPNEGO token received from the client (IE 6.0SP1) is passed to krb5, but it can't be properly decoded by it.
I've hacked the krb5 libs to produce some more debug output, but I simply don't see what might be wrong.

The same error also occurs with mod_gss_auth_krb5.

My environment:
- OS is Solaris 8 on Sparc
- MIT krb5 is version 1.3.4
- Apache is 1.3.31, mod_perl-enabled
- mod_spnego is 0.0.4, mod_gss_auth_krb5 is 0.0.3

- the user-account in AD has a simple name, with an SPN of HTTP/some.where at REALM;
  account options have the DES-flag set (is there a need for a password-change *after* this?)

- KTPASS on Windows has been used to extract keytabs for both the plain user-name and the service principal name

- I can successfully log on from Solaris with MIT kinit with both the user name and the SPN,
  but I can *only* log on through the keytab for the user account, *not* for the service principal
  (same phenomenon as someone else on this list had with Samba)

- the Ticket encoding is DES-CBC-MD5 (at least this is what KERBTRAY on the Windows side says)

Logging output:
mod_spnego: gss_acquire_cred succeeded
	krb5_kt_get_entry(req->ticket->server=HTTP/some.where at REALM, vno=0, enc=3)
	krb5_kt_get_entry OK
	krb5_c_decrypt() FAILED with -1765328353
	krb5_rd_req FAILED
mod_spnego: released credential
mod_spnego: gss_accept_sec_context failed; GSS-API: Miscellaneous failure
mod_spnego: gss_accept_sec_context failed; GSS-API mechanism: Decrypt integrity check failed


What has gone wrong???

Best regards,
 Dietmar

