SSPI/GSS-API : mech_dh: Invalid or unknown error

Jacques Lebastard jacques.lebastard at evidian.com
Fri Apr 8 06:05:54 EDT 2005


Jeffrey Altman wrote:
> Jacques Lebastard wrote:
> 
> 
>>Hi folks,
>>
>>I wrote an SSPI Client / GSS-API Server application that works fine in a
>>tree of ActiveDirectory domains / Solaris realm environment where the
>>KDCs are the AD domain controllers.
>>
>>The server application is located in mytree.dom and users in child.mytree.dom.
>>
>>However, I sometimes get an error for some users. These users can
>>establish a context from W2K workstations but cannot from WinXP
>>workstations (both workstations are located in child.mytree.dom).
>>
>>The Solaris GSS-API server shows the following error message for
>>connections established on WinXP ws:
>>
>>MAJOR(gss_accept_sec_context) : Unspecified GSS failure.  Minor code may
>>provide more information
>>MINOR(gss_accept_sec_context) : mech_dh: Invalid or unknown error
>>
>>
>>What does 'mech_dh' mean? Diffie-Hellman mechanism???
>>
>>What are the differences between the Kerberos SSP in W2K SP4 and WinXP SP1?
>>
>>
>>Thanks for any hint,
>>-- 
>>Jacques
> 
> 
> I suggest you obtain a network trace for the exchange.

I dumpasn1'd both GSS-API tokens and they are quite similar: they only 
differ in the contents of encrypted parts.

What bothers me with both tokens is that the kvno (optional parameter of 
an EncryptedData) is omitted. A GSS-API token emitted from a WinXP SP2 
workstation includes the kvno.

If the WinXP SP1 workstations (or their closest domain controller?) use 
an old key, the GSS server application cannot detect that and might just 
fail decrypting tickets and authenticators.

Could this be the reason for the above error?
Would a Kerberos ticket cache clean-up on the workstation solve that 
problem?

What other "network trace" should be analyzed apart from the RFC 1964 token 
contents?

What is the meaning of 'mech_dh' in the minor_status error message?

Thanks for your help,
-- 
Mr. Jacques LEBASTARD            mailto:jacques.lebastard at evidian.com
EVIDIAN S.A.                     www.evidian.com
Rue Jean Jaurès                  Tel: +33 1 30 80 77 86
F-78340 LES CLAYES SOUS BOIS     Fax: +33 1 30 80 77 99
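As an added illustration that is not part of this thread, the Python below decodes the Kerberos EncryptedData structure Jacques inspected with dumpasn1 (SEQUENCE of etype [0], optional kvno [1], cipher [2]) and reports whether the optional kvno is present, which is the clue he is reasoning about. The sample tokens are constructed here, not taken from a real trace, and the minimal DER reader assumes definite-length encoding.

```python
# Minimal DER helpers for the Kerberos EncryptedData structure:
#   EncryptedData ::= SEQUENCE {
#       etype  [0] INTEGER,
#       kvno   [1] INTEGER OPTIONAL,   -- absent in the tokens under discussion
#       cipher [2] OCTET STRING }

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_encrypted_data(der):
    """Decode EncryptedData into a dict; 'kvno' is only set when encoded."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EncryptedData must be a SEQUENCE")
    fields, pos = {}, 0
    while pos < len(body):
        ctx_tag, inner, pos = _read_tlv(body, pos)   # [n] EXPLICIT wrapper
        _, val, _ = _read_tlv(inner, 0)              # the wrapped primitive
        num = ctx_tag & 0x1F
        if num == 0:
            fields["etype"] = int.from_bytes(val, "big", signed=True)
        elif num == 1:
            fields["kvno"] = int.from_bytes(val, "big")
        elif num == 2:
            fields["cipher"] = val
    return fields

def kvno_diagnostic(der):
    """Defender-side check: a missing kvno means the acceptor cannot tell a
    stale-key ticket from a corrupt one; both surface as a decrypt failure."""
    fields = parse_encrypted_data(der)
    if "kvno" not in fields:
        return "kvno absent: cannot distinguish old key from corrupt data"
    return "kvno %d present: key mismatch would be reported explicitly" % fields["kvno"]

# --- constructed sample tokens (short-form lengths only) ---
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value

def build_encrypted_data(etype, cipher, kvno=None):
    parts = _tlv(0xA0, _tlv(0x02, bytes([etype])))
    if kvno is not None:
        parts += _tlv(0xA1, _tlv(0x02, bytes([kvno])))
    parts += _tlv(0xA2, _tlv(0x04, cipher))
    return _tlv(0x30, parts)
```

Run `kvno_diagnostic(build_encrypted_data(23, b"...", kvno=3))` against `kvno_diagnostic(build_encrypted_data(23, b"..."))` to see the two cases side by side (etype 23 is RC4-HMAC).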