RC4-HMAC-MD5 with Apache2/mod_auth_kerb and ActiveDirectory -Problem

Markus Moeller huaraz at moeller.plus.com
Thu Aug 25 15:11:12 EDT 2005


Jakob,

If I understand right, you have created a new HTTP/server principal with RC4 
encryption and merged it with DES only principals. Are the DES only 
principals also for HTTP/server? Do you have the DES only flag set on the 
account?

Did you use a password with the keytab tool, which would make any previously 
extracted key invalid?

I would need some answers to the above questions to understand better what 
you did. In principle you can use RC4-hmac.

Regards
Markus


"Jellbauer Jakob" <jakob.jellbauer at interhyp.de> wrote in message 
news:67303F7C52F03642A25DF2F8C43177C4011D86E1 at DEMUC-CLU2-EX1.interhyp-intern.de...
> hello list,
>
> I've problems getting this combination, RC4-HMAC-MD5 with 
> Apache2/mod_auth_kerb and ActiveDirectory, to work.
>
> my way:
>
> - I've created a new user on a 2003 Domaincontroller
> - used the (2003) ktpass tool to create the usermapping
> - merged it with the existing keytab file with only "DES cbc mode with 
> RSA-MD5" Principals
>
> now I can get a ticket through:
>
>>kinit -S  HTTP/myserver.mydomain-websrvdmz.de
>
>>klist -e
> Ticket cache: FILE:/tmp/krb5cc_6024
> Default principal: HTTP/myserver.mydomain-websrvdmz.de at INTERHYP.DE
>
> Valid starting     Expires            Service principal
> 08/25/05 13:13:46  08/25/05 23:13:50  krbtgt/INTERHYP.DE at INTERHYP.DE
>        renew until 08/26/05 13:13:46, Etype (skey, tkt): ArcFour with 
> HMAC/md5, ArcFour with HMAC/md5
>
>
> but when i try to make a SSO via Internet Explorer i get this in the 
> apache errorlog:
>
> ... gss_accept_sec_context() failed: Miscellaneous failure (Decrypt 
> integrity check failed) ...
> ... failed to verify krb5 credentials: Decrypt integrity check failed  ...
>
>
>
> I have purged my tickets already and I don't have any enctypes specified in 
> my krb5.conf
>
>
>
> in general , is it possible to get this combination to work?
>
>
>
> greetings and thanks
>
> jakob
>
>
>
> -
> Jakob Jellbauer
> Network & System Engineer
> Information Technology
> Interhyp AG | Parkstadt Schwabing  Marcel-Breuer-Str. 18  80807 München
> Telefon: 089-76 77 21 47 | Telefax: 089-76 77 251 47  | Mobil: 0151-16 70 
> 19 16
> mailto:jakob.jellbauer at interhyp.de | www.interhyp.de
>
>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 



