kerberos authentication for apache on windows
Frank Balluffi
frank.balluffi at db.com
Mon Jun 6 13:00:45 EDT 2005
jas at aql.fr wrote on 06/06/2005 10:21:12 AM:
> As I said, I've created a new keytab with the
> HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR service name (using
> ktpass).
> klist now shows the correct principal:
>
> > klist -k c:\WINDOWS\krb5kt
> Keytab name: FILE:c:\WINDOWS\krb5kt
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    4 HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR
>
> I've restarted Apache, restarted Firefox on the client session and
> requested the
> URL again. I got the same error: no principal match.
I am not sure why it is failing. For the sake of thoroughness, you might
want to check what encryption types are being used. To check the keytab,
pass -e to klist:

    klist -e -k c:\WINDOWS\krb5kt

Checking the token requires decoding it. If you send me the token (out of
band), I will check it. Because I have seen problems with key version
numbers (kvno) and Windows Server 2003, you might also want to try
deleting and recreating the service account and recreating the keytab. You
should then see kvno equal to 1.
Frank
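Added example, not part of the thread: a small Python helper that parses `klist -k -e` output and reports the two mismatches discussed above, a principal that is not in the keytab and a kvno that differs from the one on the service ticket. The principal is the one from the thread; the enctype and the older kvno 3 entry in the sample are constructed.

```python
import re

# Constructed sample of `klist -e -k` output in the layout shown in the thread.
# The second entry (kvno 3) and the enctype are added here for illustration.
SAMPLE_KLIST_OUTPUT = r"""Keytab name: FILE:c:\WINDOWS\krb5kt
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR (arcfour-hmac)
   4 HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR (arcfour-hmac)
"""

# kvno, principal, optional "(enctype)" printed when klist is run with -e
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\((.+)\))?\s*$")


def parse_klist_keytab(text):
    """Return (kvno, principal, enctype-or-None) tuples from klist -k output."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Keytab name:", "KVNO", "----")):
            continue  # skip the header, separator and blank lines
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_keytab(entries, expected_principal, ticket_kvno=None):
    """List reasons a service ticket could fail against this keytab.

    An empty list means an entry matches the principal exactly and, when
    ticket_kvno is given, carries that key version.
    """
    findings = []
    matching = [e for e in entries if e[1] == expected_principal]
    if not matching:
        findings.append(f"no principal match: {expected_principal} not in keytab")
        # Principal names are case-sensitive; flag entries that differ only in case.
        near = {e[1] for e in entries if e[1].lower() == expected_principal.lower()}
        for p in sorted(near):
            findings.append(f"case differs from keytab entry {p}")
        return findings
    kvnos = sorted({e[0] for e in matching})
    if ticket_kvno is not None and ticket_kvno not in kvnos:
        findings.append(f"kvno mismatch: ticket has {ticket_kvno}, keytab has {kvnos}")
    if any(e[2] is None for e in matching):
        findings.append("enctype unknown; rerun klist with -e to see it")
    return findings
```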