kerberos authentication for apache on windows

Frank Balluffi frank.balluffi at db.com
Mon Jun 6 13:00:45 EDT 2005


jas at aql.fr wrote on 06/06/2005 10:21:12 AM:

> As I said, I've created a new keytab with the
> HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR service name (using ktpass).
> klist now shows the correct principal:
> 
> > klist -k c:\WINDOWS\krb5kt
> Keytab name: FILE:c:\WINDOWS\krb5kt
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    4 HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR
> 
> I've restarted Apache, restarted Firefox on the client session and
> requested the URL again. I got the same error: no principal match.

I am not sure why it is failing. For the sake of thoroughness, you might 
want to check what encryption types are being used. To check the keytab 
pass -e to klist:

klist -e -k c:\WINDOWS\krb5kt

Checking the token requires decoding it. If you send me the token (out of 
band), I will check it. Because I have seen problems with key version 
numbers (kvno) and Windows Server 2003, you might want to also try 
deleting and recreating the service account and recreating the keytab. You 
should then see kvno equal to 1.

Frank
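As an added example, not part of this thread or of any of the tools mentioned in it: the check Frank suggests (which principal, kvno and enctype each keytab entry carries) done offline in Python, assuming the keytab is in the MIT 0x0502 file format that ktpass writes. The sample keytab bytes are constructed here to mirror the quoted klist output.

```python
# Offline equivalent of the 'klist -e -k' check: list principal, kvno and
# enctype for each entry of an MIT-format (0x0502) keytab, so an SPN or kvno
# mismatch can be seen without a KDC. The sample keytab bytes are constructed.
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts",
            18: "aes256-cts", 23: "arcfour-hmac"}

def parse_keytab(data: bytes) -> list:
    """Return one {principal, kvno, enctype} dict per live keytab entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                     # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        parts = []                        # realm first, then name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos)
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _ntype, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen                  # skip name type, timestamp, vno8, key
        kvno = vno8
        if end - pos >= 4:                # trailing 32-bit kvno overrides vno8
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": kvno, "enctype": ENCTYPES.get(etype, str(etype))})
    return entries

def build_entry(principal: str, kvno: int, etype: int, key: bytes) -> bytes:
    """Serialize one entry; used here only to construct the sample keytab."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in [realm] + comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", kvno)       # 32-bit kvno, as newer tools write it
    return struct.pack(">i", len(body)) + body

# Constructed sample: one arcfour-hmac entry with kvno 4, matching the quoted klist.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(
    "HTTP/adcassard.jas.aql.fr@ADCASSARD.JAS.AQL.FR", 4, 23, b"\x00" * 16)
```

Compare each printed principal byte for byte with the SPN in the browser's ticket request (case included), and the kvno with what the KDC currently holds for the service account.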

