"Key version number for principal in key table is incorrect" - but

Timo Fuchs timo at mxbf.de
Mon Jun 20 08:36:04 EDT 2005


Hi,

I am using Apache1/mod_auth_kerb (using MIT Kerberos under Linux) to
authenticate via single-sign-on through a Windows 2003 Active Directory
Server. When authenticating, Kerberos refuses the key in the keytab:

--- Apache error_log ---
gss_accept_sec_context() failed: Miscellaneous failure
 (Key version number for principal in key table is incorrect)
--- END Apache error_log ---



Actually, the service principal's kvno in the keytab and on the ADS
server are the same (#7). I have checked that using "klist -ke" on Linux
and verifying the attribute msDS-KeyVersionNumber using ADSI on Windows.
In a different thread
(http://groups.google.de/group/comp.protocols.kerberos/browse_thread/thread/7caa06f56f48fc12/4cb4b0e1458f9238)
someone was having the same problem, but they could determine that the
kvno was in fact different.

I tried to update the keytab using
kinit -k -t <keytab> <service principal>
but this didn't help either.

What I found out using ethereal:
- Internet Explorer opens URL on the apache server
- Apache server sends back 401 with "WWW-Authenticate: Negotiate"
- IE sends a correct authentication Kerberos string in the HTTP header
- Apache throws error as above
- Apache sends back "WWW-Authenticate: Basic" as a fallback (as far as I
assume)
- IE shows login request, I can now login with my Windows login data and
the login was accepted (which is quite strange from my point of view)

My questions:
- Can I find out which version gss_accept_sec_context() expects and
which it finds?
- Maybe I am thinking wrong and not the service principal's key is the
issue but my Windows Login key?
- Has anyone any more ideas?

Cheers,
Timo
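
Added example, not part of the original post and not MIT Kerberos code: a minimal reader for the MIT keytab file format (version 0x0502) that reports the principal, kvno and enctype number of each entry, the fields "klist -ke" displays. It goes slightly beyond the post by also handling the optional 32-bit kvno and deleted slots; the principal, realm and all-zero keys in the sample are constructed.

```python
import struct

def parse_entry(rec):
    """Return (principal, kvno, enctype number) for one keytab record."""
    off = 0
    def counted():                      # uint16 length followed by that many bytes
        nonlocal off
        (n,) = struct.unpack_from(">H", rec, off)
        val = rec[off + 2:off + 2 + n]
        off += 2 + n
        return val
    (ncomp,) = struct.unpack_from(">H", rec, off)   # component count, realm excluded
    off += 2
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    off += 8                            # skip name type and timestamp (4 bytes each)
    kvno = rec[off]                     # 8-bit kvno field
    (enctype,) = struct.unpack_from(">H", rec, off + 1)
    off += 3
    counted()                           # key bytes are skipped, never returned
    if len(rec) - off >= 4:             # optional 32-bit kvno overrides when non-zero
        (kvno32,) = struct.unpack_from(">I", rec, off)
        kvno = kvno32 or kvno
    return f"{name}@{realm}", kvno, enctype

def parse_keytab(data):
    """List (principal, kvno, enctype) for every live entry in a keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:
            entries.append(parse_entry(data[pos:pos + size]))
        pos += abs(size)                # a negative size marks a deleted slot to skip
    return entries

def sample_entry(kvno, enctype, keylen, kvno32=None):
    """Build one constructed record for HTTP/www.example.test@EXAMPLE.TEST."""
    cs = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", 2) + cs(b"EXAMPLE.TEST") + cs(b"HTTP") + cs(b"www.example.test")
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + cs(bytes(keylen))
    if kvno32 is not None:
        body += struct.pack(">I", kvno32)
    return struct.pack(">i", len(body)) + body

# Constructed sample: kvno 7 (enctype 23, rc4-hmac), a deleted slot, kvno 263 (enctype 18).
SAMPLE = (b"\x05\x02" + sample_entry(7, 23, 16) + struct.pack(">i", -4) + bytes(4)
          + sample_entry(263, 18, 32, kvno32=263))
```

The second sample entry stores 7 in its 8-bit kvno field (263 truncated to one byte), so a reader that ignores the 32-bit field would report the wrong version.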
