KVNO/Keytab Question
Douglas E. Engert
deengert at anl.gov
Mon Dec 1 16:31:59 EST 2008
kevin.doran at accenture.com wrote:
> Hi, I'm hoping someone can help.
>
> We are having issues using SPNEGO. Our problem seems to be the one
> defined on:
> http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=swg21259123&loc=en_US&cs=UTF-8&lang=en
>
> When we try to login, our browsers pass the following ticket
> information:
>
> Ticket
> Tkt-vno: 5
> Realm: DWPPTP.LONDONDC.COM
> Server Name (Service and Instance): HTTP/ettloadbalancer.dwpptp.londondc.com
> Name-type: Service and Instance (2)
> Name: HTTP
> Name: ettloadbalancer.dwpptp.londondc.com
> enc-part des-cbc-md5
> Encryption type: des-cbc-md5 (3)
> Kvno: 4
> enc-part:
> 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
>
> The Kvno is 4, yet when performing a klist on the keytab file:
>
> ivmgr at dptettsw02:/var/pdweb/log$ klist -k /var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
> Keytab name: FILE:/var/pdweb/keytab-dptettsw02/ettloadbalancer_HTTP.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 HTTP/ettloadbalancer.dwpptp.londondc.com at DWPPTP.LONDONDC.COM
>
> We have followed the recommendation of recreating the keytab file and
> this has change the KVNO number in the keytab file. However the KVNO
> passed by the browser does not matched - how does this value get set?
>
> Any help is appreciated
(Richard Silverman suggested to clean out the client ticket cache,
but that may only be part of the problem.)

The kvno is usually increased by one each time you change the key in the KDC,
so it looks like you did not update the keytab the last time you changed
the key. The KDC and keytab need to stay in sync. The client got a ticket with
a kvno of 4, but the keytab has a kvno of 3. Do you have more than one copy
of the keytab file? I see the words "load balancer" in your note. Did you update both?
Whose KDC are you using, and what tool did you use to create or update the keytab?

(The reason for a kvno is that a keytab can have more than one key for a
service principal, each with a different kvno. This is done to allow tickets
issued with the older kvno to continue to work when a new key and kvno are
created in the KDC and keytab. At a later time the keytab can be cleaned up,
removing the older entry.)
>
> Regards
>
> Kev
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
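The kvno lookup described in the reply above, as an added example that is not part of the mailing-list thread: a small parser for the MIT keytab file format (version 0x0502, the format `klist -k` reads) plus the match a service performs when a ticket arrives, namely principal, kvno and enctype from the ticket header against the keytab entries. The sample keytab bytes are constructed in-script with throwaway 8-byte values standing in for DES keys; the principal, realm and enctype number (3, des-cbc-md5) are the ones from the question, the timestamps and the helper names are assumptions. It shows the failure in the question (ticket kvno 4, keytab holding only kvno 3) and why keeping both the old and the new kvno in the keytab lets already-issued tickets keep working.

```python
"""Parse an MIT-format (0x0502) keytab and resolve a ticket's kvno against it.

Added example, not from the mailing-list thread. The keytab bytes are
constructed here with throwaway key material; the principal name, realm and
enctype number come from the question, everything else is assumed.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format version 2 (big-endian fields)


def _counted(b: bytes) -> bytes:
    """Encode a counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key, timestamp) tuples as a keytab.

    Used only to construct a realistic sample; kadmin's ktadd (MIT) or ktpass
    (Windows) write the real file. Layout per entry: int32 size, uint16
    component count, realm, components, uint32 name type, uint32 timestamp,
    uint8 vno, keyblock (uint16 enctype, uint16 length, key), uint32 vno.
    """
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)     # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)  # 32-bit kvno (MIT writes it; Heimdal only when > 255)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per live entry, the fields `klist -k -e -K` prints."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab: %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:          # negative size marks a deleted entry (hole): skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:    # optional 32-bit kvno overrides the 8-bit one when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": enctype, "key": key, "timestamp": ts})
    return entries


def find_service_key(entries, principal, kvno, enctype):
    """What the service does with an incoming ticket: select the keytab entry whose
    principal, kvno and enctype all match the ticket header. None means the ticket
    cannot be decrypted, which is the kvno mismatch the question describes."""
    for e in entries:
        if (e["principal"], e["kvno"], e["enctype"]) == (principal, kvno, enctype):
            return e["key"]
    return None


SPN = "HTTP/ettloadbalancer.dwpptp.londondc.com@DWPPTP.LONDONDC.COM"
DES_CBC_MD5 = 3  # enctype number shown in the ticket dump in the question
# Constructed, non-secret 8-byte values standing in for DES keys.
KEY_V3 = bytes.fromhex("0102040708100b0d")
KEY_V4 = bytes.fromhex("1315161920232526")

# Keytab as in the question: only kvno 3, while the KDC already issues kvno 4.
STALE_KEYTAB = build_keytab([(SPN, 3, DES_CBC_MD5, KEY_V3, 1228000000)])
# Keytab after the new key was added without deleting the old entry.
REFRESHED_KEYTAB = build_keytab([(SPN, 3, DES_CBC_MD5, KEY_V3, 1228000000),
                                 (SPN, 4, DES_CBC_MD5, KEY_V4, 1228100000)])


def check_ticket(keytab_bytes, ticket_kvno, enctype=DES_CBC_MD5):
    """Return (sorted kvnos held for SPN, whether a ticket with ticket_kvno decrypts)."""
    entries = parse_keytab(keytab_bytes)
    kvnos = sorted(e["kvno"] for e in entries if e["principal"] == SPN)
    return kvnos, find_service_key(entries, SPN, ticket_kvno, enctype) is not None


if __name__ == "__main__":
    print("stale keytab, ticket kvno 4:", check_ticket(STALE_KEYTAB, 4))
    print("refreshed keytab, ticket kvno 4:", check_ticket(REFRESHED_KEYTAB, 4))
    print("refreshed keytab, older ticket kvno 3:", check_ticket(REFRESHED_KEYTAB, 3))
```

To inspect a real file, pass `open(path, "rb").read()` to `parse_keytab` and compare the kvnos it lists with the `Kvno` field in the ticket the browser sends; every host behind the load balancer needs the same entries.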