KVNO/Keytab Question

kevin.doran@accenture.com kevin.doran at accenture.com
Sat Nov 29 03:32:35 EST 2008


On 29 Nov, 03:21, "Richard E. Silverman" <r... at qoxp.net> wrote:
> >>>>> "KD" == kevin doran <kevin.do... at accenture.com> writes:
>
>     KD> Hi, I'm hoping someone can help.  We are having issues using
>     KD> SPNEGO. Our problem seems to be the one defined on:
>     KD>http://www-01.ibm.com/support/docview.wss?rs=638&context=SSPREK&uid=s...
>
>     KD> When we try to login, our browsers pass the following ticket
>     KD> information:
>
>     KD>                             Ticket Tkt-vno: 5 Realm:
>     KD> DWPPTP.LONDONDC.COM Server Name (Service and Instance):
>     KD> HTTP/ettloadbalancer.dwpptp.londondc.com Name-type: Service and
>     KD> Instance (2) Name: HTTP Name: ettloadbalancer.dwpptp.londondc.com
>     KD> enc-part des-cbc-md5 Encryption type: des-cbc-md5 (3) Kvno: 4
>     KD> enc-part: 1857B643262FFCBFF4F54F7D2D7E41F7D67DC10257C15D28...
>
>     KD> The Kvno is 4, yet when performing a klist on the keytab file:
>
>     KD> ivmgr at dptettsw02:/var/pdweb/log$ klist -k
>     KD> /var/pdweb/keytab-dptettsw02/ ettloadbalancer_HTTP.keytab Keytab
>     KD> name: FILE:/var/pdweb/keytab-dptettsw02/
>     KD> ettloadbalancer_HTTP.keytab KVNO Principal ----
>     KD> --------------------------------------------------------------------------
>     KD> 3 HTTP/ettloadbalancer.dwpptp.londondc.... at DWPPTP.LONDONDC.COM
>
>     KD> We have followed the recommendation of recreating the keytab file
>     KD> and this has change the KVNO number in the keytab file. However
>     KD> the KVNO passed by the browser does not matched - how does this
>     KD> value get set?
>
> You need to purge the ccache on the client machine so that it obtains a
> new, matching ticket from the KDC.
>
>     KD> Any help is appreciated
>
>     KD> Regards
>
>     KD> Kev
>
> --
>   Richard Silverman
>   r... at qoxp.net

Thanks Richard, is that done using the "C:\Program Files\Resource Kit
\KLIST.EXE" purge" command? If so, I have tried this but it still
isn't working



More information about the Kerberos mailing list