mod_auth_kerb: gss_accept_sec_context() failed

Michael B Allen ioplex at gmail.com
Wed Jan 21 02:16:04 EST 2009


On Tue, Jan 20, 2009 at 3:20 PM, Michael Ströder <michael at stroeder.com> wrote:
> [debug] src/mod_auth_kerb.c(1247): [client 10.1.1.5] Acquiring creds for
> HTTP/nb2.stroeder.local at DOM2.ADTEST.LOCAL
> [debug] src/mod_auth_kerb.c(1392): [client 10.1.1.5] Verifying client
> data using KRB5 GSS-API
> [debug] src/mod_auth_kerb.c(1408): [client 10.1.1.5] Client didn't
> delegate us their credential
> [debug] src/mod_auth_kerb.c(1108): [client 10.1.1.5] GSS-API
> major_status:000d0000, minor_status:96c73a1f
> [error] [client 10.1.1.5] gss_accept_sec_context() failed: Unspecified
> GSS failure.  Minor code may provide more information (, Decrypt
> integrity check failed)

The "Decrypt integrity check failed" error means that the GSS service
located an entry in the keytab file with the target SPN but the
encryption key, key version number or encryption type was not exactly
the same as that used to encrypt the service ticket.

If this error occurs while you're trying to install or update the HTTP
service account, it's a good bet that the cause is an old cached HTTP
service ticket on the client. Meaning the cached ticket was encrypted
with an old encryption key, key version number and encryption type
combination. To fix this problem, you simply need to purge your client
credential cache (such as by logging off and back on) or wait long
enough for the ticket to expire. That will force the client to
reacquire a new ticket generated with the most current encryption key,
key version number and encryption type.

One tool that is helpful with examining your client credential cache
and with purging tickets is the kerbtray.exe utility from the Resource
Kit Tools package available through MS' website. Run kerbtray.exe and
then right click on its bright green systray icon and select "purge
tickets". Whenever you run ktpass it's usually a good idea to purge
your client's tickets.

If this does not solve your problem then you should run ktpass again
and note the encryption key and key version number (the encryption
type should be the default, which is RC4). Then recopy the keytab and
verify with ktutil that the encryption key and key version number are
in fact correct.

To get delegation to work with Firefox, you must go into about:config
and add the servername or domain name to
network.negotiate-auth.delegation-uris property.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
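The keytab check the post describes (confirm that the entry for the HTTP SPN carries the kvno and encryption type the ticket was issued with), as an added example that is not part of the thread or of mod_auth_kerb. It parses the MIT 0x0502 keytab layout that ktutil and klist -k read; the function names, the sample keytab and the key bytes are constructed here, and the ticket's kvno and enctype are passed in as the values you would note from ktpass output or from klist -e on the client.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac (RC4)"}

def parse_keytab(data):
    """Parse an MIT 0x0502 keytab into (principal, kvno, enctype, key) tuples."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                              # negative size = deleted slot, skip it like klist -k
            pos -= size
            continue
        body, off, names = data[pos:pos + size], 2, []
        for _ in range(struct.unpack(">H", body[:2])[0] + 1):  # realm first, then each component
            (n,) = struct.unpack(">H", body[off:off + 2]); off += 2
            names.append(body[off:off + n].decode()); off += n
        off += 8                                  # name_type (4 bytes) + timestamp (4 bytes)
        kvno = body[off]; off += 1                # 8-bit key version number
        enctype, klen = struct.unpack(">HH", body[off:off + 4]); off += 4
        key = body[off:off + klen]; off += klen
        if off + 4 <= size:                       # optional 32-bit kvno overrides vno8 when non-zero
            kvno = struct.unpack(">I", body[off:off + 4])[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype, key))
        pos += size
    return entries

def check_spn(entries, spn, ticket_kvno, ticket_enctype):
    """The post's diagnosis: SPN is present, but its kvno or enctype differ from the ticket's."""
    hits = [e for e in entries if e[0] == spn]
    if not hits:
        return [f"no entry for {spn} (a missing key is a different failure than an integrity error)"]
    problems = []
    for _, kvno, etype, _ in hits:
        if kvno != ticket_kvno:
            problems.append(f"kvno mismatch: keytab {kvno}, ticket {ticket_kvno}")
        if etype != ticket_enctype:
            problems.append(f"enctype mismatch: keytab {ENCTYPES.get(etype, etype)}, ticket {ENCTYPES.get(ticket_enctype, ticket_enctype)}")
    return problems

def build_entry(spn, realm, kvno, enctype, key):
    """Constructed test data only: serialise one entry in the layout parse_keytab reads."""
    parts = [realm] + spn.split("/")
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed keytab for the SPN in the thread: kvno 3, RC4 enctype, placeholder key bytes (not a real key)
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("HTTP/nb2.stroeder.local", "DOM2.ADTEST.LOCAL", 3, 23, b"\x11" * 16)
```

An empty list from check_spn means the keytab matches the ticket and the cause lies elsewhere; a kvno mismatch against a freshly run ktpass is the stale-ticket case the post describes.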