second keytab for similar service (but different SPN/IP) breaks the first

Chris chriscorbell at gmail.com
Tue Jun 2 19:12:17 EDT 2009


This is perhaps a little higher-level problem than Kerberos proper but
I wanted to at least see if I was taking the correct approach as far
as Kerberos is concerned.

I have a service - it's a kerberized java webservice with a very
specific function, and it does GSSAPI validation of client login
requests, where the clients have obtained tickets to my service.  It's
working fine with either Microsoft AD or Apple Open Directory (MIT
Kerberos) - basically I create an account for the service, create an
SPN in the form servicename/ip-address@REALM, and then generate a
keytab for the SPN which gets configured for JAAS on the service host
machine.

What I can't seem to do with this approach is to generate keytabs for
two service instances in the same realm, e.g. if two different
departments each want their own deployment of my service.  With the
keytab tools included in both Microsoft AD and Apple Open Directory
(MIT), just generating an additional keytab for a different SPN (but
the same directory service account) breaks the authentication of the
first one.

In step-by-step terms:
- my service is called "fooservice", I create an AD or OD account
called "fooservice"
- I add an SPN for fooservice using this name plus the IP address and
realm, e.g. "fooservice/ip-addr-1@REALM"
- I generate a keytab for this SPN and add it to fooservice running on
ip-addr-1; everything is working, clients can authenticate
- I add another SPN for fooservice because I want to run another
fooservice on a different machine, "fooservice/ip-addr-2@REALM"
- I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1
stops working (can no longer establish its own credentials based on
keytab, & therefore can't accept client contexts). It seems to be
actually generating the keytab file - not just adding an additional
SPN - that does this. However I can at this point use the new keytab
for the fooservice running on ip-addr-2.

So it seems that with both Active Directory's Kerberos and Open
Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
kerberized on different IP addresses against distinct SPNs associated
with the same service account... but there are numerous examples on
the web of this being done e.g. with a single "http" account and
multiple "http/ip-addr..." SPNs for multiple web servers on your
network.

Am I right in thinking what I'm trying should be possible, and if so
is there some nuance of generating the keytab that I'm not following
that causes the first keytab to stop working?

Many thanks.
- Chris
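The symptom in the post is what you see when a keytab's entry for a principal no longer carries the key version (kvno) the KDC is currently using: the KDC encrypts each service ticket under the principal's current key, so an older keytab entry cannot decrypt it. Cutting a fresh keytab typically re-keys the principal (MIT kadmin's `ktadd` randomizes the key and bumps the kvno by default), and when two SPNs share one account, re-keying for the second SPN invalidates the file cut for the first. The first diagnostic step is therefore to look at the kvno and key in each keytab and compare them with what the KDC reports (`kvno service/instance@REALM`). The following added example, not part of this thread, does that check offline: it parses MIT-format (0x0502) keytab files, reports kvno per entry, and flags entries whose kvno differs from the KDC's current one. The realm EXAMPLE.COM, the "ip-addr-1"/"ip-addr-2" instances, the key bytes and the KDC kvno values are all constructed for the demonstration.

```python
"""Inspect MIT-format (v2, 0x0502) keytab files and flag entries whose kvno
no longer matches what the KDC currently uses.  Added example; the keytab
bytes below are constructed in code, not taken from any real deployment."""
import struct
from typing import Dict, List, NamedTuple


class KeytabEntry(NamedTuple):
    principal: str   # "service/instance@REALM"
    kvno: int
    enctype: int     # e.g. 18 = aes256-cts-hmac-sha1-96, 23 = rc4-hmac
    key: bytes


def _counted(data: bytes, off: int):
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse the MIT keytab layout: 0x0502 header, then int32-sized records
    (negative size = deleted slot) holding principal, name type, timestamp,
    8-bit kvno, keyblock and an optional trailing 32-bit kvno."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                # 32-bit kvno extension present
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, kvno, enctype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the same layout (used here to construct sample files)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, e.kvno & 0xFF)   # NT-PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                  # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def stale_entries(entries: List[KeytabEntry], kdc_kvno: Dict[str, int]) -> List[KeytabEntry]:
    """Entries whose kvno differs from the KDC's current kvno for that principal
    (the value `kvno service/instance@REALM` reports).  Service tickets are
    encrypted under the current key, so these entries can no longer decrypt them."""
    return [e for e in entries
            if e.principal in kdc_kvno and e.kvno != kdc_kvno[e.principal]]


# Constructed scenario mirroring the thread: the first keytab was cut at kvno 3,
# the second after the shared account was re-keyed to kvno 4.
OLD_KEY, NEW_KEY = b"\x11" * 32, b"\x22" * 32        # placeholder AES-256 keys
FIRST = build_keytab([KeytabEntry("fooservice/ip-addr-1@EXAMPLE.COM", 3, 18, OLD_KEY)])
SECOND = build_keytab([KeytabEntry("fooservice/ip-addr-2@EXAMPLE.COM", 4, 18, NEW_KEY)])
KDC_NOW = {"fooservice/ip-addr-1@EXAMPLE.COM": 4,   # constructed: what the KDC would report now
           "fooservice/ip-addr-2@EXAMPLE.COM": 4}


def diagnose() -> Dict[str, List[str]]:
    """Principals in each keytab whose entry the KDC would now reject."""
    return {name: [e.principal for e in stale_entries(parse_keytab(kt), KDC_NOW)]
            for name, kt in (("first", FIRST), ("second", SECOND))}


if __name__ == "__main__":
    for name, kt in (("first", FIRST), ("second", SECOND)):
        for e in parse_keytab(kt):
            print(f"{name}: {e.principal} kvno={e.kvno} enctype={e.enctype}")
    print("stale:", diagnose())
```

Run against real files, `parse_keytab(open(path, "rb").read())` gives the same view as `klist -kte` but lets you compare the two files programmatically. If the first keytab's entry sits at a lower kvno than the second's while both map to one account, the account was re-keyed by the second generation, which explains the first instance failing. The usual remedies are to cut one keytab containing entries for every SPN of the account in a single operation, or to give each deployment its own account so the two cannot re-key each other.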