second keytab for similar service (but different SPN/IP) breaks the first

Tom Yu tlyu at MIT.EDU
Wed Jun 3 12:01:04 EDT 2009


Chris <chriscorbell at gmail.com> writes:

> This is perhaps a little higher-level problem than Kerberos proper but
> I wanted to at least see if I was taking the correct approach as far
> as Kerberos is concerned.
>
> I have a service - it's a kerberized java webservice with a very
> specific function, and it does GSSAPI validation of client login
> requests, where the clients have obtained tickets to my service.  It's
> working fine with either Microsoft AD or Apple Open Directory (MIT
> Kerberos) - basically I create an account for the service, create an
> SPN in the form servicename/ip-address at REALM, and then generate a
> keytab for the SPN which gets configured for JAAS on the service host
> machine.
>
> What I can't seem to do with this approach is to generate keytabs for
> two service instances in the same realm, e.g. if two different
> departments each want their own deployment of my service.  With the
> keytab tools included in both Microsoft AD and Apple Open Directory
> (MIT), just generating an additional keytab for a different SPN (but
> the same directory service account) breaks the authentication of the
> first one.
>
> In step-by-step terms:
> - my service is called "fooservice", I create an AD or OD account
> called "fooservice"
> - I add an SPN for fooservice using this name plus the IP address and
> realm, e.g. "fooservice/ip-addr-1 at REALM"
> - I generate a keytab for this SPN and add it to fooservice running on
> ip-addr-1; everything is working, clients can authenticate
> - I add another SPN for fooservice because I want to run another
> fooservice on a different machine, "fooservice/ip-addr-2 at REALM"
> - I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1
> stops working (can no longer establish its own credentials based on
> keytab, & therefore can't accept client contexts). It seems to be
> actually generating the keytab file - not just adding an additional
> SPN - that does this. However I can at this point use the new keytab
> for the fooservice running on ip-addr-2.
>
> So it seems that with both Active Directory's Kerberos and Open
> Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> kerberized on different IP addresses against distinct SPN's associated
> with the same service account... but there are numerous examples on
> the web of this being done e.g. with a single "http" account and
> multiple "http/ip-addr..." SPN's for multiple web servers on your
> network.
>
> Am I right in thinking what I'm trying should be possible, and if so
> is there some nuance of generating the keytab that I'm not following
> that causes the first keytab to stop working?

The process for generating keytabs has historically taken great pains
to generate a completely new random key.  Being able to generate a
keytab containing the existing key is a security risk, as it allows
for the undetected compromise of any further authentication or
communications using that key.

It seems that AD and OD are treating the two instances of "fooservice"
as the same account, and thus making them have the same key.  If there
are two computers running different instances of a similar service,
shouldn't they have different computer accounts?
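As an added diagnostic that is not part of this thread: a small parser for the MIT version-2 keytab layout, plus a check that flags entries whose kvno is behind the KDC's current kvno for that principal, which is exactly what a keytab left behind by a re-randomised account key looks like. The principals, kvnos and keys are constructed here, and `kdc_kvno` is assumed to have been obtained out of band (for example from the MIT `kvno` tool or from the service account's `msDS-KeyVersionNumber` attribute in AD).

```python
import struct
# MIT keytab v2 (magic 0x0502). Entry: int32 size, uint16 ncomp, realm, components (each a
# uint16-length string), uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype,
# uint16 keylen, key, then an optional uint32 kvno that overrides vno8 when non-zero.

def _cstr(data, off):
    n, = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode(), off + 2 + n

def build_keytab(entries):  # constructed keytab bytes from [(principal, kvno, enctype, key)]
    out = bytearray(b"\x05\x02")
    for princ, vno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        strs = b"".join(struct.pack(">H", len(s)) + s for s in map(str.encode, [realm, *comps]))
        body = struct.pack(">H", len(comps)) + strs + struct.pack(">IIBHH", 1, 0, vno & 0xFF, etype, len(key))
        out += struct.pack(">i", len(body) + len(key) + 4) + body + key + struct.pack(">I", vno)
    return bytes(out)

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key)] from keytab bytes."""
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    off, entries = 2, []
    while off < len(data):
        size, = struct.unpack_from(">i", data, off)
        off, end = off + 4, off + 4 + abs(size)
        if size > 0:  # a negative size marks a deleted slot, which is skipped
            ncomp, = struct.unpack_from(">H", data, off)
            realm, off = _cstr(data, off + 2)
            comps = []
            for _ in range(ncomp):
                c, off = _cstr(data, off)
                comps.append(c)
            _, _, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
            key, off = data[off + 13:off + 13 + klen], off + 13 + klen
            vno32 = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0
            entries.append(("/".join(comps) + "@" + realm, vno32 or vno8, etype, key))
        off = end
    return entries

def stale_entries(keytab_bytes, kdc_kvno):
    """Entries whose kvno is behind the KDC's (kdc_kvno: principal -> current kvno, obtained out of band)."""
    return [(p, v, kdc_kvno[p]) for p, v, _, _ in parse_keytab(keytab_bytes)
            if p in kdc_kvno and v < kdc_kvno[p]]
# Constructed scenario: keytab 1 was issued at kvno 2; generating keytab 2 for the second SPN
# on the same account re-randomised the account key, so the KDC is now at kvno 3 for both.
SPN1, SPN2 = "fooservice/ip-addr-1@EXAMPLE.COM", "fooservice/ip-addr-2@EXAMPLE.COM"
KEYTAB_1 = build_keytab([(SPN1, 2, 17, b"\x11" * 16)])
KEYTAB_2 = build_keytab([(SPN2, 3, 17, b"\x22" * 16)])
KDC_KVNO = {SPN1: 3, SPN2: 3}
```

Running `stale_entries` over a real keytab (`open(path, "rb").read()`) with the kvnos the KDC reports tells you which service instances will fail to decrypt tickets before clients start complaining.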
