second keytab for similar service (but different SPN/IP) breaks the first

Douglas E. Engert deengert at anl.gov
Wed Jun 3 13:58:41 EDT 2009



Chris wrote:
> This is perhaps a little higher-level problem than Kerberos proper but
> I wanted to at least see if I was taking the correct approach as far
> as Kerberos is concerned.
> 
> I have a service - it's a kerberized java webservice with a very
> specific function, and it does GSSAPI validation of client login
> requests, where the clients have obtained tickets to my service.  It's
> working fine with either Microsoft AD or Apple Open Directory (MIT
> Kerberos) - basically I create an account for the service, create an
> SPN in the form servicename/ip-address@REALM, and then generate a
> keytab for the SPN which gets configured for JAAS on the service host
> machine.

ip-address? or hostname? Kerberos normally uses hostnames.

> 
> What I can't seem to do with this approach is to generate keytabs for
> two service instances in the same realm, e.g. if two different
> departments each want their own deployment of my service.  With the
> keytab tools included in both Microsoft AD and Apple Open Directory
> (MIT), just generating an additional keytab for a different SPN (but
> the same directory service account) breaks the authentication of the
> first one.

Use two different directory service accounts, one for each instance.
Follow some pattern for the account name like foo-host.

There is only one password on the account and it is used to generate
the key for all SPNs on the account.


> 
> In step-by-step terms:
> - my service is called "fooservice", I create an AD or OD account
> called "fooservice"
> - I add an SPN for fooservice using this name plus the IP address and
> realm, e.g. "fooservice/ip-addr-1@REALM"
> - I generate a keytab for this SPN and add it to fooservice running on
> ip-addr-1; everything is working, clients can authenticate
> - I add another SPN for fooservice because I want to run another
> fooservice on a different machine, "fooservice/ip-addr-2@REALM"
> - I generate a keytab for fooservice/ip-addr-2; fooservice/ip-addr-1
> stops working (can no longer establish its own credentials based on
> keytab, & therefore can't accept client contexts). It seems to be
> actually generating the keytab file - not just adding an additional
> SPN - that does this. However I can at this point use the new keytab
> for the fooservice running on ip-addr-2.
> 
> So it seems that with both Active Directory's Kerberos and Open
> Directory's (MIT) Kerberos I cannot have two instances of "fooservice"
> kerberized on different IP addresses against distinct SPN's associated
> with the same service account... but there are numerous examples on
> the web of this being done e.g. with a single "http" account and
> multiple "http/ip-addr..." SPN's for multiple web servers on your
> network.
> 
> Am I right in thinking what I'm trying should be possible, and if so
> is there some nuance of generating the keytab that I'm not following
> that causes the first keytab to stop working?
> 
> Many thanks.
> - Chris
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

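A check that goes with the point above about one key per account: every keytab entry carries the key version number (kvno) it was exported at, and the behaviour Chris describes (the first keytab dies the moment the second is generated) is what you see when the export tooling resets the account's key and bumps the kvno, since both SPNs sit on the same account and therefore the same key. Comparing the kvno inside a keytab with the kvno the KDC currently issues for that principal (what the `kvno` command reports, or what `klist -kt` shows on a freshly exported keytab) tells you whether a keytab has been left behind. The Python below is an added example, not code from this thread or from MIT Kerberos: it parses the MIT keytab file format (version 0x0502), builds two constructed keytabs for `fooservice/host1.example.com` and `fooservice/host2.example.com` in a constructed realm `EXAMPLE.COM`, and flags the stale one against a constructed table of KDC-side kvnos that stands in for `kvno` output. With Douglas's fix (one account per instance) the two accounts have independent kvnos and neither export disturbs the other.

```python
"""Added example: parse MIT-format keytabs (version 0x0502) and flag entries
whose kvno is behind the kvno the KDC now issues for that principal.
Keytab bytes, hostnames, realm and kvno values below are constructed."""
import struct
from dataclasses import dataclass


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int     # 18 = aes256-cts-hmac-sha1-96
    key: bytes
    timestamp: int


def _build_entry(realm, components, name_type, timestamp, kvno, enctype, key, vno32=True):
    """Serialise one keytab entry; vno32=False omits the trailing 32-bit kvno field."""
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for comp in components:
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    if vno32:
        body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    """entries: tuples matching _build_entry's positional arguments."""
    return b"\x05\x02" + b"".join(_build_entry(*e) for e in entries)


def parse_keytab(data):
    """Return the live KeytabEntry records in a version-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        pos += 4
        realm = data[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            pos += 2
            comps.append(data[pos:pos + clen].decode())
            pos += clen
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, timestamp))
    return entries


def stale_entries(keytab_bytes, kdc_kvnos):
    """Entries whose kvno is lower than the kvno the KDC reports for the same principal
    (kdc_kvnos: principal -> current kvno, e.g. collected from the `kvno` command)."""
    return [e for e in parse_keytab(keytab_bytes)
            if e.principal in kdc_kvnos and e.kvno < kdc_kvnos[e.principal]]


REALM = "EXAMPLE.COM"                       # constructed realm
HOST1 = f"fooservice/host1.example.com@{REALM}"
HOST2 = f"fooservice/host2.example.com@{REALM}"

# Keytab exported first, while the shared "fooservice" account was at kvno 2.
KEYTAB_HOST1 = build_keytab([
    (REALM, ["fooservice", "host1.example.com"], 1, 1243970000, 2, 18, b"\x11" * 32, False),
])
# Keytab exported later for the second SPN on the same account: the export reset the
# account key, so it carries kvno 3 and different key material.
KEYTAB_HOST2 = build_keytab([
    (REALM, ["fooservice", "host2.example.com"], 1, 1244040000, 3, 18, b"\x22" * 32),
])
# What `kvno` would now report: one account, one key, so both SPNs are at kvno 3.
KDC_KVNOS = {HOST1: 3, HOST2: 3}

if __name__ == "__main__":
    for name, kt in (("host1", KEYTAB_HOST1), ("host2", KEYTAB_HOST2)):
        for e in parse_keytab(kt):
            print(f"{name}: {e.principal} kvno={e.kvno} enctype={e.enctype}")
        stale = [e.principal for e in stale_entries(kt, KDC_KVNOS)]
        print(f"{name}: stale entries -> {stale}")
```

Run it and the host1 keytab is reported stale (kvno 2 against a KDC at kvno 3) while host2 is current; that is exactly the state Chris describes, where ip-addr-2 works and ip-addr-1 can no longer acquire its credentials. On a real host, feed `stale_entries` the kvno values from `kvno fooservice/host1.example.com` and compare them with `klist -kt /etc/krb5.keytab`; a keytab that falls behind has been re-keyed out from under it.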