apache sso "failed to verify krb5 credentials: Bad encryption type"

Jean-Yves Avenard jyavenard at gmail.com
Thu Feb 17 17:45:44 EST 2011


On 17 February 2011 04:34, Dream Soul <dream4soul at gmail.com> wrote:

> 192.168.53.143] Trying to verify authenticity of KDC using principal
> HTTP/dispute.DOMAIN.md at MAIN.DOMAIN.MD
> [Mon Feb 14 14:18:38 2011] [debug] src/mod_auth_kerb.c(652): [client
> 192.168.53.143] krb5_rd_req() failed when verifying KDC
> [Mon Feb 14 14:18:38 2011] [error] [client 192.168.53.143] failed to
> verify krb5 credentials: Bad encryption type
> [Mon Feb 14 14:18:38 2011] [debug] src/mod_auth_kerb.c(1073): [client
> 192.168.53.143] kerb_authenticate_user_krb5pwd ret=401 user=(NULL)
> authtype=(NULL)
> [Mon Feb 14 14:18:38 2011] [debug] mod_deflate.c(615): [client
> 192.168.53.143] Zlib: Compressed 484 to 327 : URL /index.php
>
>
> I know that it is an encryption problem, but where do I fix it?

Bad encryption type, in my experience, can mean various things: an
incorrect password, incorrect kvno, incorrect entry, etc.

First I'd check that the kvno of the principals stored on the KDC
matches the one you put in the keytab used by Apache.
Also check your DNS entries to make sure both forward and reverse
entries point to the same machine.

With mod_auth_kerb, and depending on the web browser the client uses,
the principal used may also vary, especially if using virtual hosts,
or if the name of the web service is different from the name of the
machine.

For example, I have a machine called server4.domain.com; it runs a web
service, intranet.domain.com.
I found that, depending on the web browser, sometimes it would use
HTTP/intranet.domain.com and sometimes HTTP/server4.domain.com, so I
had to have both in the keytab as well as on the KDC.

Hope that helps
JY
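
The kvno and principal checks suggested in the reply above, as an added example that is not part of the original message: it compares `klist -kte` output for the Apache keytab with `kvno` output from the KDC for both service names. The sample outputs, the realm DOMAIN.COM and the function names are constructed for illustration.

```python
import re

# Constructed sample of `klist -kte <keytab>` output (MIT layout), not from the thread.
KLIST_OUT = """\
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   3 02/14/2011 14:02:11 HTTP/server4.domain.com@DOMAIN.COM (aes256-cts-hmac-sha1-96)
   3 02/14/2011 14:02:11 HTTP/server4.domain.com@DOMAIN.COM (arcfour-hmac)
   2 01/10/2011 09:30:00 HTTP/intranet.domain.com@DOMAIN.COM (arcfour-hmac)
"""
# Constructed sample of `kvno <principal> ...` output, run after kinit.
KVNO_OUT = """\
HTTP/server4.domain.com@DOMAIN.COM: kvno = 3
HTTP/intranet.domain.com@DOMAIN.COM: kvno = 4
"""
# Both names a browser might request, per the reply; realm DOMAIN.COM is assumed.
EXPECTED = ["HTTP/server4.domain.com@DOMAIN.COM", "HTTP/intranet.domain.com@DOMAIN.COM"]

KEYTAB_ROW = re.compile(r"^\s*(\d+)\s+.*?(\S+@\S+)\s+\((.+)\)\s*$")
KVNO_ROW = re.compile(r"^(\S+@\S+): kvno = (\d+)\s*$")

def parse_keytab(text):
    """Map principal -> {kvno: [enctype, ...]} from klist -kte output."""
    entries = {}
    for line in text.splitlines():
        m = KEYTAB_ROW.match(line)
        if m:
            kvno, princ, etype = int(m.group(1)), m.group(2), m.group(3)
            entries.setdefault(princ, {}).setdefault(kvno, []).append(etype)
    return entries

def parse_kvno(text):
    """Map principal -> kvno the KDC currently issues."""
    return {m.group(1): int(m.group(2)) for m in map(KVNO_ROW.match, text.splitlines()) if m}

def check(expected, klist_text, kvno_text):
    """Return principal -> finding for every expected service principal."""
    keytab, kdc = parse_keytab(klist_text), parse_kvno(kvno_text)
    report = {}
    for princ in expected:
        if princ not in keytab:
            report[princ] = "missing from keytab"
        elif princ not in kdc:
            report[princ] = "no service ticket obtained from KDC"
        elif kdc[princ] not in keytab[princ]:
            report[princ] = "kvno mismatch: keytab %s, KDC %d" % (sorted(keytab[princ]), kdc[princ])
        else:
            report[princ] = "ok: " + ", ".join(keytab[princ][kdc[princ]])
    return report
```

Calling `check(EXPECTED, KLIST_OUT, KVNO_OUT)` on the constructed data flags the intranet principal, whose keytab entry is older than the key the KDC now issues.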