Checksum failed problem

Sarris Overbosch | Everett sarris.overbosch at everett.nl
Wed Mar 30 05:23:15 EDT 2011


Hi,

So I just got this keytab from the administrator so it should be the
latest (he made it based on my documentation) and thus this version
issue is not the cause of the checksum failed, but what is the cause
then :'(

Thanx for your reply Max.

Br,

Sarris

On 30-03-11 11:14, Weijun Wang wrote:
> Every time you call ktpass.exe to generate a keytab, the key version
> number increments by one, both inside Active Directory and the keytab
> file generated. Therefore, always use the latest keytab file.
>
> Max
>
> On 03/30/2011 04:39 PM, Sarris Overbosch | Everett wrote:
>> Hi All,
>>
>> I'm trying to get single sign on working using kerberos, on my local
>> test environment it works like a charm but in the real environment I
>> cannot get it to work. The only difference I see so far is this:
>> (Environment: Windows 2008 Server as DC, JBoss AS with Negotiation,
>> IE 8)
>>
>> Local:
>> Client Addresses  Null
>>          Private Credential: Kerberos Principal
>> host/jbossserver at DOMAIN.LOCALKey Version 3key EncryptionKey: keyType=23
>> keyBytes (hex dump)=
>> 0000: 9C 2E 64 A4 22 2E 9C 6A   40 D8 89 FA 21 30 F5 9C 
>> ..d."..j at ...!0..
>>
>> Real:
>> Client Addresses  Null
>>      Private Credential: Kerberos Principal
>> host/jbossserver at SHIPYARD.LOCALKey Version 4key EncryptionKey:
>> keyType=23 keyBytes (hex dump)=
>> 0000: 4F C6 44 97 D0 B8 9C 96   A9 79 5B 87 EB 44 71 33 
>> O.D......y[..Dq3
>>
>> As you can see the Key Version is different, does anybody know what this
>> means and if, why this causes the problem:
>>
>> 2011-03-30 10:22:13,171 INFO  [STDOUT] (http-0.0.0.0-8888-1) Found key
>> for host/jbossserver at SHIPYARD.LOCAL(23)
>> 2011-03-30 10:22:13,172 INFO  [STDOUT] (http-0.0.0.0-8888-1) Entered
>> Krb5Context.acceptSecContext with state=STATE_NEW
>> 2011-03-30 10:22:13,174 INFO  [STDOUT] (http-0.0.0.0-8888-1)>>>  EType:
>> sun.security.krb5.internal.crypto.ArcFourHmacEType
>> 2011-03-30 10:22:13,175 ERROR [STDERR] (http-0.0.0.0-8888-1) Checksum
>> failed !
>> 2011-03-30 10:22:13,175 TRACE
>> [org.jboss.security.negotiation.spnego.SPNEGOLoginModule]
>> (http-0.0.0.0-8888-1) Result - GSSException: Failure unspecified at
>> GSS-API level (Mechanism level: Checksum failed)
>> 2011-03-30 10:22:13,175 ERROR
>> [org.jboss.security.negotiation.spnego.SPNEGOLoginModule]
>> (http-0.0.0.0-8888-1) Unable to authenticate
>> GSSException: Failure unspecified at GSS-API level (Mechanism level:
>> Checksum failed)
>>      at
>> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>>
>>      at
>> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>>
>>      at
>> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>>
>>      at
>> org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
>>
>>      at java.security.AccessController.doPrivileged(Native Method)
>>      at javax.security.auth.Subject.doAs(Subject.java:337)
>>
>> Best regard,
>>
>> Sarris Overbosch
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos




More information about the Kerberos mailing list