Checksum failed problem

Weijun Wang weijun.wang at oracle.com
Wed Mar 30 05:14:52 EDT 2011


Every time you call ktpass.exe to generate a keytab, the key version 
number increments by one, both inside Active Directory and the keytab 
file generated. Therefore, always use the latest keytab file.

Max

On 03/30/2011 04:39 PM, Sarris Overbosch | Everett wrote:
> Hi All,
>
> I'm trying to get single sign on working using kerberos, on my local
> test environment it works like a charm but in the real environment I
> cannot get it to work. The only difference I see so far is this:
> (Environment: Windows 2008 Server as DC, JBoss AS with Negotiation, IE 8)
>
> Local:
> Client Addresses  Null
>          Private Credential: Kerberos Principal
> host/jbossserver at DOMAIN.LOCALKey Version 3key EncryptionKey: keyType=23
> keyBytes (hex dump)=
> 0000: 9C 2E 64 A4 22 2E 9C 6A   40 D8 89 FA 21 30 F5 9C  ..d."..j at ...!0..
>
> Real:
> Client Addresses  Null
>      Private Credential: Kerberos Principal
> host/jbossserver at SHIPYARD.LOCALKey Version 4key EncryptionKey:
> keyType=23 keyBytes (hex dump)=
> 0000: 4F C6 44 97 D0 B8 9C 96   A9 79 5B 87 EB 44 71 33  O.D......y[..Dq3
>
> As you can see the Key Version is different, does anybody know what this
> means and if, why this causes the problem:
>
> 2011-03-30 10:22:13,171 INFO  [STDOUT] (http-0.0.0.0-8888-1) Found key
> for host/jbossserver at SHIPYARD.LOCAL(23)
> 2011-03-30 10:22:13,172 INFO  [STDOUT] (http-0.0.0.0-8888-1) Entered
> Krb5Context.acceptSecContext with state=STATE_NEW
> 2011-03-30 10:22:13,174 INFO  [STDOUT] (http-0.0.0.0-8888-1)>>>  EType:
> sun.security.krb5.internal.crypto.ArcFourHmacEType
> 2011-03-30 10:22:13,175 ERROR [STDERR] (http-0.0.0.0-8888-1) Checksum
> failed !
> 2011-03-30 10:22:13,175 TRACE
> [org.jboss.security.negotiation.spnego.SPNEGOLoginModule]
> (http-0.0.0.0-8888-1) Result - GSSException: Failure unspecified at
> GSS-API level (Mechanism level: Checksum failed)
> 2011-03-30 10:22:13,175 ERROR
> [org.jboss.security.negotiation.spnego.SPNEGOLoginModule]
> (http-0.0.0.0-8888-1) Unable to authenticate
> GSSException: Failure unspecified at GSS-API level (Mechanism level:
> Checksum failed)
>      at
> sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
>      at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
>      at
> sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
>      at
> org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
>      at java.security.AccessController.doPrivileged(Native Method)
>      at javax.security.auth.Subject.doAs(Subject.java:337)
>
> Best regard,
>
> Sarris Overbosch
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos



More information about the Kerberos mailing list