Could you help me to resolve the Kerberos error?
Zhutiemin
zhutiemin at huawei.com
Thu Jun 20 05:30:40 EDT 2013
Vipin:
Thank you very much for your reply.
I find that there are some errors in the Windows Application log.
Could you tell me how to resolve it?
This is the error log:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cxt23001$. The target name used was HOST/CXT23001.china.huawei.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server.
This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (CHINA.HUAWEI.COM) is different from the client domain (CHINA.HUAWEI.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
-----Original Message-----
From: Vipin Rathor [mailto:v.rathor at gmail.com]
Sent: June 20, 2013 14:08
To: Zhutiemin
Cc: kerberos at mit.edu
Subject: Re: Could you help me to resolve the Kerberos error?
Your application is looking for such a service principal (misspelled?)
which does not exist in keytab and/or KDC database.
Also, it will be helpful for all of us if you can state the scenario
that you are trying and the setup that you have.
On Thu, Jun 20, 2013 at 10:31 AM, Zhutiemin <zhutiemin at huawei.com> wrote:
> Dear MIT Kerberos Team:
>
> My name is Tiemin Zhu, I am a software engineer of Huawei corporation.
>
> I am getting the following error with Kerberos Authentication. Could you help me to resolve this error?
> But the result of LDAP Authentication is OK.
>
> Is this the configuration error in AD?
>
> Do you have any document I could study?
>
> Thanks so much!
>
> This is the error:
> [2013-05-25 03:34:01,765]--[ERROR]--[pool-1-thread-39]--[AdServiceImpl.java run() 920] - search fail.
> javax.naming.AuthenticationException: GSSAPI [Root exception is javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]]
> at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source)
> at com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source)
> at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
> at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
> at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
> at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
> at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
> at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
> at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
> at javax.naming.InitialContext.init(Unknown Source)
> at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
> at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:892)
> at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl$GetSidByIpForPrivilege.run(AdServiceImpl.java:854)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Unknown Source)
> at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByIp(AdServiceImpl.java:824)
> at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByDomain(AdServiceImpl.java:787)
> at com.huawei.vds.service.platform.vdesktop.service.impl.AdServiceImpl.getSidByMachineName(AdServiceImpl.java:734)
> at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createInstance(CombineCreateInstanceTask.java:740)
> at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.createVm(CombineCreateInstanceTask.java:655)
> at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.combineCreateInstance(CombineCreateInstanceTask.java:503)
> at com.huawei.vds.service.platform.vdesktop.task.CombineCreateInstanceTask.run(CombineCreateInstanceTask.java:317)
> at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
> at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
> at java.util.concurrent.FutureTask.run(Unknown Source)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(Unknown Source)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> at com.huawei.vds.common.utils.threadpool.VDSThreadFactory$Task.run(VDSThreadFactory.java:92)
> at java.lang.Thread.run(Unknown Source)
> Caused by: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))]
> at com.sun.security.sasl.gsskerb.GssKrb5Client.evaluateChallenge(Unknown Source)
> ... 32 more
> Caused by: GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
> at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
> at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> at sun.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
> ... 33 more
> Caused by: KrbException: Server not found in Kerberos database (7)
> at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
> at sun.security.krb5.KrbTgsReq.getReply(Unknown Source)
> at sun.security.krb5.internal.CredentialsUtil.serviceCreds(Unknown Source)
> at sun.security.krb5.internal.CredentialsUtil.acquireServiceCreds(Unknown Source)
> at sun.security.krb5.Credentials.acquireServiceCreds(Unknown Source)
> ... 36 more
> Caused by: KrbException: Identifier doesn't match expected value (906)
> at sun.security.krb5.internal.KDCRep.init(Unknown Source)
> at sun.security.krb5.internal.TGSRep.init(Unknown Source)
> at sun.security.krb5.internal.TGSRep.<init>(Unknown Source)
>
>
> Best regards!
>
> phone. +86 02989184490
> mobile. +86 15249061480
> email. zhutiemin at huawei.com
> Tiemin Zhu
>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
--
-Rathor
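The Application-log text in this message names two SPN conditions behind KRB_AP_ERR_MODIFIED (the SPN registered on the wrong account, or on more than one), and error (7) in the Java trace is what a KDC returns when no account holds the requested SPN. As an added example, not part of the original thread: a short Python audit over an LDIF export of `sAMAccountName` and `servicePrincipalName` that tells the three cases apart. The sample data, the `svc-example` account, `portal.example.test` and the function names are constructed, and attribute values are assumed to be plain text rather than base64.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): LDIF-style export of two accounts.
# "svc-example" and "portal.example.test" are invented for illustration.
SAMPLE_LDIF = """\
dn: CN=CXT23001,CN=Computers,DC=china,DC=huawei,DC=com
sAMAccountName: CXT23001$
servicePrincipalName: HOST/CXT23001
servicePrincipalName: HOST/CXT23001.china.huawei.com

dn: CN=svc-example,CN=Users,DC=china,DC=huawei,DC=com
sAMAccountName: svc-example
servicePrincipalName: host/cxt23001.CHINA.HUAWEI.COM
servicePrincipalName: HTTP/portal.example.test
"""

def parse_spns(ldif):
    """Map each SPN (lower-cased) to the set of accounts that register it."""
    ldif = re.sub(r"\r?\n ", "", ldif)  # unfold LDIF continuation lines
    owners = defaultdict(set)
    for record in re.split(r"\n\s*\n", ldif.strip()):
        account, spns = "<unknown>", []
        for line in record.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip().lower()
            if key == "samaccountname":
                account = value
            elif key == "serviceprincipalname":
                spns.append(value)  # AD compares SPNs case-insensitively
        for spn in spns:
            owners[spn].add(account)
    return owners

def diagnose(owners, target_spn, service_account):
    """Classify target_spn against the account the service really runs as."""
    holders = owners.get(target_spn.lower(), set())
    if not holders:
        return "missing"        # KDC has no such server: error (7)
    if holders == {service_account.lower()}:
        return "ok"
    if service_account.lower() in holders:
        return "duplicate"      # SPN also registered on another account
    return "wrong-account"      # ticket is encrypted with another account's key

if __name__ == "__main__":
    owners = parse_spns(SAMPLE_LDIF)
    print(diagnose(owners, "HOST/CXT23001.china.huawei.com", "CXT23001$"))
```

On a Windows domain member, `setspn -Q <SPN>` and `setspn -X` answer the same two questions (who holds this SPN, and which SPNs are duplicated) against the live directory.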