Wrong principal in request error on gss_accept_sec_context()

Xie, Hugh hugh.xie at bankofamerica.com
Tue Feb 3 14:15:17 EST 2015


It has nothing to do with keytabs. The problem seems to go away once we use setspn to create the SPN under the same Unix account in AD. The SPN mapping does exist from host->HTTP, so in theory we should not have to create the SPN. Anyway, I need to raise this question with Microsoft unless you know of another resource for looking at AD/MIT KRB5.

-----Original Message-----
From: Greg Hudson [mailto:ghudson at mit.edu] 
Sent: Thursday, January 15, 2015 11:49 PM
To: Xie, Hugh; '<kerberos at mit.edu>'
Subject: Re: Wrong principal in request error on gss_accept_sec_context()

On 01/15/2015 05:18 PM, Xie, Hugh wrote:
> I upgraded the version of krb5 lib to version 1.13. Got more specific error:
> Request ticket server HTTP/ 
> host2.site123.baml.com at COMMON.BANKOFAMERICA.COM kvno 15 enctype 
> rc4-hmac found in keytab but cannot decrypt ticket
>
> Any idea?

Whatever procedure you are using to generate the keytab entry is not generating the same key as the one present on the KDC.

I am not personally very familiar with creating keytabs for use with Active Directory KDCs, but I know a lot of people use msktutil for that purpose, rather than ktutil.
