Wrong principal in request error on gss_accept_sec_context()

Xie, Hugh hugh.xie at bankofamerica.com
Thu Jan 15 17:18:25 EST 2015


I upgraded the version of krb5 lib to version 1.13. Got a more specific error:
Request ticket server HTTP/ host2.site123.baml.com at COMMON.BANKOFAMERICA.COM kvno 15 enctype rc4-hmac found in keytab but cannot decrypt ticket

Any idea?

-----Original Message-----
From: Xie, Hugh 
Sent: Thursday, January 15, 2015 10:38 AM
To: Greg Hudson; '<kerberos at mit.edu>'
Subject: RE: Wrong principal in request error on gss_accept_sec_context()

Kvno returns 15. I created a new entry HTTP/host2.site123.baml.com @ COMMON.BANKOFAMERICA.COM in keytab with kvno = 15. I still get the same "wrong principal error" 

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Xie, Hugh
Sent: Monday, January 05, 2015 9:37 PM
To: Greg Hudson; '<kerberos at mit.edu>'
Subject: RE: Wrong principal in request error on gss_accept_sec_context()

1. /efs/dist/kerberos/mit/1.11.5/exec/bin/klist -k -t $KRB5_KTNAME
Keytab name: FILE: /tmp/myacct.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/17/2014 15:30:08 myacct at COMMON.BANKOFAMERICA.COM

2. This is the Windows client output recorded at the time:
Cached Tickets: (2)

#0>     Client: winlogin @ COMMON.BANKOFAMERICA.COM
        Server: krbtgt/COMMON.BANKOFAMERICA.COM @ COMMON.BANKOFAMERICA.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authen
        Start Time: 12/18/2014 13:13:36 (local)
        End Time:   12/18/2014 22:13:36 (local)
        Renew Time: 12/28/2014 13:13:36 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)


#1>     Client: winlogin @ COMMON.BANKOFAMERICA.COM
        Server: HTTP/host2.site123.baml.com @ COMMON.BANKOFAMERICA.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 12/18/2014 13:13:36 (local)
        End Time:   12/18/2014 21:33:36 (local)
        Renew Time: 12/28/2014 13:13:36 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)

3. What is the equivalent command on Windows?

-----Original Message-----
From: Greg Hudson [mailto:ghudson at mit.edu]
Sent: Monday, January 05, 2015 5:12 PM
To: Xie, Hugh; '<kerberos at mit.edu>'
Subject: Re: Wrong principal in request error on gss_accept_sec_context()

On 01/05/2015 04:04 PM, Xie, Hugh wrote:
> Any follow-up on this issue? Do you need any more information? Should I turn on the debugger to see where this error occurred? If yes, I need some pointers on which files to set breakpoints in.

I'm a bit confused by the information given so far, and I think some of my questions weren't clear enough.  Let's start over.

For the non-working server only:

1. On the server, run "klist -k" (or "klist -k -t /path/to/keytab" if the server is using a special keytab location).  What is the output?

2. On the client, run kinit so that you have a fresh credential cache, then try to connect.  Then run klist.  Other than krbtgt/COMMON.BANKOFAMERICA.COM at COMMON.BANKOFAMERICA.COM, what service principal appears in the output?

3. On the client, run "kvno SPRINC", where SPRINC is the answer to question 2.  What is the output?

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
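
The keytab lookup behind the "klist -k" and "kvno" questions in this thread, as an added example that is not part of the original messages and is not MIT krb5 code: it parses a version 0x0502 keytab file and reports whether it holds a key for a given principal, kvno and enctype. The function names and the all-zero sample keys are constructed for illustration; the principals, kvno values and rc4-hmac (enctype 23) are the ones quoted in the thread.

```python
import struct

def counted(buf, off):
    """Read a 16-bit length-prefixed string; return (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size > 0:  # a negative size marks a deleted slot to skip
            (ncomp,) = struct.unpack_from(">H", data, off)
            names, p = [], off + 2
            for _ in range(ncomp + 1):  # realm first, then name components
                text, p = counted(data, p)
                names.append(text)
            kvno, enctype, klen = struct.unpack_from(">BHH", data, p + 8)
            p += 13 + klen  # 8 = name type + timestamp, 5 = kvno/enctype/length
            if off + size - p >= 4:  # optional 32-bit kvno trailer
                kvno = struct.unpack_from(">I", data, p)[0] or kvno
            entries.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        off += abs(size)
    return entries

def check(entries, principal, kvno, enctype):
    """Report whether the keytab has the key a ticket names."""
    keys = [(k, e) for p, k, e in entries if p == principal]
    if not keys:
        return "principal not in keytab"
    if (kvno, enctype) not in keys:
        return "no key with this kvno and enctype"
    return "entry present; a decrypt failure means the key bytes differ"

def make_entry(principal, kvno, enctype, key=bytes(16)):
    """Build one constructed record; the all-zero key is not a real secret."""
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(t)) + t.encode() for t in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

FIRST = b"\x05\x02" + make_entry("myacct@COMMON.BANKOFAMERICA.COM", 2, 23)  # constructed
SECOND = FIRST + make_entry("HTTP/host2.site123.baml.com@COMMON.BANKOFAMERICA.COM", 15, 23)
```

A matching principal, kvno and enctype only shows that the right slot exists; the parser cannot tell whether the stored key equals the one the KDC used to encrypt the ticket.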
