Beginner Kerberos question - problem with spnego authentication with webserver

Michael B Allen ioplex at gmail.com
Wed Jun 22 23:01:14 EDT 2016


On Wed, Jun 22, 2016 at 6:41 PM, JSoet <jordan.soet at ca.ibm.com> wrote:
> sure where to look next to solve it. When running the flask webserver I get
> this error when it tries to do the authGSSServerInit call:
> GSSError: (('Unspecified GSS failure.  Minor code may provide more
> information', 851968), ('', 100004))
<snip>
> [root@TestCentOSGui testFlask]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 HTTP/TestCentOSGui.Test.local@TEST.LOCAL

Hi Jordan,

That's a pretty wild principal name. I don't think the caps should
cause a problem but it is vitally important that you use the full
principal name in the URL like:

  http://TestCentOSGui.Test.local/whatever

or this *should* work equally well:

  http://testcentosgui.test.local/whatever

But if you did just http://testcentosgui/whatever it would not work
unless the client does the right canonicalization.

Also, when you're setting up a new account, it is not uncommon to have
a stale ticket with the wrong kvno (principal version number). In this
case, you'll want to purge tickets on the client and try again. I
always liked kerbtray.exe for this but MS has been updating these
utilities so it might be difficult to locate.

Kerberos is pretty sensitive so the list of things to check is:

1) clients must be joined to the domain
2) clients must have direct access to a suitable domain controller
3) time on all 3 hosts (client, server and DC) must be synchronized
4) the user has to be actually logged into their workstation as the domain user
5) the numerous DNS records have to be exactly correct
6) services have to have good keys with principal names that match said
DNS records
7) Kerberos tickets cannot be "stale" (use kerbtray.exe to purge on clients)

But in your case it sounds like the client is initiating auth which
means it's getting a ticket so it's more likely to be 3, 5, 6 or 7.

This all assumes that this "flask" thing knows about SPNEGO (would be
useless without it).

Later,

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
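An offline pre-flight check for items 3, 5, 6 and 7 of Mike's list, as an added example that is not code from the thread or from the flask/python-kerberos setup Jordan is using. It assumes the usual HTTP/<fqdn>@<REALM> service principal convention and the MIT `klist -k` output format quoted above; the keytab listing and clock values embedded below are constructed sample data, and the "case-only" classification is a caveat worth verifying rather than a statement about any particular acceptor.

```python
"""Pre-flight checks for an HTTP SPNEGO acceptor: does the URL host yield the SPN
the keytab actually holds, is the clock within the skew window, and is the
client's cached ticket at the keytab's key version. Added example; assumptions
and sample data are labelled inline."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# `klist -k` data rows look like "   3 HTTP/host@REALM"; the header and the
# dashed separator rows do not start with a number, so they are skipped.
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")

# MIT krb5's default clockskew is 300 seconds (assumption: default config).
MAX_CLOCK_SKEW = timedelta(seconds=300)


def parse_klist_keytab(text):
    """Parse `klist -k` output into a list of (kvno, principal) tuples."""
    rows = (KLIST_ROW.match(line) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in rows if m]


def expected_http_principal(url, realm):
    """Service principal a browser will request from the KDC for `url`.

    Returns None for a short (dotless) host name: the client would have to
    canonicalize it to an FQDN itself, which is the unreliable case (item 5).
    """
    host = urlsplit(url).hostname  # note: .hostname lowercases the host
    if not host:
        raise ValueError(f"no host in URL: {url}")
    if "." not in host:
        return None
    return f"HTTP/{host}@{realm.upper()}"


def keytab_match(expected, entries):
    """'exact' if the keytab holds `expected` verbatim, 'case-only' if an entry
    differs only in case (AD resolves SPNs case-insensitively; whether the
    acceptor's keytab lookup does is worth checking), otherwise 'none'."""
    principals = [p for _, p in entries]
    if expected in principals:
        return "exact"
    if expected.lower() in (p.lower() for p in principals):
        return "case-only"
    return "none"


def clock_skew_ok(local_time, dc_time, max_skew=MAX_CLOCK_SKEW):
    """Item 3: authenticators outside the skew window are rejected."""
    return abs(local_time - dc_time) <= max_skew


def ticket_kvno_current(entries, principal, ticket_kvno):
    """Item 7: a cached ticket encrypted under an older key version cannot be
    decrypted with the current keytab; the fix is to purge the client cache."""
    return any(p == principal and kvno == ticket_kvno for kvno, p in entries)


def preflight(url, realm, klist_output, local_time, dc_time):
    """Run the checks and return a list of findings (empty list means clean)."""
    findings = []
    expected = expected_http_principal(url, realm)
    if expected is None:
        findings.append("URL uses a short hostname; use the FQDN so the client requests the right SPN")
    else:
        status = keytab_match(expected, parse_klist_keytab(klist_output))
        if status == "none":
            findings.append(f"no keytab entry for {expected}; add HTTP/<fqdn> to the keytab")
        elif status == "case-only":
            findings.append(f"keytab entry for {expected} differs only by case; verify the acceptor matches it")
    if not clock_skew_ok(local_time, dc_time):
        findings.append(f"clock skew exceeds {MAX_CLOCK_SKEW.total_seconds():.0f}s; sync time with the DC")
    return findings


# Constructed sample: the keytab listing from the thread plus a 6-minute skew.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/TestCentOSGui.Test.local@TEST.LOCAL
"""

if __name__ == "__main__":
    now = datetime(2016, 6, 22, 23, 1, 14, tzinfo=timezone.utc)
    for url in ("http://TestCentOSGui.Test.local/whatever", "http://testcentosgui/whatever"):
        for finding in preflight(url, "TEST.LOCAL", SAMPLE_KLIST, now, now + timedelta(minutes=6)):
            print(f"{url}: {finding}")
```

Run it on the server next to the real `klist -k` output and a timestamp fetched from the DC; an empty finding list narrows the remaining suspects to DNS (item 5) and the client's ticket cache (item 7), which `ticket_kvno_current` covers once you know the kvno of the cached ticket.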

