GSS-API error gss_accept_sec_context: Request ticket server HTTP/ not found in keytab

Kerberos Enthusiast kerberos.enthusiast at gmail.com
Fri Nov 11 10:33:51 EST 2022


Hello Kerberos,

It seems, if multiple servers supply separate keytabs, then the
subsequent kerberos auth request targeted for multiple kerberos servers
with separate keytabs and application keep on
updating "default_keytab_name" global variable and it causes some of the
authentication requests to fail and it throws this error


*"GSS-API error gss_accept_sec_context: Request ticket server HTTP/ not
found in keytab" *(major code - 186a5, d0000)

Using this api *krb5_gss_register_acceptor_identity() *to set the default
keytab file for kerberos authentication.

It seems to be a single global keytab file used by the krb5 library.
Can we use any other gss_api to maintain the local context of the keytab
file and send this keytab for every authentication request?

 Thanks,

On Fri, 11 Nov 2022 at 19:20, Kerberos Enthusiast <
kerberos.enthusiast at gmail.com> wrote:

> Hello Kerberos,
>
> I am trying to make a windows client authenticate with an authentication
> server(using AD machine for KDC) to access multiple services.
> There is a multiple keytab file per authentication server.
>
> But I'm facing this error below, while this does not occur every time, it
> occurred when sending multiple authentication requests (around 200
> requests) for the same service from different client machines while users
> are already domain users.
>
>
> *GSS-API error gss_accept_sec_context: Request ticket server HTTP/ not
> found in keytab*
> Probability of this issue occurring is around 20% only.
>
> Using GSS-API to acquire cred : gss_acquire_cred().
> For loading keytab file : krb5_gss_register_acceptor_idennntity().
>
> How can we resolve this?
> Can we use any other GSS-API in place of this?
>
> Thanks,
>


More information about the Kerberos mailing list