Windows 2003 Service Tickets and Multiple SPN
anuraggwl at yahoo.com
Mon Dec 8 07:51:44 EST 2008
I am seeing some issues with Windows 2003 KDC.
I create user account in windows 2003 KDC for example user = websvr. I also
selet DES Encryption option in user account properties.
Now i call setspn command for this user account
1) setspn -A HTTP/www.web.com websvr ( SPN1)
2) setspn -A HTTP/proxy.web.com websvr ( SPN2)
I have registered two SPN with websvr account so that user can access my web
application from proxy as well as direct server.
Now i want to generate keytab file containing principal and their keys.
ktpass - princ HTTP/www.web.com@ -out websvr.keytab -pass * -mapuser websvr
-ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt
This command export the key/principal to given file and reset the principal
password in KDC. +dumpSalt option shows which salting KDC ktpass is usjng to
for encryption key. It shows that servicePrincipal + realm (HTTPWWWWEBCOMis
used to get encryption key.
Now again i run the ktpass for second spn.
ktpass - princ HTTP/proxy.web.com -in websvr.keytab -out websvr.keytab -pass
* --ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt
This time i dont call ktpass with mapuser so that i does not update user key
in KDC. i am calling ktpass with in option so that it merge the keytab file
with both spns.
Now my client application request service token for service
HTTP/proxy.web.com and KDC gives the service token encrypted using key
generated by first ktpass command.
On Java Server side code, if i use GSSName as HTTP/www.web.com while
accepting the context then everything works fine. Please note that i have
requested the ticket for "HTTP/proxy.web.com" and server code is validating
user "HTTP/www.web.com" account.
On Java Server side code, if i use GSSName as HTTP/proxy.web.com while
accepting the context then it fails with error "Integrity Validation Failed"
. Please note that i have requested the ticket for "HTTP/proxy.web.com" and
server code is validating user "HTTP/proxy.web.com" account.
It seems that when KDC response to TGS request, it always use the current
master key ( SPN1 + password ) to encrypt the ticket. However, keytab file
contains the key which is generated using ( SPN2+ password ) so because of
this mismatch, ticket encrption fails.
Please let me know how Windows 2003 encrypt the service ticket when there
are multiple SPN's ?
is there a way to generate keytab file containing single encryption key for
all SPN's ?
View this message in context: http://www.nabble.com/Windows-2003-Service-Tickets-and-Multiple-SPN-tp20894740p20894740.html
Sent from the Kerberos - Dev mailing list archive at Nabble.com.
More information about the krbdev