Windows 2003 Service Tickets and Multiple SPN

Anuraggwl anuraggwl at yahoo.com
Mon Dec 8 07:51:44 EST 2008


I am seeing some issues with the Windows 2003 KDC.

I create a user account in the Windows 2003 KDC, for example user = websvr. I also
select the DES Encryption option in the user account properties.

Now I call the setspn command for this user account:

1) setspn -A HTTP/www.web.com websvr (SPN1)

2) setspn -A HTTP/proxy.web.com websvr (SPN2)
 
I have registered two SPNs with the websvr account so that users can access my web
application through the proxy as well as the direct server.

Now I want to generate a keytab file containing the principals and their keys.

ktpass -princ HTTP/www.web.com@ -out websvr.keytab -pass * -mapuser websvr -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt

This command exports the key/principal to the given file and resets the principal's
password in the KDC. The +dumpsalt option shows which salt ktpass is using for
the encryption key. It shows that servicePrincipal + realm (HTTPWWWWEBCOM) is
used to get the encryption key.

Now I run ktpass again for the second SPN.

ktpass -princ HTTP/proxy.web.com -in websvr.keytab -out websvr.keytab -pass * -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt

This time I don't call ktpass with -mapuser, so that it does not update the user's key
in the KDC. I am calling ktpass with the -in option so that it merges the keytab file
with both SPNs.

Now my client application requests a service ticket for the service
HTTP/proxy.web.com, and the KDC gives a service ticket encrypted using the key
generated by the first ktpass command.

On the Java server side, if I use the GSSName HTTP/www.web.com while
accepting the context, then everything works fine. Please note that I have
requested the ticket for "HTTP/proxy.web.com" and the server code is validating
the "HTTP/www.web.com" account.

On the Java server side, if I use the GSSName HTTP/proxy.web.com while
accepting the context, then it fails with the error "Integrity Validation Failed".
Please note that I have requested the ticket for "HTTP/proxy.web.com" and the
server code is validating the "HTTP/proxy.web.com" account.

It seems that when the KDC responds to the TGS request, it always uses the current
master key (SPN1 + password) to encrypt the ticket. However, the keytab file
contains the key which is generated using (SPN2 + password), so because of
this mismatch, ticket encryption fails.

Please let me know how Windows 2003 encrypts the service ticket when there
are multiple SPNs?
 
Is there a way to generate a keytab file containing a single encryption key for
all SPNs?

-- 
View this message in context: http://www.nabble.com/Windows-2003-Service-Tickets-and-Multiple-SPN-tp20894740p20894740.html
Sent from the Kerberos - Dev mailing list archive at Nabble.com.
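The mismatch described in the post comes down to the salt: a keytab entry's key is derived from the password plus a salt, and the KDC only holds one key for the account. The following Python model is an added example, not code from the post or from Windows/ktpass. It assumes a constructed realm and password, uses the RFC 4120 default salt (realm followed by the principal's name components; Windows prints its own salt with +dumpsalt, and that printed value is what matters in practice), derives keys with only the PBKDF2 stage of the RFC 3962 AES string-to-key function, and stands in an HMAC tag for Kerberos' real ticket protection. `build_keytab` models the two ktpass runs (each entry salted with its own SPN); `build_single_key_keytab` models a keytab whose entries all carry the account's one key, which is what the second question asks about.

```python
import hashlib
import hmac

# Constructed values; the realm and password do not appear in the original post.
REALM = "WEB.COM"
SPN1 = "HTTP/www.web.com"
SPN2 = "HTTP/proxy.web.com"
ACCOUNT_PASSWORD = "constructed-password-1"  # what 'ktpass -pass *' set on the account


def default_salt(principal, realm):
    """RFC 4120 default salt: realm then the name components with no separators.
    HTTP/www.web.com@WEB.COM -> 'WEB.COMHTTPwww.web.com'. Windows may salt
    differently; trust the value +dumpsalt prints over this function."""
    return realm + "".join(principal.split("/"))


def string_to_key(password, salt):
    """Salted password-to-key step modelled on the PBKDF2 stage of RFC 3962
    (4096 iterations of PBKDF2-HMAC-SHA1, 16-byte output). The final DK()
    step and the DES-CBC-MD5 string-to-key of RFC 3961 are deliberately not
    reproduced; the point is only that the salt changes the resulting key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 16)


def seal_ticket(service_key, ticket_body):
    """Stand-in for the KDC protecting a service ticket under the service's key.
    Illustrative HMAC-SHA256 tag, not Kerberos' actual encryption or checksum."""
    tag = hmac.new(service_key, ticket_body, hashlib.sha256).digest()
    return ticket_body + tag


def open_ticket(key, sealed):
    """Server side: return the body if the tag verifies under key, else None
    (the analogue of the post's 'Integrity Validation Failed')."""
    body, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def build_keytab(password):
    """Model of the two ktpass runs in the post: each entry keyed with its own SPN's salt."""
    return {spn: string_to_key(password, default_salt(spn, REALM)) for spn in (SPN1, SPN2)}


def build_single_key_keytab(password):
    """Keytab in which every SPN entry carries the same key, derived with the salt
    the account's key was set with (assumed here to be SPN1's salt, as the post reports)."""
    account_key = string_to_key(password, default_salt(SPN1, REALM))
    return {spn: account_key for spn in (SPN1, SPN2)}


def which_entries_verify(keytab, sealed):
    """Return the SPN names whose keytab key can open the sealed ticket."""
    return [spn for spn, key in keytab.items() if open_ticket(key, sealed) is not None]


def simulate(keytab_builder=build_keytab):
    """Client asks for HTTP/proxy.web.com; the KDC seals with the account's single key,
    which the first (-mapuser) ktpass run set using SPN1's salt."""
    keytab = keytab_builder(ACCOUNT_PASSWORD)
    kdc_account_key = string_to_key(ACCOUNT_PASSWORD, default_salt(SPN1, REALM))
    sealed = seal_ticket(kdc_account_key, b"ticket for " + SPN2.encode())
    return which_entries_verify(keytab, sealed)


if __name__ == "__main__":
    print("two-salt keytab, entries that verify:", simulate())
    print("single-key keytab, entries that verify:", simulate(build_single_key_keytab))
```

With the two-salt keytab only the HTTP/www.web.com entry opens a ticket that was requested for HTTP/proxy.web.com, matching the post's observation; with every entry carrying the account key, both names verify. The model says nothing about which salt Windows actually applies, so the check a practitioner should run is to compare the +dumpsalt output of each ktpass run and confirm that the key the KDC holds was derived with the same salt as the keytab entry the server selects by name.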



