Windows 2003 Service Tickets and Multiple SPN

Douglas E. Engert deengert at anl.gov
Mon Dec 8 16:28:50 EST 2008 

[This is really a krberos at mit.edu question not a krbdev at mit.edu question.]

Anuraggwl wrote:
> I am seeing some issues with Windows 2003 KDC. 
> 
> I create user account in windows 2003 KDC for example user = websvr. I also
> selet DES Encryption option in user account properties.

Why not use two accounts in W2k3 websrv-www and websrv-proxy , so each
principal has its own key?

(Or use rc4 which does not have a salt.)

But see below too on how to do it.


> 
> Now i call setspn command for this user account 
> 
> 1) setspn -A HTTP/www.web.com websvr ( SPN1) 
> 
> 2) setspn -A HTTP/proxy.web.com websvr ( SPN2) 
>  
> I have registered two SPN with websvr account so that user can access my web
> application from proxy as well as direct server.
> 
> Now i want to generate keytab file containing principal and their keys.
> 
> ktpass - princ HTTP/www.web.com@ -out websvr.keytab -pass * -mapuser websvr
> -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt
> 
> This command export the key/principal to given file and reset the principal
> password in KDC. +dumpSalt option shows which salting KDC ktpass is usjng to
> for encryption key. It shows that servicePrincipal + realm (HTTPWWWWEBCOMis
> used to get encryption key.
> 
> Now again i run the ktpass for second spn.
> 
> ktpass - princ HTTP/proxy.web.com -in websvr.keytab -out websvr.keytab -pass
> * --ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt
> 
> This time i dont call ktpass with mapuser so that i does not update user key
> in KDC. i am calling ktpass with in option so that it merge the keytab file
> with both spns.
> 
> Now my client application request service token for service
> HTTP/proxy.web.com and KDC gives the service token encrypted using key
> generated by first ktpass command. 
> 
> On Java Server side code, if i use GSSName as HTTP/www.web.com while
> accepting the context then everything works fine. Please note that i have
> requested the ticket for "HTTP/proxy.web.com" and server code is validating
> user "HTTP/www.web.com" account. 
> 
> On Java Server side code, if i use GSSName as HTTP/proxy.web.com while
> accepting the context then it fails with error "Integrity Validation Failed"
> . Please note that i have requested the ticket for "HTTP/proxy.web.com" and
> server code is validating user "HTTP/proxy.web.com" account.
> 
> It seems that when KDC response to TGS request, it always use the current
> master key ( SPN1 + password ) to encrypt the ticket. However, keytab file
> contains the key which is generated using ( SPN2+ password ) so because of
> this mismatch, ticket encrption fails.
> 
> Please let me know how Windows 2003 encrypt the service ticket when there
> are multiple SPN's  ?
>  
> is there a way to generate keytab file containing single encryption key for
> all SPN's ? 

If you must use DES, and share the account, do the ktpass for the first
SPN, remembering the salt and kvno then use use the kerberos ktutil with
addent -password -p (SPN2) -k (kvno) -e des-cbc-md5:v4
Then for the password enter the password concatenated with the salt that
the dumpsalt would have used.

This will create the second entry in the keytab, and a klist -e -k -t -K keytab
should show the principals have the same key.



-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list