Windows 2003 Service Tickets and Multiple SPN
Douglas E. Engert
deengert at anl.gov
Mon Dec 8 16:28:50 EST 2008
[This is really a krberos at mit.edu question not a krbdev at mit.edu question.]
> I am seeing some issues with Windows 2003 KDC.
> I create user account in windows 2003 KDC for example user = websvr. I also
> selet DES Encryption option in user account properties.
Why not use two accounts in W2k3 websrv-www and websrv-proxy , so each
principal has its own key?
(Or use rc4 which does not have a salt.)
But see below too on how to do it.
> Now i call setspn command for this user account
> 1) setspn -A HTTP/www.web.com websvr ( SPN1)
> 2) setspn -A HTTP/proxy.web.com websvr ( SPN2)
> I have registered two SPN with websvr account so that user can access my web
> application from proxy as well as direct server.
> Now i want to generate keytab file containing principal and their keys.
> ktpass - princ HTTP/www.web.com@ -out websvr.keytab -pass * -mapuser websvr
> -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt
> This command export the key/principal to given file and reset the principal
> password in KDC. +dumpSalt option shows which salting KDC ktpass is usjng to
> for encryption key. It shows that servicePrincipal + realm (HTTPWWWWEBCOMis
> used to get encryption key.
> Now again i run the ktpass for second spn.
> ktpass - princ HTTP/proxy.web.com -in websvr.keytab -out websvr.keytab -pass
> * --ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt
> This time i dont call ktpass with mapuser so that i does not update user key
> in KDC. i am calling ktpass with in option so that it merge the keytab file
> with both spns.
> Now my client application request service token for service
> HTTP/proxy.web.com and KDC gives the service token encrypted using key
> generated by first ktpass command.
> On Java Server side code, if i use GSSName as HTTP/www.web.com while
> accepting the context then everything works fine. Please note that i have
> requested the ticket for "HTTP/proxy.web.com" and server code is validating
> user "HTTP/www.web.com" account.
> On Java Server side code, if i use GSSName as HTTP/proxy.web.com while
> accepting the context then it fails with error "Integrity Validation Failed"
> . Please note that i have requested the ticket for "HTTP/proxy.web.com" and
> server code is validating user "HTTP/proxy.web.com" account.
> It seems that when KDC response to TGS request, it always use the current
> master key ( SPN1 + password ) to encrypt the ticket. However, keytab file
> contains the key which is generated using ( SPN2+ password ) so because of
> this mismatch, ticket encrption fails.
> Please let me know how Windows 2003 encrypt the service ticket when there
> are multiple SPN's ?
> is there a way to generate keytab file containing single encryption key for
> all SPN's ?
If you must use DES, and share the account, do the ktpass for the first
SPN, remembering the salt and kvno then use use the kerberos ktutil with
addent -password -p (SPN2) -k (kvno) -e des-cbc-md5:v4
Then for the password enter the password concatenated with the salt that
the dumpsalt would have used.
This will create the second entry in the keytab, and a klist -e -k -t -K keytab
should show the principals have the same key.
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
More information about the krbdev