AcceptSecurityContext (SSPI) fails with SEC_E_LOGON_DENIED anda GSS-API Linux client

Paul Moore paul.moore at
Wed Jun 24 14:35:07 EDT 2009

lets get a few basics

a) the gss app runs as some account as far as windows is concerned. 
This has to be an account that exists in AD (since that where all MS
kerberosness flows from)

b) the machine itself has an account in AD
Its called <machinename>$ and is created when the machine joins the

c) Service principal names are associated with AD accounts
you can have several SPNs associated with one account. If you look at
the machine's account you will see
it has several SPNs (host/<machine>, host/<machine>, ...)

SO what does this mean

well you could create an account called foo, add an SPN to it called
bar/wizbang, logon as foo and run the server at a command prompt. This
works fine (if you tell the client to target the bar/wizbang spn), but
lacks a little in convenience

{Note - you cannot target an account the does not have an SPN set on it.
Even if the client was to set the target to 'foo' it would fail - AD
wont let you do it}

You really need to run the server as a service. When you run as a
service you have to say what account it runs under. You have 2 choices
1) run as the machine
2) run as somebody else

1 is very convenient because you don't have to create a special account,
nor do you have to enter its password. 
But it is suggested by many that this breaks the least privilege
concept; you are running as Windows version of 'root', this lays you
open to all sorts of potential hacks if your code isnt 100% safe.
Also you dont have to add SPNs to the machine account - its already got

2 is safe. Run as account with the bare minimum of rights. But you have
to enter the password in the service UI and either
- stop the password from being forcibly changed (not secure)
- change the password regularly and remember to update the service
And you must add SPNs

-----Original Message-----
From: Matthew M. DeLoera [mailto:mdeloera at] 
Sent: Wednesday, June 24, 2009 11:19 AM
To: krbdev at
Subject: Re: AcceptSecurityContext (SSPI) fails with SEC_E_LOGON_DENIED
anda GSS-API Linux client


(hopefully my last list posting didn't pop up twice....)

Ah, I see. I'll experiment with those notes. They leave me with 2 
offhand questions:

- Are there any conventions surrounding using a host principal versus a 
more custom user principal? Would it be preferable to run as the system 
account so that I can use the host principal, or preferable to create 
some service accounts in order to specify something custom like 
"myservice/<machine name>"? Or is it just whatever I feel like?

- Is the reverse question true? If I want to specify a custom service 
class, must I have a corresponding account? If so, could I just use the 
same class name on each server that run my service?

FYI, I don't intend to run my service on domain controllers. I intend 
for the kdc to be external to all systems running my service.

- Matthew

Paul Moore wrote:
> a service has access to the 'keytab' for its own account. SO the
> running under kerbsvr account has no access to the 'keytab' that
> to the system account (the one that belongs to the machine); you were
> trying to authenticate to the system account (host/<machine name>)
> Also another thing to remeber is that you need to have the right
> access from the network ' right set for the on the server machine.
> For regular server and client machines this is OK, but for Domain
> Controllers it is not; DC have this set to a restricted list of
> accounts.

More information about the krbdev mailing list