


Problem with kerberos working correct due to 2 Domains gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key table entry not found)

Hi guys,

I've been working on this problem for about 3 days and I can't fix it, and now I have no more ideas:

Customer's environment:
Windows domain with DC where all users are: contoso.local

Sless11 for the web application is in a domain: contoso.lan (this is not a Windows domain - just the server is configured for this)
And that's the problem. I don't know how to manage these two domains.

URL to access the web application is:

When I now try to access the URL http://sless11.contoso.lan/webapp from a Windows machine which is in the domain contoso.local, I get a 401 from Apache with mod_auth_kerb.
In the Apache error log there is:
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1667): [client 192.168.88.129] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1667): [client 192.168.88.129] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1277): [client 192.168.88.129] Acquiring creds for HTTP@sless11.contoso.lan
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1424): [client 192.168.88.129] Verifying client data using KRB5 GSS-API 
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1440): [client 192.168.88.129] Client didn't delegate us their credential
[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1138): [client 192.168.88.129] GSS-API major_status:000d0000, minor_status:96c73ab5
[Thu Apr 03 08:42:36 2014] [error] [client 192.168.88.129] gss_accept_sec_context() failed: Unspecified GSS failure.  Minor code may provide more information (, Key table entry not found)

First question: 
I created a user "aaa" in the domain contoso.local and then I created the keytab file with this syntax:

Ktpass -princ HTTP/sless11.contoso.lan@CONTOSO.LOCAL -ptype KRB5_NT_Principal -mapuser aaa@contoso.local -pass Start123 -crypto AES128-SHA1 -out c:\test.keytab

And my krb5.conf looks like this:

[libdefaults]
        default_realm = CONTOSO.LOCAL
        default_keytab_name = FILE:/etc/apache2/test.keytab
        default_tkt_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
        CONTOSO.LOCAL = {
                kdc = 192.168.88.122
                admin_server = 192.168.88.122
                default_domain = CONTOSO.LOCAL
        }

        CONTOSO.LAN = {
                kdc = 192.168.88.122
                default_domain = CONTOSO.LOCAL
        }

[domain_realm]
        ..contoso.local = CONTOSO.LOCAL
        ..contosov.lan = CONTOSO.LAN


What am I doing wrong???

Thank you!
komarek79
4/3/2014 7:02:33 AM
comp.protocols.kerberos
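
Added example, not part of the original post: a Python sketch that decodes the major/minor status from the mod_auth_kerb log line above and then checks a keytab listing against the three fields a keytab lookup matches on (principal, kvno, enctype). The `klist -kte` output and the ticket values passed to `explain_miss` are constructed samples, and the function names are hypothetical.

```python
import re

# Log line copied from the post above.
LOG_LINE = ("[Thu Apr 03 08:42:36 2014] [debug] src/mod_auth_kerb.c(1138): "
            "[client 192.168.88.129] GSS-API major_status:000d0000, minor_status:96c73ab5")

# Constructed sample of `klist -kte /etc/apache2/test.keytab` output (not from the post).
KLIST_KTE = """\
Keytab name: FILE:/etc/apache2/test.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 04/03/2014 08:30:00 HTTP/sless11.contoso.lan@CONTOSO.LOCAL (aes128-cts-hmac-sha1-96)
"""

KRB5_BASE = 0x96C73A00      # base of the MIT krb5 error table (-1765328384)
KRB5_KT_NOTFOUND = 181      # table offset of "Key table entry not found"
GSS_S_FAILURE = 13          # GSS-API routine error "Unspecified GSS failure"
ROW = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]+)\)\s*$")

def decode_status(log_line):
    """Return (GSS routine error, krb5 error-table offset) from a debug line."""
    m = re.search(r"major_status:([0-9a-f]{8}), minor_status:([0-9a-f]{8})", log_line)
    major, minor = int(m.group(1), 16), int(m.group(2), 16)
    return (major >> 16) & 0xFF, minor - KRB5_BASE

def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) tuples from `klist -kte` output."""
    return [(int(m.group(1)), m.group(2), m.group(3))
            for m in map(ROW.match, text.splitlines()) if m]

def explain_miss(entries, principal, kvno, enctype):
    """Name the first ticket field that has no counterpart in the keytab."""
    same_princ = [e for e in entries if e[1] == principal]  # case-sensitive
    if not same_princ:
        return "principal"  # service name, host name or realm differs
    same_kvno = [e for e in same_princ if e[0] == kvno]
    if not same_kvno:
        return "kvno"       # account key changed after the keytab was exported
    if not any(e[2] == enctype for e in same_kvno):
        return "enctype"    # ticket uses an encryption type the keytab lacks
    return "ok"

if __name__ == "__main__":
    print(decode_status(LOG_LINE))
    entries = parse_keytab_listing(KLIST_KTE)
    # Ticket values are constructed; on a real host they come from `klist -e`.
    print(explain_miss(entries, "HTTP/sless11.contoso.lan@CONTOSO.LOCAL", 3, "arcfour-hmac"))
```

On a real host the ticket side of the comparison comes from running `kvno` for the service principal and then `klist -e` on a client that holds a TGT.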