Windows 2003 Service Tickets and Multiple SPNs
I am seeing some issues with the Windows 2003 KDC.
I create a user account in the Windows 2003 KDC, for example user = websvr. I also select the DES Encryption option in the user account properties.
Now I call the setspn command for this user account:
1) setspn -A HTTP/www.web.com websvr (SPN1)
2) setspn -A HTTP/proxy.web.com websvr (SPN2)
I have registered two SPNs with the websvr account so that users can access my web application via the proxy as well as the server directly.
Now I want to generate a keytab file containing the principals and their keys.
ktpass -princ HTTP/www.web.com@ -out websvr.keytab -pass * -mapuser websvr -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt
This command exports the key/principal to the given file and resets the principal's password in the KDC. The dumpsalt option shows which salt ktpass is using for the encryption key. It shows that the servicePrincipal realm (HTTPWWWWEBCOM) is used to get the encryption key.
Now I run ktpass again for the second SPN.
ktpass -princ HTTP/proxy.web.com -in websvr.keytab -out websvr.keytab -pass * -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt
This time I don't call ktpass with -mapuser so that it does not update the user key in the KDC. I am calling ktpass with the -in option so that it merges the keytab file with both SPNs.
Now my client application requests a service ticket for the service HTTP/proxy.web.com and the KDC gives a service ticket encrypted using the key generated by the first ktpass command.
On the Java server side, if I use GSSName HTTP/www.web.com while accepting the context then everything works fine. Please note that I have requested the ticket for "HTTP/proxy.web.com" and the server code is validating the "HTTP/www.web.com" account.
On the Java server side, if I use GSSName HTTP/proxy.web.com while accepting the context then it fails with the error "Integrity Validation Failed". Please note that I have requested the ticket for "HTTP/proxy.web.com" and the server code is validating the "HTTP/proxy.web.com" account.
It seems that when the KDC responds to the TGS request, it always uses the current master key (SPN1 + password) to encrypt the ticket. However, the keytab file contains the key which is generated using (SPN2 + password), so because of this mismatch, ticket encryption fails.
Please let me know how Windows 2003 encrypts the service ticket when there are multiple SPNs.
Is there a way to generate a keytab file containing a single encryption key for all SPNs?
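The scenario in the post can be modelled to see where the mismatch sits. The following is an added example, not code from the post or from any Microsoft or Java tool: it writes and parses an MIT-format keytab (version 0x0502, the layout ktpass also emits), builds one entry per SPN the way two ktpass runs with different -princ values would, and then performs the lookup an acceptor does, picking the keytab key by the service name in the ticket, to show that the entry for HTTP/proxy.web.com holds a different key from the one the KDC derived for the account. The realm WEB.COM, the password, and the RFC 4120 default salt rule (realm followed by the principal components) are assumptions; the key derivation is a PBKDF2 stand-in, not the real des-cbc-md5 string-to-key, chosen only because it depends on the salt in the same way.

```python
"""Constructed example: keytab layout and a salt-driven key mismatch between
the KDC's single account key and a per-SPN keytab entry."""
import hashlib
import struct
from typing import List, NamedTuple, Optional

ENCTYPE_DES_CBC_MD5 = 3      # RFC 3961 enctype number for des-cbc-md5
KRB5_NT_PRINCIPAL = 1        # name type written by ktpass -ptype KRB5_NT_PRINCIPAL
KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 0x0502


class KeytabEntry(NamedTuple):
    realm: str
    components: List[str]    # e.g. ["HTTP", "www.web.com"]
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def encode_entry(e: KeytabEntry) -> bytes:
    body = struct.pack(">H", len(e.components)) + _counted(e.realm.encode())
    for c in e.components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)           # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body  # signed length prefix per entry


def write_keytab(entries: List[KeytabEntry]) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def _read_counted(blob: bytes, pos: int):
    (n,) = struct.unpack_from(">H", blob, pos)
    return blob[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(blob: bytes) -> List[KeytabEntry]:
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        realm, pos = _read_counted(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos)
        (enctype,) = struct.unpack_from(">H", blob, pos + 9)
        key, pos = _read_counted(blob, pos + 11)
        kvno = struct.unpack_from(">I", blob, pos)[0] if end - pos >= 4 else vno8
        entries.append(KeytabEntry(realm.decode(), comps, name_type, ts, kvno, enctype, key))
        pos = end
    return entries


def default_salt(realm: str, components: List[str]) -> str:
    """Assumed RFC 4120 default salt: realm + components, no separators."""
    return realm + "".join(components)


def derive_key(password: str, salt: str) -> bytes:
    """Stand-in string-to-key (PBKDF2-HMAC-SHA1, 8 bytes); NOT the des-cbc-md5
    algorithm of RFC 3961, but like it the result changes whenever the salt does."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 8)


def find_key(entries: List[KeytabEntry], sname: str, enctype: int) -> Optional[bytes]:
    """Acceptor-side lookup: the keytab key whose principal matches the ticket's sname."""
    for e in entries:
        if "/".join(e.components) == sname and e.enctype == enctype:
            return e.key
    return None


REALM, PASSWORD = "WEB.COM", "constructed-example-password"   # assumed values
SPN1, SPN2 = ["HTTP", "www.web.com"], ["HTTP", "proxy.web.com"]


def build_scenario():
    """One account key in the KDC (salted with SPN1); keytab entries salted per SPN."""
    kdc_key = derive_key(PASSWORD, default_salt(REALM, SPN1))
    entries = [
        KeytabEntry(REALM, SPN1, KRB5_NT_PRINCIPAL, 0, 2, ENCTYPE_DES_CBC_MD5, kdc_key),
        KeytabEntry(REALM, SPN2, KRB5_NT_PRINCIPAL, 0, 2, ENCTYPE_DES_CBC_MD5,
                    derive_key(PASSWORD, default_salt(REALM, SPN2))),
    ]
    return kdc_key, parse_keytab(write_keytab(entries))   # round-trip through the file format


def ticket_key_matches(sname: str) -> bool:
    """True when the key the acceptor selects for sname equals the key the KDC used."""
    kdc_key, entries = build_scenario()
    return find_key(entries, sname, ENCTYPE_DES_CBC_MD5) == kdc_key


if __name__ == "__main__":
    for name in ("HTTP/www.web.com", "HTTP/proxy.web.com"):
        print(name, "->", "key matches KDC" if ticket_key_matches(name) else "MISMATCH")
```

Run against a real keytab, parse_keytab shows exactly which principal, enctype and kvno each entry carries, which is the first thing to compare against what the KDC reports for the account when an acceptor raises an integrity error.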