On Tue, Jan 20, 2009 at 3:20 PM, Michael Ströder <mich...@stroeder.com> wrote:
> [debug] src/mod_auth_kerb.c(1247): [client 10.1.1.5] Acquiring creds for HTTP/nb2.stroeder.lo...@dom2.adtest.local
> [debug] src/mod_auth_kerb.c(1392): [client 10.1.1.5] Verifying client data using KRB5 GSS-API
> [debug] src/mod_auth_kerb.c(1408): [client 10.1.1.5] Client didn't delegate us their credential
> [debug] src/mod_auth_kerb.c(1108): [client 10.1.1.5] GSS-API major_status:000d0000, minor_status:96c73a1f
> [error] [client 10.1.1.5] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Decrypt integrity check failed)
The "Decrypt integrity check failed" error means that the GSS service located an entry in the keytab file with the target SPN but the encryption key, key version number or encryption type was not exactly the same as that used to encrypt the service ticket. If this error occurs while you're trying to install or update the HTTP service account, it's a good bet that the cause is an old cached HTTP service ticket on the client. Meaning the cached ticket was encrypted with an old encryption key, key version number, encryption type combination.

To fix this problem, you simply need to purge your client credential cache (such as by logging off and back on) or wait long enough for the ticket to expire. That will force the client to reacquire a new ticket generated with the most current encryption key, key version number and encryption type.

One tool that is helpful with examining your client credential cache and with purging tickets is the kerbtray.exe utility from the Resource Kit Tools package available through MS' website. Run kerbtray.exe and then right click on its bright green systray icon and select "purge tickets". Whenever you run ktpass it's usually a good idea to purge your client's tickets.

If this does not solve your problem then you should run ktpass again and note the encryption key and key version number (the encryption type should be the default which is RC4). Then recopy the keytab and verify with ktutil that the encryption key and key version number are in fact correct.

To get delegation to work with Firefox, you must go into about:config and add the servername or domain name to network.negotiate-auth.delegation-uris property.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
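The post advises verifying with ktutil that the keytab's key version number and encryption type match what ktpass produced. As an added example (not code from the post, from mod_auth_kerb or from ktutil), here is a small Python reader for the MIT keytab format (version 0x0502) that lists each entry's principal, kvno and enctype and checks them against expected values; the SPN, kvno and key bytes in the sample are constructed placeholders.

```python
import io
import struct

ENCTYPES = {23: "arcfour-hmac", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}  # RFC 3961 numbers; 23 is RC4, the ktpass default the post mentions

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as a MIT keytab, format version 0x0502."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno, present in 0x0502
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [{'principal', 'kvno', 'enctype'}] for every live entry in a 0x0502 keytab."""
    assert data[:2] == b"\x05\x02", "only keytab format version 0x0502 is handled"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:                      # negative size marks a deleted slot
            pos += -size or len(data)      # skip it; a zero-length record ends parsing
            continue
        buf, pos = io.BytesIO(data[pos:pos + size]), pos + size
        rd = lambda fmt: struct.unpack(fmt, buf.read(struct.calcsize(fmt)))
        (ncomp,) = rd(">H")
        realm = buf.read(rd(">H")[0]).decode()
        comps = [buf.read(rd(">H")[0]).decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = rd(">IIB")
        enctype, klen = rd(">HH")
        buf.read(klen)                     # the key bytes are not needed to check kvno/enctype
        tail = buf.read(4)                 # optional 32-bit kvno; a non-zero value overrides vno8
        kvno = struct.unpack(">I", tail)[0] if len(tail) == 4 and tail != b"\0\0\0\0" else vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype))})
    return entries

def keytab_matches(data, spn, kvno, enctype):
    """True only if an entry for spn carries exactly the kvno and enctype the KDC used for the ticket."""
    return any(e["principal"] == spn and e["kvno"] == kvno and e["enctype"] == enctype for e in parse_keytab(data))

# Constructed sample: hypothetical SPN, kvno 3, RC4 (enctype 23) key of placeholder bytes, not a real key.
SAMPLE_KEYTAB = build_keytab([("HTTP/web.example.test@EXAMPLE.TEST", 3, 23, b"\x11" * 16)])
```

On a real server, pass the bytes of the keytab file to parse_keytab and compare the listed kvno and enctype with the values ktpass printed; a mismatch on either is the keytab-side cause of "Decrypt integrity check failed".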