Windows 2003 Service Tickets and Multiple SPN

I am seeing some issues with Windows 2003 KDC.

I create a user account in the Windows 2003 KDC, for example user = websvr. I also select the DES Encryption option in the user account properties. Now I call the setspn command for this user account:

1) setspn -A HTTP/www.web.com websvr (SPN1)
2) setspn -A HTTP/proxy.web.com websvr (SPN2)

I have registered two SPNs with the websvr account so that users can access my web application through the proxy as well as the direct server.

Now I want to generate a keytab file containing the principals and their keys:

ktpass -princ HTTP/www.web.com@ -out websvr.keytab -pass * -mapuser websvr -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt

This command exports the key/principal to the given file and resets the principal's password in the KDC. The +dumpsalt option shows which salt ktpass is using for the encryption key. It shows that servicePrincipal + realm (HTTPWWWWEBCOM) is used to get the encryption key.

Now I run ktpass again for the second SPN:

ktpass -princ HTTP/proxy.web.com -in websvr.keytab -out websvr.keytab -pass * -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt

This time I don't call ktpass with -mapuser, so that it does not update the user's key in the KDC. I am calling ktpass with the -in option so that it merges the keytab file with both SPNs.

Now my client application requests a service ticket for the service HTTP/proxy.web.com, and the KDC gives a service ticket encrypted using the key generated by the first ktpass command.

On the Java server side, if I use HTTP/www.web.com as the GSSName while accepting the context, then everything works fine. Please note that I have requested the ticket for "HTTP/proxy.web.com" and the server code is validating the "HTTP/www.web.com" account.

On the Java server side, if I use HTTP/proxy.web.com as the GSSName while accepting the context, then it fails with the error "Integrity Validation Failed". Please note that I have requested the ticket for "HTTP/proxy.web.com" and the server code is validating the "HTTP/proxy.web.com" account.

It seems that when the KDC responds to the TGS request, it always uses the current master key (SPN1 + password) to encrypt the ticket. However, the keytab file contains the key which is generated using (SPN2 + password), so because of this mismatch the ticket encryption fails.

Please let me know how Windows 2003 encrypts the service ticket when there are multiple SPNs. Is there a way to generate a keytab file containing a single encryption key for all SPNs?
Re: Windows 2003 Service Tickets and Multiple SPN

[This is really a kerberos@... question, not a krbdev@... question.]

Anuraggwl wrote:
> I am seeing some issues with Windows 2003 KDC.
>
> I create a user account in the Windows 2003 KDC, for example user = websvr. I also
> select the DES Encryption option in the user account properties.

Why not use two accounts in W2k3, websrv-www and websrv-proxy, so each principal has its own key? (Or use RC4, which does not have a salt.) But see below too on how to do it.

> Now I call the setspn command for this user account:
>
> 1) setspn -A HTTP/www.web.com websvr (SPN1)
>
> 2) setspn -A HTTP/proxy.web.com websvr (SPN2)
>
> I have registered two SPNs with the websvr account so that users can access my web
> application through the proxy as well as the direct server.
>
> Now I want to generate a keytab file containing the principals and their keys:
>
> ktpass -princ HTTP/www.web.com@ -out websvr.keytab -pass * -mapuser websvr
> -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt
>
> This command exports the key/principal to the given file and resets the principal's
> password in the KDC. The +dumpsalt option shows which salt ktpass is using
> for the encryption key. It shows that servicePrincipal + realm (HTTPWWWWEBCOM) is
> used to get the encryption key.
>
> Now I run ktpass again for the second SPN:
>
> ktpass -princ HTTP/proxy.web.com -in websvr.keytab -out websvr.keytab -pass
> * -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 +dumpsalt
>
> This time I don't call ktpass with -mapuser, so that it does not update the user's key
> in the KDC. I am calling ktpass with the -in option so that it merges the keytab file
> with both SPNs.
>
> Now my client application requests a service ticket for the service
> HTTP/proxy.web.com, and the KDC gives a service ticket encrypted using the key
> generated by the first ktpass command.
>
> On the Java server side, if I use HTTP/www.web.com as the GSSName while
> accepting the context, then everything works fine. Please note that I have
> requested the ticket for "HTTP/proxy.web.com" and the server code is validating
> the "HTTP/www.web.com" account.
>
> On the Java server side, if I use HTTP/proxy.web.com as the GSSName while
> accepting the context, then it fails with the error "Integrity Validation Failed".
> Please note that I have requested the ticket for "HTTP/proxy.web.com" and
> the server code is validating the "HTTP/proxy.web.com" account.
>
> It seems that when the KDC responds to the TGS request, it always uses the current
> master key (SPN1 + password) to encrypt the ticket. However, the keytab file
> contains the key which is generated using (SPN2 + password), so because of
> this mismatch the ticket encryption fails.
>
> Please let me know how Windows 2003 encrypts the service ticket when there
> are multiple SPNs.
>
> Is there a way to generate a keytab file containing a single encryption key for
> all SPNs?

If you must use DES and share the account, do the ktpass for the first SPN, remembering the salt and kvno, then use the Kerberos ktutil with:

addent -password -p (SPN2) -k (kvno) -e des-cbc-md5:v4

Then for the password, enter the password concatenated with the salt that dumpsalt would have used. This will create the second entry in the keytab, and a klist -e -k -t -K keytab should show the principals have the same key.

-- 
Douglas E. Engert <DEEngert@...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

_______________________________________________
krbdev mailing list
krbdev@...
https://mailman.mit.edu/mailman/listinfo/krbdev
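The mechanics behind both the failure in the question and the ktutil workaround in the reply, as an added worked example (this is not code from either poster, from MIT krb5 or from Microsoft): a Go implementation of mit_des_string_to_key from RFC 3961 section 6.2, the string-to-key used for des-cbc-md5. It is checked against the RFC 3961 appendix A.2 test vector, then used to show two things: the same account password salted with two different salts yields two different DES keys, so a ticket encrypted under the key derived with one SPN's salt cannot be verified with the key derived from the other's; and an empty-salt (the ":v4" salt type) string-to-key of password||salt equals the salted string-to-key of the password alone, which is the identity the ktutil addent trick relies on. The password "Secret123" and the two salts are assumptions for illustration; they follow the default Kerberos salt form (realm name followed by the principal components, no separators), and the real salt is whatever +dumpsalt reports.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// The 16 DES weak and semi-weak keys (odd-parity form). RFC 3961 section 6.2
// fixes a derived key that lands on one of them by XORing its last byte with 0xF0.
var weakKeys = map[string]bool{
	"0101010101010101": true, "fefefefefefefefe": true, "1f1f1f1f0e0e0e0e": true, "e0e0e0e0f1f1f1f1": true,
	"01fe01fe01fe01fe": true, "fe01fe01fe01fe01": true, "1fe01fe00ef10ef1": true, "e01fe01ff10ef10e": true,
	"01e001e001f101f1": true, "e001e001f101f101": true, "1ffe1ffe0efe0efe": true, "fe1ffe1ffe0efe0e": true,
	"011f011f010e010e": true, "1f011f010e010e01": true, "e0fee0fef1fef1fe": true, "fee0fee0fef1fef1": true,
}

// keyCorrection sets odd parity in the low bit of every byte (the form in
// which Kerberos stores DES keys) and then applies the weak-key fix-up.
func keyCorrection(k []byte) {
	for i, b := range k {
		b &= 0xfe
		if bits.OnesCount8(b)%2 == 0 {
			b |= 1
		}
		k[i] = b
	}
	if weakKeys[hex.EncodeToString(k)] {
		k[7] ^= 0xf0
	}
}

// reverse7 reverses the bit order of a 7-bit value.
func reverse7(v byte) byte {
	var r byte
	for i := 0; i < 7; i++ {
		r = r<<1 | v&1
		v >>= 1
	}
	return r
}

// DESStringToKey is mit_des_string_to_key (RFC 3961 section 6.2). The input
// is password||salt, NUL-padded to a multiple of 8. "Fan-fold": each block is
// reduced to the low 7 bits of every byte, every second block is reversed as
// a 56-bit string, and all blocks are XORed together. With parity added that
// is the intermediate key, which DES-CBC-checksums the same padded string
// (IV = key); the last ciphertext block, parity-corrected, is the key.
func DESStringToKey(password, salt string) []byte {
	s := []byte(password + salt)
	for len(s) == 0 || len(s)%8 != 0 {
		s = append(s, 0) // NUL padding; an empty input becomes one zero block
	}
	fold := make([]byte, 8)
	for i := 0; i < len(s); i += 8 {
		blk := s[i : i+8]
		for j := 0; j < 8; j++ {
			if (i/8)%2 == 0 {
				fold[j] ^= blk[j] & 0x7f // forward block
			} else {
				fold[j] ^= reverse7(blk[7-j] & 0x7f) // reversed block
			}
		}
	}
	temp := make([]byte, 8)
	for j := range temp {
		temp[j] = fold[j] << 1 // leave bit 0 free for the parity bit
	}
	keyCorrection(temp)

	block, err := des.NewCipher(temp)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(s))
	cipher.NewCBCEncrypter(block, temp).CryptBlocks(out, s)
	key := append([]byte(nil), out[len(out)-8:]...)
	keyCorrection(key)
	return key
}

// DESStringToKeyHex returns the key as lowercase hex, as klist -K shows it.
func DESStringToKeyHex(password, salt string) string {
	return hex.EncodeToString(DESStringToKey(password, salt))
}

// SameKeyViaV4Salt checks the identity behind "ktutil addent -password -e
// des-cbc-md5:v4": the v4 salt type is an empty salt, so feeding
// password||salt as the "password" reproduces the salted key of password.
func SameKeyViaV4Salt(password, salt string) bool {
	return DESStringToKeyHex(password+salt, "") == DESStringToKeyHex(password, salt)
}

func main() {
	// Assumed values, not from the thread: an account password and salts in the
	// default Kerberos form (realm, then principal components, no separators).
	pw, saltWWW, saltProxy := "Secret123", "WEB.COMHTTPwww.web.com", "WEB.COMHTTPproxy.web.com"
	fmt.Println("RFC 3961 A.2 vector       :", DESStringToKeyHex("password", "ATHENA.MIT.EDUraeburn"))
	fmt.Println("key for HTTP/www.web.com  :", DESStringToKeyHex(pw, saltWWW))
	fmt.Println("key for HTTP/proxy.web.com:", DESStringToKeyHex(pw, saltProxy))
	fmt.Println("v4-salt trick reproduces  :", SameKeyViaV4Salt(pw, saltProxy))
}
```

Run it with go run and compare the hex it prints for the first vector against RFC 3961 appendix A.2 before trusting the rest. In practice the check that matters is the one the reply names: after the ktutil step, klist -e -k -t -K on the keytab should print identical key bytes and kvno for both SPN entries; if the AD key was derived with a salt other than the one you concatenated, the keys will differ and the proxy SPN will keep failing with the integrity error.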