Decrypt integrity check failed

Help
Brian Deng
2006-01-18
2013-04-16
  • Brian Deng
    2006-01-18

    I believe I've set up my keytab correctly; however, I'm getting the following in the Apache log when I try to authenticate:

    [Wed Jan 18 15:05:49 2006] [error] [client 192.168.0.110] mod_spnego: gss_accept_sec_context failed; GSS-API: Miscellaneous failure)
    [Wed Jan 18 15:05:49 2006] [error] [client 192.168.0.110] mod_spnego: gss_accept_sec_context failed; GSS-API mechanism: Decrypt integrity check failed)

    Any ideas as to what the problem might be? I verified that kpasswd works on my Linux server (where Apache is running). I'm using Apache 2.0.52 on RedHat Linux (2.4.21-27.EL) with Kerberos version 1.2.7-31.

    Thanks in advance,
    -Brian

    • Markus Moeller
      2006-01-19

      Can you set the Apache LogLevel to debug to get more detailed messages? I assume you didn't get a Kerberos token but an NTLM token.

      Regards
      Markus

      • Brian Deng
        2006-01-19

        I don't think it's an NTLM token; how can I find out for sure? Here's some additional logging
        (I added a log statement to write out the Kerberos token, or at least part of it):

        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: entering handleSpnegoToken
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: parseSpnegoInitialToken succeeded
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: entering handleKerberosToken
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: KRB5 service name is HTTP
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: service name HTTP selected
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: gss_import_name succeeded
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: KRB5 key tab file is /usr/local/nProcess/Apache/conf/aragorn.http.keytab
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: set KRB5_KTNAME to /usr/local/nProcess/Apache/conf/aragorn.http.keytab
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: serverName is HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: released server name
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: gss_acquire_cred succeeded
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: inputKerberosToken length: 2555
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: inputKerberosToken: `\x82\t\xf7\x06\t*\x86H\x86\xf7\x12\x01\x02\x02\x01
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: released credential
        [Thu Jan 19 06:35:23 2006] [error] [client 192.168.0.110] mod_spnego: gss_accept_sec_context failed; GSS-API: Miscellaneous failure)
        [Thu Jan 19 06:35:23 2006] [error] [client 192.168.0.110] mod_spnego: gss_accept_sec_context failed; GSS-API mechanism: Decrypt integrity check failed)
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: released output token
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: handleKerberosToken returned 500
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: handleSpnegoToken returned 500
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: WWW-Authenticate value is "Negotiate YB4GBisGAQUFAqEUMBKgAwoBAKELBgkqhkiG9xIBAgI="
        [Thu Jan 19 06:35:23 2006] [info] [client 192.168.0.110] mod_spnego: authenticateUser returning 500

    • Markus Moeller
      2006-01-19

      Can you do the following check on the keytab?

      kinit -k -t /usr/local/nProcess/Apache/conf/aragorn.http.keytab HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL

      to see if the keytab entry is valid. Do you use DES or RC4?

      Markus

      • Brian Deng
        2006-01-19

        That returns:
        kinit(v5): Client not found in Kerberos database while getting initial credentials

        I am using DES (at least that's what I've specified on my Active Directory account).
        klist -e -k -t shows:
           1 12/31/69 16:00:00 HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL (DES cbc mode with RSA-MD5)

        What have I done wrong?

        Thanks,
        -B

        • Brian Deng
          2006-01-26

          More information on kinit. I was able to get kinit to work with the host principal, but not the HTTP principal. For example,

          kinit -k -t /etc/krb5.keytab host/aragorn.nexprise.com works fine.

          kinit -k -t /etc/krb5.keytab HTTP/aragorn.nexprise.com fails with the message:
          kinit(v5): Client not found in Kerberos database while getting initial credentials

          klist shows:
          [root@aragorn logs]# klist -e -k
          Keytab name: FILE:/etc/krb5.keytab
          KVNO Principal
          ---- --------------------------------------------------------------------------
             1 host/aragorn.nexprise.com@MYCOMPANY.LOCAL (DES cbc mode with CRC-32)
             1 HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL (DES cbc mode with CRC-32)
          [root@aragorn logs]# klist -e
          Ticket cache: FILE:/tmp/krb5cc_0
          Default principal: host/aragorn.nexprise.com@MYCOMPANY.LOCAL

          Valid starting     Expires            Service principal
          01/26/06 07:23:55  01/26/06 17:23:55  krbtgt/MYCOMPANY.LOCAL@MYCOMPANY.LOCAL
                  Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5

          Kerberos 4 ticket cache: /tmp/tkt0
          klist: You have no tickets cached
          [root@aragorn logs]#

          Any ideas as to why the host principal works OK but not the HTTP principal? On the Windows DC, I ran setspn -A for both host and HTTP, and both the host and HTTP principals are mapped to the same user account in Active Directory.

          Thanks,
          -B

          • Markus Moeller
            2006-01-26

            It depends on how you have created the entry in AD.

            A kinit checks for the userPrincipalName (UPN) attribute in AD. So if you added the HTTP/fqdn service principal name (SPN) to an account with another UPN, kinit does not work (but the keytab might still be OK to verify service tickets).

            What is the UPN in AD for the host/fqdn principal?

            Markus

            • Brian Deng
              2006-01-26

              I have one UPN (host/aragorn.nexprise.com@MYCOMPANY.LOCAL) that has multiple servicePrincipalName values: host/aragorn.nexprise.com and HTTP/aragorn.nexprise.com.

              Should this work OK with mod_spnego or do I need to create separate UPNs for host and HTTP?

              Thanks,
              -B

              • Markus Moeller
                2006-01-26

                Yes, that should work. If the host and HTTP SPNs share the same AD account, their keys are the same. You can check this with klist -e -K -k keytab_file.

                You will get something like:
                   1 host/moelma.wks.mm.com@KERBTEST.COM (ArcFour with HMAC/md5)  (0xddc70674d4993a43346b3e8b578542f1)
                   1 HOST/moelma.wks.mm.com@KERBTEST.COM (ArcFour with HMAC/md5)  (0xddc70674d4993a43346b3e8b578542f1)

                The last entry is the key, and it should be the same for host and HTTP. If not, you can do the following:

                >ktutil
                ktutil: addent -key -p HTTP/aragorn.nexprise.com -k 1 -e arcfour-hmac
                Key for HTTP/aragorn.nexprise.com@DBG.ADS.DB.COM (hex):ddc70674d4993a43346b3e8b578542f1
                ktutil: wkt HTTP.keytab
                ktutil: quit

                This creates a keytab with the same key.

                Markus

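The same key comparison done programmatically, as an added example that is not code from this thread or from mod_spnego: it parses the MIT keytab file format (version 0x0502) directly and checks that the host and HTTP principals carry the same key for each enctype, which is what "klist -e -K -k" lets you do by eye. The keytab bytes are constructed inline by make_keytab; the principal names are the ones from this thread.

```python
# Added example, not from the thread: parse an MIT 0x0502 keytab and compare two principals' keys (the klist -e -K -k check).
import struct

def _counted(b):
    return struct.pack(">H", len(b)) + b

def make_keytab(entries):
    # Constructed sample data: (principal, kvno, enctype, key) tuples -> keytab bytes.
    out = b"\x05\x02"
    for principal, kvno, etype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno)   # name_type, timestamp, 8-bit kvno
        body += struct.pack(">H", etype) + _counted(key)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    # Returns {(principal, enctype): (kvno, key_hex)} for every live entry.
    assert data[:2] == b"\x05\x02", "only keytab version 0x0502 is handled"
    def counted(p):
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n], p + 2 + n
    pos, entries = 2, {}
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size < 0:                  # negative size marks a deleted slot
            pos += 4 - size
            continue
        end = pos + 4 + size
        (ncomp,) = struct.unpack_from(">H", data, pos + 4)
        realm, pos = counted(pos + 6)
        comps = []
        for _ in range(ncomp):
            c, pos = counted(pos)
            comps.append(c.decode())
        _ntype, _ts, vno, etype = struct.unpack_from(">IIBH", data, pos)
        key, pos = counted(pos + 11)
        if end - pos >= 4:            # optional 32-bit kvno stored after the key
            vno = struct.unpack_from(">I", data, pos)[0] or vno
        entries[("/".join(comps) + "@" + realm.decode(), etype)] = (vno, key.hex())
        pos = end
    return entries

def keys_match(data, princ_a, princ_b):
    # True when the principals share an enctype and every shared enctype has the same key.
    e = parse_keytab(data)
    shared = [t for (p, t) in e if p == princ_a and (princ_b, t) in e]
    return bool(shared) and all(e[(princ_a, t)][1] == e[(princ_b, t)][1] for t in shared)
```

On a real file, call parse_keytab(open(path, "rb").read()); a mismatch between the host/ and HTTP/ entries is exactly the condition that produced the "Decrypt integrity check failed" error in this thread.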
                • Brian Deng
                  2006-01-26

                  That was it! The hex keys were different for host and HTTP. I used ktutil as you described, and I now have a working mod_spnego. Thanks for your help!

                  -B

    • Markus Moeller
      2006-01-19

      Can you do a kinit with your userid? It looks as if the configuration is wrong. If the config is correct, it might be a keytab creation problem. Do you have an LDAP browser (e.g. Softerra) to browse Active Directory? Search for (serviceprincipalname=HTTP/*) entries. This should show that you have a service principal for HTTP/...

      How did you extract the keytab?

      Markus

      • Brian Deng
        2006-01-19

        I followed instructions from the MSDN article on SPNEGO. I used:

        setspn -A HTTP/aragorn.nexprise.com aragorn

        to create the SPN. Then I used ktpass to produce the keytab:

        ktpass -princ HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL -pass * -mapuser aragorn -out c:\temp\aragorn.http.keytab

        Then I transferred the file over to my Linux server using 'scp'.

        Searching as you suggested in Softerra shows CN=aragorn,CN=Users,DC=mycompany,DC=local,
        which looks correct to me.

        Thanks,
        -B

        • Markus Moeller
          2006-01-19

          Can you capture the traffic on port 88 with Ethereal when you do a kinit HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL?
          Usually you should get a password prompt. Can you also check with Softerra whether the userPrincipalName in AD is HTTP/aragorn.nexprise.com@MYCOMPANY.LOCAL?

          Do you use w2k3 SP1 and the latest Windows ktpass? For DES you need to set the account DESONLY (BTW, the latest MIT release has RC4 support, which is better, and you don't need to worry about the DESONLY flag).

          Markus

          • Brian Deng
            2006-01-19

            The userPrincipalName is aragorn@MYCOMPANY.LOCAL.
            Trying kinit with that principal just hung. Ethereal gave an additional hint in that it showed a PRE_AUTH_REQUIRED response being sent back.

            I'm trying this with w2k and not w2k3. Perhaps I'll try to set up a w2k3 SP1 Active Directory and try the latest MIT release with RC4.

            Thanks for your help.
            -B

            • Markus Moeller
              2006-01-19

              If you use w2k, set the account DESONLY, change the password once, and then do the ktpass extraction.

              Markus

              • Brian Deng
                2006-01-19

                I've already tried that (several times) to no avail.

    • Markus Moeller
      2006-01-20

      Then I don't know what else you can do. It looks to me as if you do not have the right key in your keytab.

      Can you try the latest ktpass (the one for w2k3) with RC4? The w2k3 version of ktpass supports RC4-HMAC and should work with w2k too.

      Markus

    • Markus Moeller
      2006-01-20

      You may want to try a tool like http://www.pppl.gov/~dperry/msktutil.tar.gz to create the keytab directly on your Unix box.

      Markus