gss_acquire_cred returning Key table entry not found error

Question

I have been trying to follow the guidelines in this Microsoft article to authenticate against Apache with Kerberos and AD. I have successfully tested the communication between the apache server and the AD server with kinit. However when I attempt to access a restricted page on the server with IE I get an Internal server error and the following appears in the apache error log.

[Wed Sep 24 14:18:15 2008] [debug] src/mod_auth_kerb.c(1483): [client 172.31.37.38] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Wed Sep 24 14:18:15 2008] [debug] src/mod_auth_kerb.c(1174): [client 172.31.37.38] Acquiring creds for HTTP/[email protected]
[Wed Sep 24 14:18:15 2008] [error] [client 172.31.37.38] gss_acquire_cred() failed: Miscellaneous failure (see text) (Key table entry not found)

I have run a truss on the apache process and confirmed that it is in fact loading up the keytab file ok. I am wondering if there is something wrong with the format of the keytab file...

HTTP/[email protected]

I am not sure what I am missing though. Or what other things to check.

Any suggestions?

Thanks

Peter

Answer 1

Ok. Keytabs are supposed to contain the Service principal name, in this case "HTTP/[email protected]" and the encryption key. I see where the MS docs say just to echo that to a file, but I don't think that's right.

You'll need to use the ktpass utility to create the keytab. The MS docs are here.

In particular, you'll need to specify KRB5_NT_SRV_HST, and most of the rest of the options can be default.

Sample of it on my machine:

C:\>ktpass /out test.keytab /princ HTTP/[email protected] 
           /ptype KRB5_NT_SRV_HST /pass *
Type the password for HTTP/srvnfssol1.dev.local:
Key created.

Output keytab to test.keytab:

Keytab version: 0x502
keysize 62 HTTP/[email protected] 
ptype 3 (KRB5_NT_SRV_HST) vno 1 etype 0x1 (DES-CBC-CRC) 
keylength 8 (0xa7f1fb38041c199e)

If the active directory server is the KDC, you'll need to use the /map <name> argument, where <name> is the computer account in active directory representing the server.

Some details on how all this works. When you browse to the website it should respond with a WWW-Authenticate: Negotiate header, and your browser will send a request to the KDC (active directory server) to get a kerberos ticket for the service. The AD server will look up the encryption key for the ticket using the service principal name, and send an encrypted service ticket back to the browser. Once the browser has the service ticket, it'll reissue the HTTP request with an authenticate header containing the ticket. The apache server will look up its key in the keytab, decrypt the ticket, and grant access.

The "key table entry not found" error happens because apache isn't finding itself in the keytab. Can also happen if the name resolution/realms aren't set up right.

You should be able to see all the kerberos requests AP-REQ/AP-REP/TGS-REQ/TGS-REP using wireshark on the client, tcp or udp port 88.