I am trying to test my application inside an MS domain. The app server has deployed successfully. Both Kerberos and username/password authentication work well.
But when I add a 'test' (there is a reason why it's a controller) using 'KerberosRestTemplate' with a client keytab generated by 'ktpass', 'SunJaasKerberosTicketValidator' throws an exception:
'java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))'.
I suppose the reason is that the keytab file generated by ktpass is broken. This is how I generate it:
"C:> ktpass /princ deniz@TESTAD.LOCAL /pass Qw1er2ty3 /ptype KRB5_NT_PRINCIPAL /out deniz.keytab
NOTE: creating a keytab but not mapping principal to any user.
      For the account to work within a Windows domain, the
      principal must be mapped to an account, either at the
      domain level (with /mapuser) or locally (using ksetup)
      If you intend to map deniz@TESTAD.LOCAL to an account through other means
      or don't need to map the user, this message can safely be ignored.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to deniz.keytab:
Keytab version: 0x502
keysize 52 deniz@TESTAD.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xa0eb0b1e09b8c36edc2da4762c53283f)"
Just in case, I've saved a sample on my GitHub: http://ift.tt/1mdkm7D
I think my keytab is broken, but I can't find how to generate it for client usage (without HTTP/username@DOMAIN).
P.S. Sorry for my English.
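
Added example, not part of the original post or of Spring Security Kerberos: a minimal Python reader for the version 0x502 keytab layout that ktpass reports above, listing each entry's principal, key version (vno) and etype so they can be compared with the key version the domain holds for the account. The sample keytab is constructed to mirror the ktpass output with an all-zero key, and the helper names (`build_entry`, `parse_keytab`, `has_kvno`) are hypothetical.

```python
import struct

def build_entry(realm, components, name_type, kvno, etype, key, timestamp=0):
    """Serialise one keytab entry (used here only to construct sample data)."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(components)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in components)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", etype) + counted(key)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return one dict per entry (principal, kvno, etype, keylen, size)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot (hole)
            pos += -size
            continue
        end, p = pos + size, pos
        def counted():                # read a 16-bit length-prefixed byte string
            nonlocal p
            (n,) = struct.unpack_from(">H", data, p)
            s = data[p + 2:p + 2 + n]
            p += 2 + n
            return s
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, _ts, kvno, etype = struct.unpack_from(">IIBH", data, p)
        p += 11
        key = counted()
        if end - p >= 4:              # optional trailing 32-bit kvno, if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "etype": etype, "keylen": len(key), "size": size})
        pos = end
    return entries

def has_kvno(entries, principal, wanted_kvno):
    """True if the keytab holds a key for principal at the requested version."""
    return any(e["principal"] == principal and e["kvno"] == wanted_kvno
               for e in entries)

# Constructed sample mirroring the ktpass output above (all-zero key, not the real one).
SAMPLE = b"\x05\x02" + build_entry("TESTAD.LOCAL", ["deniz"], 1, 1, 0x17, bytes(16))
```

To inspect a real file, pass `open("deniz.keytab", "rb").read()` to `parse_keytab`; the constructed entry is 52 bytes, the same figure ktpass prints as keysize.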