Subject: Exporting kerberos keys from service principal
From: "Rippich, Andrej"
Date: Wed, 13 May 2009 14:56:55 +0200
Reply-To: users@directory.apache.org
Message-ID: <96B58CE679D9514B87F3149C1036B1B3248C02@INFRA-BLN-EX.psi.de>

Hi all,

I'm trying to set up a simple (and sample) web application which uses Kerberos as the authentication protocol. I'm using Apache DS 1.5.1 as KDC. I've created two service principals (krbtgt and a principal which belongs to my target service) and a user principal. I'm using JGSS with Sun's Krb5LoginModule with Java 6.

Because I don't know how to export the generated keys for the service principal, I've set a plain text password for my service principal. I've further created a Keytab using the Java Tool ktab (ktab -a server/hostname@EXAMPLE.COM plaintext password) using the same password as I used when creating the service principal. When I'm trying to run my application, the client is able to get the TGT and TGS ticket, but on the server side the JGSS context acceptSecContext call fails. The JGSS debug output is: (Mechanism level: Integrity check on decrypted field failed (31)). It seems to me there is something wrong with the keys of the service principal, but as I'm starting with Kerberos I'm not sure what exactly causes the problem.

My question: is there a way (without writing my own Tool using Ldap/JNDI) to export generated keys of a service principal from Apache DS to a keytab? Or is there another solution and my approach is wrong?

Thanks in advance
Andrej