ztamas
Level 9

Kerberos authentication problem

Hello,

I have two web gateway appliances (with v7.4) with the same configuration in a management cluster.

On the second appliance Kerberos authentication is working, but on the first appliance Kerberos authentication fails with a 'Wrong principal in request' error message.

I generated two different keytab files for the two appliances. The hostname and DNS record are unique on both of the appliances.

I used the same syntax when I generated the two keytab files for the two appliances, each with its unique FQDN.

>ktpass -princ HTTP/webgateway1.domain.local@DOMAIN.LOCAL -mapuser mwg-kerb-user1 -pass password -ptype KRB5_NT_PRINCIPAL -out webgateway1.domain.local.keytab

>ktpass -princ HTTP/webgateway2.domain.local@DOMAIN.LOCAL -mapuser mwg-kerb-user2 -pass password -ptype KRB5_NT_PRINCIPAL -out webgateway2.domain.local.keytab

Does anyone have any idea how I can debug the issue?

Error logs:

#tail /opt/mwg/log/mwg-errors/mwg-core.errors.log

[2015-02-05 17:33:21.761 +01:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'

[2015-02-05 17:33:21.761 +01:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Wrong principal in request'

#tail /opt/mwg/log/debug/mwg-core__Auth.debug.log

[2015-02-05 17:37:07.653 +01:00] [5675] Kerberos (4, 10.0.4.5) URL: http://www.google.com/

[2015-02-05 17:37:07.653 +01:00] [5675] Kerberos (4, 10.0.4.5) Configuration: Kerberos Connection: 0x7f727cbf9550 RR: 0x7f727c3d5150

[2015-02-05 17:37:07.653 +01:00] [5675] Kerberos (4, 10.0.4.5) Incoming credentials: Negotiate 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

[2015-02-05 17:37:07.654 +01:00] [5675] Kerberos: Authentication failed 'Wrong principal in request'

[2015-02-05 17:37:07.654 +01:00] [5675] Kerberos (4, 10.0.4.5) Added authentication method: Negotiate

[2015-02-05 17:37:07.654 +01:00] [5675] Kerberos (4, 10.0.4.5) Authentication didn't return values, failure ID: 0, authentication failed: 1

Thanks,

Zoltan

0 Kudos
1 Reply
McAfee Employee

Re: Kerberos authentication problem

Hi Zoltan!

You really only need one keytab, having two just makes things harder.

The error indicates that MWG received a ticket for something, but it does not have the keys to open it.

Did you install the keytab for mwg2, on mwg2? The output indicates the client got a ticket just fine, but MWG couldn't read it.

If you continue to have issues, open a support case with the information in this guide:

Don't post it here as it is sensitive information.

Best Regards,

Jon

0 Kudos
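
Added example, not part of the original thread and not McAfee tooling: a small Python reader for the MIT keytab file format (version 0x0502) that lists which principals a keytab holds, so the file can be checked against the appliance's own HTTP/<fqdn>@REALM name before it is installed. The helper names, the kvno and the all-zero key in the sample are constructed for illustration; the host and realm names are the ones from the question.

```python
import struct

def keytab_principals(data):
    """List (principal, kvno, enctype) for each entry of an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry (hole)
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        names = []
        for _ in range(ncomp + 1):         # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p); p += 2
            names.append(data[p:p + n].decode()); p += n
        p += 8                             # skip name_type and timestamp
        kvno = data[p]; p += 1
        enctype, keylen = struct.unpack_from(">HH", data, p)
        p += 4 + keylen                    # key bytes are skipped, never returned
        if end - p >= 4:                   # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        found.append(("/".join(names[1:]) + "@" + names[0], kvno, enctype))
        pos = end
    return found

def spn_in_keytab(data, fqdn, realm):
    """True if the keytab holds HTTP/<fqdn>@<realm>; the comparison is case-sensitive."""
    want = "HTTP/%s@%s" % (fqdn, realm)
    return any(name == want for name, _, _ in keytab_principals(data))

def make_entry(realm, comps, kvno, enctype=18, key=b"\x00" * 32):
    """Build one constructed keytab entry (dummy all-zero key) for the demo."""
    s = lambda b: struct.pack(">H", len(b)) + b
    body = struct.pack(">H", len(comps)) + s(realm.encode())
    body += b"".join(s(c.encode()) for c in comps)
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + s(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the keytab generated for webgateway2, inspected as if on webgateway1.
SAMPLE = b"\x05\x02" + make_entry("DOMAIN.LOCAL", ["HTTP", "webgateway2.domain.local"], 3)

if __name__ == "__main__":
    print(keytab_principals(SAMPLE))
    print(spn_in_keytab(SAMPLE, "webgateway1.domain.local", "DOMAIN.LOCAL"))
```

On a real keytab, pass the file's bytes (read in binary mode) to keytab_principals; the kvno it reports can also be compared with the key version number of the mapped account in Active Directory.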