1 Reply Latest reply on Feb 6, 2015 4:35 PM by Jon Scholten

    Kerberos authentication problem

    ztamas

      Hello,

       

      I have two web gateway appliances (with v7.4) with the same configuration in a management cluster.

      On the second appliance Kerberos authentication is working, but on the first appliance Kerberos authentication fails with the 'Wrong principal in request' error message.

      I generated two different keytab files for the two appliances. The hostname and DNS record are unique on both of the appliances.

      I used the same syntax when I generated the two keytab files for the two appliances, each with its unique FQDN.

       

      >ktpass -princ HTTP/webgateway1.domain.local@DOMAIN.LOCAL -mapuser mwg-kerb-user1 -pass password -ptype KRB5_NT_PRINCIPAL -out webgateway1.domain.local.keytab

      >ktpass -princ HTTP/webgateway2.domain.local@DOMAIN.LOCAL -mapuser mwg-kerb-user2 -pass password -ptype KRB5_NT_PRINCIPAL -out webgateway2.domain.local.keytab

       

      Does anyone have any idea how I can debug the issue?

       

      Error logs:

      #tail /opt/mwg/log/mwg-errors/mwg-core.errors.log

      [2015-02-05 17:33:21.761 +01:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_API' error : 'Unspecified GSS failure.  Minor code may provide more information'

      [2015-02-05 17:33:21.761 +01:00] [Auth] [KerberosAuthentication] 'gss_accept_sec_context' 'GSS_MECH' error : 'Wrong principal in request'

       

      #tail /opt/mwg/log/debug/mwg-core__Auth.debug.log

      [2015-02-05 17:37:07.653 +01:00] [5675] Kerberos (4, 10.0.4.5) URL: http://www.google.com/

      [2015-02-05 17:37:07.653 +01:00] [5675] Kerberos (4, 10.0.4.5) Configuration: Kerberos Connection: 0x7f727cbf9550 RR: 0x7f727c3d5150

      [2015-02-05 17:37:07.653 +01:00] [5675] Kerberos (4, 10.0.4.5) Incoming credentials: Negotiate [base64 token removed]

      [2015-02-05 17:37:07.654 +01:00] [5675] Kerberos: Authentication failed 'Wrong principal in request'

      [2015-02-05 17:37:07.654 +01:00] [5675] Kerberos (4, 10.0.4.5) Added authentication method: Negotiate

      [2015-02-05 17:37:07.654 +01:00] [5675] Kerberos (4, 10.0.4.5) Authentication didn't return values, failure ID: 0, authentication failed: 1

       

       

      Thanks,

      Zoltan
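
Added example, not part of the original post: 'Wrong principal in request' is the GSS-API message for a ticket whose service principal is not the one the acceptor's keytab holds, so one debugging step is to read the SPN out of the `Negotiate` token in the Auth debug log and compare it with the principal given to `ktpass`. The sketch below does that with a minimal DER walker; the function names and the constructed sample token are assumptions for illustration.

```python
import base64

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def elements(buf):
    """List the (tag, value) pairs packed back to back in buf."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def ticket_spn(token_b64):
    """Return 'service/host@REALM' from the Ticket inside a Negotiate token."""
    raw = base64.b64decode("".join(token_b64.split()))  # log output may wrap
    for i in range(len(raw)):
        if raw[i] != 0x61:  # Ticket is [APPLICATION 1]; try every candidate
            continue
        try:
            fields = dict(elements(read_tlv(read_tlv(raw, i)[1], 0)[1]))
            if fields[0xA0] != b"\x02\x01\x05":  # tkt-vno must be 5
                continue
            realm = read_tlv(fields[0xA1], 0)[1].decode("ascii")
            sname = dict(elements(read_tlv(fields[0xA2], 0)[1]))
            parts = [v.decode("ascii") for _, v in elements(read_tlv(sname[0xA1], 0)[1])]
            return "/".join(parts) + "@" + realm
        except (ValueError, KeyError, IndexError):
            continue  # not a Ticket after all, keep scanning
    return None

def keytab_covers(token_b64, keytab_principals):
    return ticket_spn(token_b64) in keytab_principals  # exact, case-sensitive

# Constructed sample: a stub SPNEGO header plus a Ticket without its enc-part.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only
_sname = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0xA1, _tlv(
    0x30, _tlv(0x1B, b"HTTP") + _tlv(0x1B, b"webgateway1.domain.local"))))
SAMPLE_TOKEN = base64.b64encode(b"\x60\x50\x06\x06\x2b\x06\x01\x05\x05\x02" + _tlv(
    0x61, _tlv(0x30, _tlv(0xA0, b"\x02\x01\x05") + _tlv(0xA1, _tlv(
        0x1B, b"DOMAIN.LOCAL")) + _tlv(0xA2, _sname)))).decode()
```

Pass the text that follows `Negotiate` in the debug log as `token_b64`; embedded spaces and line breaks are ignored.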