Charith De Silva

Reputation: 3740

Kerberos Authentication keytab KVNO

I have a network environment where Kerberos authentication is set up to the corporate standard (i.e. a password can live only 30 days for a user). I've installed my Java web application on this system, which uses a keytab file generated by the KDC. All works fine until a client user changes his network password after 30+ days. Googling, I found it's due to the KVNO being out of synchronization. So as I understand it, the problem is that the KVNO sent by the client browser is out of sync with the keytab's KVNO. I have less knowledge of these network negotiation steps (I use Spring Security), so I'm waiting for you guys' expertise to resolve this. Thanks in advance.

java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))  

Upvotes: 2

Views: 4545

Answers (2)

Charith De Silva

Reputation: 3740

After a bit of research I found there is a problem related to this with Java 1.6 update 23 to 26. Updating to the latest Java resolved the problem for me. Thanks for your input.

Upvotes: 1

Moritz

Reputation: 1638

Every time the password of an account is changed, its KVNO is increased. This makes all keytabs for that account invalid. As I understand your question, that is what happened to the service principal you created the keytab for, correct? In that case you need to re-create the keytab.

Upvotes: 4
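To see which key versions a keytab actually holds before deciding whether it has to be re-created, the added example below (not part of the original thread) parses the keytab file format version 0x0502 and lists principal, KVNO and encryption type for each entry. The sample keytab is constructed with dummy all-zero keys; `make_entry`, `SAMPLE` and the principal name are assumptions for illustration.

```python
import struct

def _cstr(b):                        # counted string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def _read_cstr(data, p):             # returns (bytes, next offset)
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n

def make_entry(realm, components, kvno, enctype=18, key=b"\x00" * 32):
    """Build one constructed sample entry (dummy key), big-endian as in 0x0502."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _cstr(key) + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in the keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                # treat a zero-length record as end of data
            break
        if size < 0:                 # negative length marks a deleted entry (hole)
            pos -= size
            continue
        end, p = pos + size, pos + 2
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _read_cstr(data, p)
        parts = []
        for _ in range(ncomp):
            part, p = _read_cstr(data, p)
            parts.append(part.decode())
        p += 8                       # skip name type and timestamp
        kvno, p = data[p], p + 1     # 8-bit kvno
        (enctype,) = struct.unpack_from(">H", data, p)
        _, p = _read_cstr(data, p + 2)               # key bytes, not needed here
        if end - p >= 4:             # trailing 32-bit kvno wins when present and nonzero
            (k32,) = struct.unpack_from(">I", data, p)
            kvno = k32 or kvno
        out.append(("/".join(parts) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return out

_P = ("EXAMPLE.COM", ["HTTP", "web.example.com"])    # constructed principal
SAMPLE = b"\x05\x02" + make_entry(*_P, 3) + make_entry(*_P, 4)
```

If the KVNO the KDC currently holds for the service principal is not among the values returned, the keytab is stale in the sense described in the answer above.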
