I've setup Apache HTTPD 2.4 with mod_auth_kerb, created a service account on Active Directory, added a SPN for my http hostname, created a keytab file on the linux machine, and had SSO start working nicely for users logged into the AD domain from IE. It was all good!
However, every week or so, users instead of getting signed into the website instead get a http basic auth prompt up, which won't accept their credentials. Looking in the httpd server logs, we see entries like:
[auth_kerb:error] [pid 8040] [client 192.168.100.100:54460] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Key version number for principal in key table is incorrect)
What seems to have happened is that the KVNO (Kerberos Key Version Number) on AD has incremented, so they keytab is invalid. We can see that by doing something like:
$ kinit '[email protected]'
Password for [email protected]
$ kvno HTTP/sso.example.com
HTTP/[email protected]: kvno = 12
$ klist -k krb5-keytab
Keytab name: FILE:krb5-keytab
KVNO Principal
---- ---------------------------------------------
11 HTTP/[email protected]
The KVNO that AD is reported has somehow been incremented, and is one higher than the one in the keytab that Apache is using, which is causing the Kerberos SSO to fail
If we re-create the keytab, with something like:
$ kinit '[email protected]'
Password for [email protected]
$ KEYTAB=krb5-keytab
$ SN="HTTP/[email protected]"
$ KVNO=`kvno $SN | awk -F'kvno = ' '{print $2}'`
$ echo "KVNO for $SN is $KVNO"
KVNO for HTTP/[email protected] is 12
$ rm $KEYTAB
$ ktutil
addent -password -p HTTP/[email protected] -k 12 -e arcfour-hmac
wkt krb5-keytab
$ chown apache.apache $KEYTAB
$ chmod 440 $KEYTAB
$ chcon -u system_u -t httpd_config_t $KEYTAB
$ service httpd restart
Then Kerberos SSO will begin working again, and all will be fine! For a week or so, when suddenly it will fail again, as the KVNO has silently and mysteriously bumped itself one value higher on AD....
So, what do I need to do, either on AD or in how I create the kerberos keytab file on Linux, so that the KVNO doesn't keep randomly increasing itself every 1-2 weeks thus breaking all our user's ability to access the site?