I am trying to test my application inside an MS domain. The app server has deployed successfully. Both Kerberos and username/password authentication work well.
But when I add a 'test' (there are some reasons why it's a controller) using 'KerberosRestTemplate' with a client keytab generated by 'ktpass', 'SunJaasKerberosTicketValidator' throws an exception:
'java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))'.
I suggest the reason is that the keytab file generated by ktpass is broken. This is how I generate it:
```
C:> ktpass /princ [email protected] /pass Qw1er2ty3 /ptype KRB5_NT_PRINCIPAL /out deniz.keytab
NOTE: creating a keytab but not mapping principal to any user.
For the account to work within a Windows domain, the
principal must be mapped to an account, either at the
domain level (with /mapuser) or locally (using ksetup)
If you intend to map [email protected] to an account through other means
or don't need to map the user, this message can safely be ignored.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to deniz.keytab:
Keytab version: 0x502
keysize 52 [email protected] ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xa0eb0b1e09b8c36edc
2da4762c53283f)
```
Just in case, I've saved a sample on my GitHub: https://github.com/mezlogo/kerberos_sample
I think my keytab is broken, but I can't find how to generate it for client usage (without HTTP/username@DOMAIN).
P.S. Sorry for my English.
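
Added example (not part of the original post or the linked repository): the exception text refers to the key version, and the ktpass output above reports `vno 1` with etype RC4-HMAC. This sketch reads a version 0x502 keytab and lists each entry's principal, kvno and etype so they can be compared with what the domain holds for the account; the principal `client@EXAMPLE.COM`, the all-zero key and the helper `build_sample` are constructed for illustration.

```python
import struct

ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _parse_entry(e):
    off = 0
    def take(fmt):
        nonlocal off
        (val,) = struct.unpack_from(fmt, e, off)   # struct.error if the entry is truncated
        off += struct.calcsize(fmt)
        return val
    def counted():                                 # 16-bit length followed by that many bytes
        nonlocal off
        n = take(">H")
        if off + n > len(e):
            raise ValueError("string runs past end of entry")
        off += n
        return e[off - n:off].decode("utf-8", "replace")
    ncomp = take(">H")                             # in 0x502 the count excludes the realm
    realm = counted()
    name = "/".join([counted() for _ in range(ncomp)])
    take(">I")                                     # name type (1 = KRB5_NT_PRINCIPAL)
    take(">I")                                     # timestamp
    kvno = take(">B")                              # 8-bit key version
    etype = take(">H")
    keylen = take(">H")
    off += keylen                                  # skip the key bytes; they are never returned
    if len(e) - off >= 4:                          # optional 32-bit kvno wins when non-zero
        kvno = take(">I") or kvno
    return (f"{name}@{realm}", kvno, ETYPES.get(etype, f"etype {etype}"))

def parse_keytab(data):
    """Return [(principal, kvno, etype)] for a version 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size > 0:                               # negative size marks a deleted entry
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def build_sample(kvno):
    """Constructed one-entry keytab: client@EXAMPLE.COM, RC4-HMAC, all-zero key."""
    realm, comp, key = b"EXAMPLE.COM", b"client", bytes(16)
    body = struct.pack(">HH", 1, len(realm)) + realm + struct.pack(">H", len(comp)) + comp
    body += struct.pack(">IIB", 1, 0, kvno) + struct.pack(">HH", 23, len(key)) + key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

if __name__ == "__main__":
    for principal, kvno, etype in parse_keytab(build_sample(1)):
        print(principal, "kvno", kvno, etype)
```

To inspect a real file, pass `open("deniz.keytab", "rb").read()` to `parse_keytab` and compare the listed kvno with the account's `msDS-KeyVersionNumber` attribute in Active Directory.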