IBM Support

WebSphere DataPower fails to parse a Kerberos token

Question & Answer


Question

Why does DataPower fail to decrypt a Kerberos token and report the message "Cannot parse the file for Kerberos Keytab"? The error persists even after confirming that the Service Principal Name (SPN) in the keytab file matches both the output of the "setspn -l" command and the SPN field within the DataPower service.

Cause

One possible cause of this message is a key version number (kvno) mismatch. The kvno is an optional parameter of the ktpass command, and the default kvno that ktpass writes into the keytab entry does not always match the kvno that the Key Distribution Center (KDC) holds for the account and uses when issuing tokens.

To determine the kvno issued by the KDC, issue the following command on the KDC:

    ldifde -f c:\spn.txt -d "DC=abc,DC=xyz,DC=com" -l *,msDS-KeyVersionNumber -r "(serviceprincipalname=<yourspn>*)" -p subtree

where:

    Parameter                                    Comment
    -f c:\spn.txt                                The file for storing the output
    -d "DC=abc,DC=xyz,DC=com"                    The search base; this corresponds to the domain ABC.XYZ.COM
    -l *,msDS-KeyVersionNumber                   The attributes to return; msDS-KeyVersionNumber is a constructed attribute, so it must be named explicitly in addition to *
    -r "(serviceprincipalname=<yourspn>*)"       The LDAP filter selecting the account whose SPN starts with <yourspn>, for example "(serviceprincipalname=HTTP/somename*)"
    -p subtree                                   The search scope: the whole subtree below the search base
The bottom of the resulting file should contain the kvno used by the KDC, as shown below:
...
    dSCorePropagationData: 20110526195145.0Z
    dSCorePropagationData: 20110526195043.0Z
    dSCorePropagationData: 16010101000000.0Z
    msDS-KeyVersionNumber: 3

In the example above, the kvno assigned by the KDC is 3. A keytab analysis tool, however, shows the SPN entry in the keytab with kvno = 1. The KDC is therefore issuing Kerberos tokens with kvno = 3 while the keytab only holds a key with kvno = 1, so DataPower cannot decrypt the token.

Answer

The solution is to regenerate the keytab with the kvno that the KDC uses when it issues Kerberos tokens. For the example above, the ktpass command would be something like:

    ktpass -out c:\myservice.keytab -princ HTTP/myservice@ABC.XYZ.COM -mapUser myServiceAcct -mapOp set -pass * -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -kvno 3

Note that the last parameter, -kvno 3, forces the kvno written into the keytab to be 3. Two caveats: ktpass with -pass * (re)sets the password of myServiceAcct, which changes the account's key on the KDC and can increment its msDS-KeyVersionNumber again, so re-run the ldifde query after generating the keytab and confirm that the KDC value still matches the kvno in the keytab. Also, RC4-HMAC-NT is used here only because the example account was set up with it; RC4-HMAC is a deprecated, weak encryption type, so prefer an AES type (for example -crypto AES256-SHA1) wherever both the KDC and the DataPower firmware support it.

Replace the DataPower copy of the keytab with the keytab generated by this command. For further information about troubleshooting Kerberos tokens sent to DataPower from .NET, see the Troubleshooting section of this developerWorks article.
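As an added example (not IBM's code and not part of this technote), the following Python script automates the comparison made in the Cause section and the post-regeneration check: it reads the msDS-KeyVersionNumber out of ldifde output such as spn.txt, parses the entries of an MIT-format keytab (file version 0x0502, the format ktpass writes) and reports every entry for the SPN whose kvno differs from the KDC's value. The LDIF text and the keytab bytes are constructed inline so that it runs offline; the account DN, the SPN and the all-zero key are placeholders, not values taken from the page.

```python
"""Compare the kvno inside a keytab with the msDS-KeyVersionNumber the KDC reports.

Added example; the sample LDIF and keytab below are constructed, not captured data.
"""
import struct

# Kerberos encryption type numbers (RFC 3961 / RFC 4757) for readable output.
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def parse_ldifde_kvno(ldif_text):
    """Map each DN in ldifde output to its msDS-KeyVersionNumber.

    LDIF folds long values onto continuation lines that start with one space,
    so those are unfolded first. Attribute names are matched case-insensitively.
    """
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    result, dn = {}, None
    for line in unfolded:
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif dn and line.lower().startswith("msds-keyversionnumber:"):
            result[dn] = int(line.split(":", 1)[1])
    return result


def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502); return [(principal, kvno, enctype)]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack(">i", data[off:off + 4])
        off += 4
        if size <= 0:                      # negative size marks a deleted slot
            off += -size
            continue
        e, p = data[off:off + size], 0
        (ncomp,) = struct.unpack(">H", e[p:p + 2]); p += 2
        (rlen,) = struct.unpack(">H", e[p:p + 2]); p += 2
        realm = e[p:p + rlen].decode(); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", e[p:p + 2]); p += 2
            comps.append(e[p:p + clen].decode()); p += clen
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", e[p:p + 9]); p += 9
        enctype, klen = struct.unpack(">HH", e[p:p + 4]); p += 4 + klen  # skip key bytes
        kvno = vno8
        if p + 4 <= size:                  # optional 32-bit kvno overrides vno8 when non-zero
            (vno32,) = struct.unpack(">I", e[p:p + 4])
            if vno32:
                kvno = vno32
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        off += size
    return entries


def build_keytab(entries):
    """Write a 0x0502 keytab from (principal, kvno, enctype, key) tuples (sample input only)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                      # 32-bit kvno field
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_kvno(keytab_bytes, kdc_kvno, spn):
    """Return [(principal, keytab_kvno, enctype_name, matches_kdc)] for entries of this SPN."""
    return [(principal, kvno, ENCTYPES.get(enctype, str(enctype)), kvno == kdc_kvno)
            for principal, kvno, enctype in parse_keytab(keytab_bytes)
            if principal.lower().startswith(spn.lower() + "@")]


# Constructed ldifde output in the shape of the page's spn.txt (placeholder DN and SPN).
SAMPLE_LDIF = """dn: CN=myServiceAcct,OU=Service Accounts,DC=abc,DC=xyz,DC=com
changetype: add
servicePrincipalName: HTTP/myservice
dSCorePropagationData: 16010101000000.0Z
msDS-KeyVersionNumber: 3
"""
# Constructed keytab with the mismatch from the page: rc4-hmac entry written with kvno 1.
SAMPLE_KEYTAB = build_keytab([("HTTP/myservice@ABC.XYZ.COM", 1, 23, bytes(16))])

if __name__ == "__main__":
    for dn, kvno in parse_ldifde_kvno(SAMPLE_LDIF).items():
        print(f"KDC kvno for {dn}: {kvno}")
        for principal, kt_kvno, enc, ok in check_kvno(SAMPLE_KEYTAB, kvno, "HTTP/myservice"):
            verdict = "OK" if ok else f"MISMATCH, regenerate with -kvno {kvno}"
            print(f"  keytab {principal} kvno={kt_kvno} enctype={enc}: {verdict}")
```

Point the script at a real spn.txt and keytab by reading both files instead of the constructed samples; run it once before and once after ktpass so that any further change to the KDC's kvno caused by the password reset shows up immediately.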

Product: IBM DataPower Gateway (SS9H2Y)
Platform: Firmware
Version: 4.0.2; 4.0.1; 5.0.0; 6.0.0; 6.0.1
Business Unit: Cloud & Data Platform
Line of Business: Automation

Document Information

Modified date:
08 June 2021

UID

swg21502341