Question & Answer
Question
Why does DataPower fail to decrypt a Kerberos token and display the message "Cannot parse the file for Kerberos Keytab"? This error remains after confirming that the Service Principal Name (SPN) matches the keytab file, the "setspn -l
Cause
One possible cause of this message is incompatible Kerberos Version Numbers (kvno). The kvno is an optional parameter of the ktpass command. Sometimes the default kvno assigned to the keytab entry does not match the kvno issued by the Key Distribution Center (KDC).
To determine the kvno issued by the KDC, issue the following command on the KDC:
ldifde -f c:\spn.txt -d "DC=abc,DC=xyz,DC=com" -l *,msDS-KeyVersionNumber -r "(serviceprincipalname=<yourspn>*)" -p subtree
where:
Parameter | Comment
-f c:\spn.txt | The file for storing the output
-d "DC=abc,DC=xyz,DC=com" | The search base; this corresponds to the domain ABC.XYZ.COM
-l *,msDS-KeyVersionNumber | Tells the command to list the key version number attribute
-r "(serviceprincipalname=HTTP/somename*)" | The LDAP filter that selects the account whose SPN begins with HTTP/somename
-p subtree | The search scope (the whole subtree under the search base)
...
dSCorePropagationData: 20110526195145.0Z
dSCorePropagationData: 20110526195043.0Z
dSCorePropagationData: 16010101000000.0Z
msDS-KeyVersionNumber: 3
In the example above, the kvno assigned by the KDC is 3. But a keytab analysis tool shows:
Key table: lowerhost-gdpwspi01.keytab
Number of entries: 1
[1] principal: host/gdpwspi01.sce.com@SCET.EIXT.COM
KVNO: 1
We can see that the KDC is generating Kerberos tokens with kvno = 3, but the keytab has an SPN entry with kvno = 1.
Answer
The solution is to regenerate the keytab with the kvno used by the KDC to generate the Kerberos tokens. For the above example, the ktpass command would be something like:
ktpass -out c:\myservice.keytab -princ HTTP/myservice@ABC.XYZ.COM -mapUser myServiceAcct -mapOp set -pass * -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -kvno 3
Note that the last parameter forces the kvno to be 3.
Replace the DataPower copy of the keytab with the keytab generated with this command. For further information about troubleshooting Kerberos Tokens in DataPower sent from .Net, see the Troubleshooting section of this developerWorks article.
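Before replacing the keytab on DataPower, it is worth confirming that the regenerated file really carries the kvno the KDC reported. The following added example (not part of this technote or of DataPower) parses the MIT keytab format (version 0x0502) and flags entries whose kvno differs from the msDS-KeyVersionNumber value; the sample keytab, principal name and key bytes are constructed for illustration.

```python
import struct

# Keytab layout (version 0x0502): 2-byte header, then entries of
# int32 size, uint16 ncomp, realm, ncomp components (uint16 len + bytes),
# uint32 name_type, uint32 timestamp, uint8 vno8, uint16 enctype,
# uint16 keylen, key bytes, and an optional uint32 vno32 (preferred if nonzero).

def _counted(buf, off):
    n, = struct.unpack_from(">H", buf, off)
    return buf[off + 2: off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    # Returns a list of (principal, kvno, enctype) for every live entry.
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        size, = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:              # negative size marks a deleted slot
            off += -size
            continue
        end, p = off + size, off
        ncomp, = struct.unpack_from(">H", data, p); p += 2
        realm, p = _counted(data, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p); comps.append(c)
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, p); p += 9
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4 + klen
        vno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm, vno32 or vno8, enctype))
        off = end
    return entries

def kvno_mismatches(entries, kdc_kvno):
    # Entries whose kvno differs from the KDC's msDS-KeyVersionNumber.
    return [(p, k) for p, k, _ in entries if k != kdc_kvno]

def make_entry(principal, kvno, enctype=23, key=b"\x00" * 16):
    # Builds one keytab entry from constructed data (23 = RC4-HMAC; key is a dummy).
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample reproducing the technote's situation: keytab kvno 1, KDC kvno 3.
SAMPLE_KEYTAB = b"\x05\x02" + make_entry("HTTP/myservice@ABC.XYZ.COM", 1)
```

Running kvno_mismatches(parse_keytab(open("myservice.keytab", "rb").read()), 3) on a keytab regenerated with -kvno 3 should return an empty list.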
Document Information
Modified date:
08 June 2021
UID
swg21502341