Kerberos authentication using Java and ActiveDirectory: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN


Solution 1

KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN means the KDC has no idea who holds the SPN; in your case the requested SPN is HTTP/self-test.example.com

The two common reasons for this are:

  1. the SPN doesn't exist on any account in the Active Directory forest (doesn't seem to be your case)
  2. there is more than one account holding the same SPN (a duplicate SPN)

You probably have a duplicate SPN somewhere, hence two accounts or more are holding the same SPN.

To check which account(s) in the AD forest hold an SPN, run the following command:

setspn -Q HTTP/self-test.example.com

That should show you all the accounts (if any) that carry that SPN.

A * (wildcard) is also valid if you wish to use one for a query,

e.g. setspn -Q HTTP/self-test*

Solution 2

Requesting a ticket for Realm: EESERV.LOCAL
Should request ticket for Realm: EXAMPLE.COM

Cause: the same as the source of "Registered ServicePrincipalNames for CN=Alfresco-Test HTTP,CN=Users,DC=eeserv,DC=local:"

Assuming the service principal exists in AD and is properly configured, changing this may be sufficient. I don't know how to change it.
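As an added example (not code from either answer or from the asker), here is a small Python checker that reads a Wireshark-style TGS-REQ / KRB-ERROR dissection like the one in the question and reports the realm-versus-SPN-domain mismatch that Solution 2 points out. The dump text is constructed to mirror the question, and the rule that a host's DNS suffix maps to its upper-cased realm is an assumption that holds for the default AD domain_realm mapping.

```python
import re

# Constructed excerpt modelled on the TGS-REQ / KRB-ERROR dissection in the question.
SAMPLE_DUMP = """\
Kerberos TGS-REQ
Pvno: 5
MSG Type: TGS-REQ (12)
KDC_REQ_BODY
    Realm: EESERV.LOCAL
    Server Name (Service and Instance): HTTP/alf-test.example.com
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
Realm: EESERV.LOCAL
Server Name (Service and Instance): HTTP/alf-test.example.com
"""

# Only the fields the diagnosis needs; "Name:" / "Name-type:" sub-lines are ignored on purpose.
FIELD = re.compile(r"^\s*(Realm|Server Name \(Service and Instance\)|error_code|MSG Type):\s*(.+?)\s*$")

def parse_messages(dump):
    """Split a dissection into messages, keyed on the 'Kerberos <TYPE>' header lines."""
    messages = []
    for line in dump.splitlines():
        if line.startswith("Kerberos "):
            messages.append({"type": line.split(" ", 1)[1]})
            continue
        m = FIELD.match(line)
        if m and messages:
            messages[-1].setdefault(m.group(1), m.group(2))  # first occurrence wins
    return messages

def expected_realm(spn):
    """Default AD mapping (assumption): the host's DNS suffix, upper-cased, is its realm."""
    _service, _, host = spn.partition("/")
    if not host or "." not in host:
        return None  # short SPN such as HTTP/alf-test: realm cannot be derived from the name
    return host.split(".", 1)[1].upper()

def diagnose(dump):
    """Return findings that explain a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN reply."""
    findings = []
    for msg in parse_messages(dump):
        spn, realm = msg.get("Server Name (Service and Instance)"), msg.get("Realm")
        if msg["type"] == "TGS-REQ" and spn and realm:
            want = expected_realm(spn)
            if want and want != realm:
                findings.append(f"realm mismatch: ticket requested from {realm}, SPN {spn} belongs to {want}")
        if msg["type"] == "KRB-ERROR" and "S_PRINCIPAL_UNKNOWN" in msg.get("error_code", ""):
            findings.append(f"KDC for {realm} does not hold {spn}: check the realm mapping and run setspn -Q {spn}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DUMP):
        print(finding)
```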


Author: Therealmarley

Updated on September 18, 2022

Comments

  • Therealmarley over 1 year

    I've got a Java app that is SSO-enabled using Kerberos under the URL http://alf-test.example.com/. Unfortunately something's not working; the AD says it doesn't know the service principal. This is the TGS-REQ exchange:

    Request:

    Kerberos TGS-REQ
    Record Mark: 1499 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0101 1101 1011 = Record Length: 1499
    Pvno: 5
    MSG Type: TGS-REQ (12)
    padata: PA-TGS-REQ
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 40810000 (Forwardable, Renewable, Canonicalize)
        Realm: EESERV.LOCAL
        Server Name (Service and Instance): HTTP/alf-test.example.com
            Name-type: Service and Instance (2)
            Name: HTTP
            Name: alf-test.example.com
        till: 2037-09-13 02:48:05 (UTC)
        Nonce: 632225483
        Encryption Types: rc4-hmac rc4-hmac-old rc4-md4 des-cbc-md5 des-cbc-crc rc4-hmac-exp rc4-hmac-old-exp
    

    Reply:

    Kerberos KRB-ERROR
    Record Mark: 125 bytes
        0... .... .... .... .... .... .... .... = Reserved: Not set
        .000 0000 0000 0000 0000 0000 0111 1101 = Record Length: 125
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    stime: 2011-06-08 12:06:23 (UTC)
    susec: 23385
    error_code: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (7)
    Realm: EESERV.LOCAL
    Server Name (Service and Instance): HTTP/alf-test.example.com
        Name-type: Service and Instance (2)
        Name: HTTP
        Name: alf-test.example.com
    e-data
    

    However, the following works:

    kinit HTTP/alf-test.example.com
    

    Also, I get this output when I want setspn to list the service principal names, which looks good to me:

    setspn -l test-alfrescohttp
    Registered ServicePrincipalNames for CN=Alfresco-Test HTTP,CN=Users,DC=example,DC=com:
        HTTP/alf-test
        HTTP/alf-test.example.com
    

    So, the service principal seems to exist, but I constantly see the KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN error in Wireshark when the browser first hits the host. I'm confused, what could be wrong here?

    Best regards, Michael

  • Therealmarley almost 13 years
    You are right, but unfortunately, that was a mistake on my side. I forgot to replace the domain part with example.com.
  • maweeras almost 13 years
    Can you please edit your original post and sanitize as appropriate? Else leave the domain names as is. Your typos make it hard to answer your question. The SPN unknown response was received because the KDC the request went to couldn't find anything with the relevant SPN. Is this KDC from the same domain as the one the setspn -l was issued against? Your kinit is working because that Kerberos client is configured to find the KDC for the realm where the SPN is registered.