I have a machine with a NetBIOS name of devmgr02. It has a name resolvable to devmgr02.example.com. I also have a host alias for this machine called dev.example.com. This is being handled by Active Directory. I don't have any issues with access to dev.example.com for anything web related, except with VSJ. It seems that VSJ (maybe it's WebSphere's fault) wants to use the physical host name devmgr02 for the Principal instead of dev. It appears as if VSJ asks for the host name or the IP address is used to reverse resolve the hostname which has 2 entries and devmgr02 is the first entry to be returned. Now, it doesn't seem that this happens in all cases, but often enough that it causes a problem.
I would like to avoid having to create new SPNs and keytabs every time we upgrade our servers from one machine to another (while keeping the first machine running during setup and configuration of the new machine), but don't see a way to do this. Creating new SPNs and keytabs is painful from the perspective that the Windows server admins have to do the work and their priorities aren't always my priorities, not to mention the additional work required each time.
I did see an entry in the forums here that talked about using setspn -A when behind a load balancer, does this somehow apply?
Any ideas?
[3/22/07 11:28:33:800 CDT] 0000009e CommonsSsoLog E com.wedgetail.idm.sso.util.CommonsSsoLogger error Session ID: faw34234awf3f4w34afwe4
Request: /somecontextroot
Remote: 172.1.1.1
Principal: HTTP/dev.example.com@EXAMPLE.COM
Message: Could not authorize request: com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: org.ietf.jgss.GSSException, major code: 11, minor code: -1
major string: General failure, unspecified at GSSAPI level
minor string: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 4, Principal "HTTP/devmgr02.example.com@EXAMPLE.COM" using key:
Principal: HTTP/dev.example.com@EXAMPLE.COM
Type: 1
TimeStamp: Thu Nov 17 15:57:32 CST 2005
KVNO: -1
Key: [23, aa aa aa aa aa aa aa a aa aa aa aa aa aa aa aa ]
Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem]
[Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?]
When it performs a basic fallback authentication, it responds with: connecting to devmgr02.example.com, not connecting to dev.example.com.
My next post will include the commands we use for ktpass and jkutil.
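Added example, not from the original post or from VSJ/WebSphere: a small Python check that pulls the ticket principal, the keytab principal and both KVNOs out of a VSJ "Could not decrypt service ticket" error like the one above and reports why the decryption failed, so the alias-versus-physical-host mismatch and the stale-KVNO hint are visible at a glance instead of being read out of the stack trace. The log text inside the block is a constructed condensation of the error shown above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the decrypt-failure lines from the VSJ/SPNEGO error above (placeholder names).
SAMPLE_LOG = """\
minor string: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 4, Principal "HTTP/devmgr02.example.com@EXAMPLE.COM" using key:
Principal: HTTP/dev.example.com@EXAMPLE.COM
KVNO: -1
Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem]
[Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?]
"""

# Ticket side: enctype, kvno and server principal the client actually asked the KDC for.
TICKET_RE = re.compile(r'Key type (\d+), KVNO (-?\d+), Principal "([^"]+)" using key:')
# Keytab side: the entry VSJ tried (principal line followed later by its KVNO line).
KEYTAB_RE = re.compile(r'^Principal: (\S+)$.*?^KVNO: (-?\d+)$', re.M | re.S)

@dataclass
class Diagnosis:
    ticket_principal: str
    ticket_kvno: int
    enctype: int
    keytab_principal: str
    keytab_kvno: int
    findings: List[str] = field(default_factory=list)

def host_of(principal: str) -> str:
    # 'HTTP/dev.example.com@EXAMPLE.COM' -> 'dev.example.com'
    return principal.split("@", 1)[0].split("/", 1)[-1].lower()

def diagnose(log_text: str) -> Optional[Diagnosis]:
    """Explain why a service ticket could not be decrypted with the keytab key."""
    t = TICKET_RE.search(log_text)
    if not t:
        return None
    k = KEYTAB_RE.search(log_text, t.end())  # keytab entry is printed after "using key:"
    if not k:
        return None
    d = Diagnosis(t.group(3), int(t.group(2)), int(t.group(1)), k.group(1), int(k.group(2)))
    if host_of(d.ticket_principal) != host_of(d.keytab_principal):
        d.findings.append(f"SPN mismatch: client obtained a ticket for {host_of(d.ticket_principal)} "
                          f"but the keytab entry covers {host_of(d.keytab_principal)}")
    if d.keytab_kvno != d.ticket_kvno:
        d.findings.append(f"KVNO mismatch: ticket kvno {d.ticket_kvno}, keytab kvno {d.keytab_kvno} "
                          "(wildcard match; keytab may have been generated from a stale password)")
    if "Integrity check failure" in log_text[t.end():]:
        d.findings.append("key material differs: decryption with the keytab key failed")
    return d
```

Run `diagnose(SAMPLE_LOG).findings` (or feed it the full SystemOut excerpt) to list the reasons; the same check works on the real log because it only keys off the literal phrases VSJ prints.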