I am trying to test my application, which runs inside an MS domain. The app server has deployed successfully. Both Kerberos and username/password authentication work well.
But when I add a 'test' (there are some reasons why it's a controller) using 'KerberosRestTemplate' with a client keytab generated by 'ktpass', 'SunJaasKerberosTicketValidator' throws an exception:
'java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))'.
I suspect the reason is that the keytab file generated by ktpass is broken. This is how I generate it:

    C:> ktpass /princ deniz@TESTAD.LOCAL /pass Qw1er2ty3 /ptype KRB5_NT_PRINCIPAL /out deniz.keytab
    NOTE: creating a keytab but not mapping principal to any user.
    For the account to work within a Windows domain, the
    principal must be mapped to an account, either at the
    domain level (with /mapuser) or locally (using ksetup)
    If you intend to map deniz@TESTAD.LOCAL to an account through other means
    or don't need to map the user, this message can safely be ignored.
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to deniz.keytab:
    Keytab version: 0x502
    keysize 52 deniz@TESTAD.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x17 (RC4-HMAC) keylength 16 (0xa0eb0b1e09b8c36edc2da4762c53283f)
Just in case, I've saved a sample on my GitHub: https://github.com/mezlogo/kerberos_sample
I think my keytab is broken, but I can't find how to generate it for client usage (without HTTP/username@DOMAIN).
P.S. Sorry for my English.
Whenever you run ktpass, AD increments the key version number stored in AD by 1. So before running ktpass you need to look at the actual value and specify this value incremented by 1 using the /kvno option (https://technet.microsoft.com/en-us/library/cc753771.aspx), so that the key version number stored in AD and the one in the keytab file are identical.
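To verify the mismatch the answer describes rather than guess at it, here is an added Python example (not from the question's GitHub sample or from any Kerberos library) that parses the 0x502 keytab that ktpass writes, reports each entry's principal, kvno and etype, and compares the kvno with the account's msDS-KeyVersionNumber read from AD (passed in as an integer, e.g. from Get-ADUser). The embedded keytab bytes are constructed to mirror the ktpass output above (keysize 52, vno 1, etype 0x17) with an all-zero key in place of the real one.

```python
import struct
from typing import List, NamedTuple

KeytabEntry = NamedTuple("KeytabEntry", [("principal", str), ("kvno", int), ("etype", int), ("keylen", int)])

def _counted(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)            # counted_octet_string: uint16 length + bytes
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT keytab (version 0x0502, the format ktpass writes) into entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)    # entry length, excluding this field
        pos += 4
        if size < 0:                                     # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # components, realm not counted in 0x502
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        etype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 9 + 4 + keylen                            # skip name_type, timestamp, vno8, keyblock
        kvno = vno8
        if end - pos >= 4:                               # optional 32-bit vno appended after the key
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, keylen))
        pos = end
    return entries

def kvno_mismatches(entries: List[KeytabEntry], ad_kvno: int) -> List[KeytabEntry]:
    """Entries whose kvno differs from the account's msDS-KeyVersionNumber in AD."""
    return [e for e in entries if e.kvno != ad_kvno]

# Constructed sample mirroring the ktpass output above: one 52-byte entry for
# deniz@TESTAD.LOCAL, name type 1, vno 1, etype 0x17 (RC4-HMAC), 16-byte key (zeros, not the real key).
SAMPLE_KEYTAB = (b"\x05\x02" + struct.pack(">i", 52)
                 + struct.pack(">H", 1) + struct.pack(">H", 12) + b"TESTAD.LOCAL"
                 + struct.pack(">H", 5) + b"deniz" + struct.pack(">IIB", 1, 0, 1)
                 + struct.pack(">HH", 0x17, 16) + b"\x00" * 16)
```

Run `parse_keytab(open("deniz.keytab", "rb").read())` against a real file and compare its kvno with the AD value before deciding whether to regenerate with /kvno.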