Posted to users@directory.apache.org by "Rippich, Andrej" <A....@psi-bt.de> on 2009/05/13 14:56:55 UTC

Exporting kerberos keys from service principal

Hi all,

I'm trying to set up a simple (and sample) web application which uses
Kerberos as authentication protocol.

I'm using Apache DS 1.5.1 as KDC.

I've created two service principals (krbtgt and a principal which
belongs to my target service) and a user principal.

I'm using JGSS with Sun's Krb5LoginModule with Java 6.

Because I don't know how to export the generated keys for the service
principal I've set a plain text password for my service principal. I've
further created a Keytab using the Java Tool ktab (ktab -a
server/hostname@EXAMPLE.COM plaintext password) using the same password
as I used when creating the service principal.

When I'm trying to run my application the client is able to get the TGT
and TGS ticket but on the server side the JGSS context acceptSecContext
call fails.

The JGSS debug output is:  (Mechanism level: Integrity check on
decrypted field failed (31)).

It seems to me there is something wrong with the keys of the service
principal but as I'm starting with Kerberos I'm not sure what exactly
causes the problem.

My question: is there a way (without writing my own tool using
LDAP/JNDI) to export generated keys of a service principal from Apache
DS to a keytab?

Or is there another solution and my approach is wrong?

Thanks in advance

Andrej
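
Added example, not part of the original post: a minimal reader for keytab files in format version 0x0502 that lists each entry's principal, key version number and encryption type, the values to compare against the service principal's entry in the KDC when acceptSecContext reports an integrity check failure. The function names and the sample keytab bytes (all-zero placeholder key) are constructed for illustration.

```python
import struct

# Subset of the IANA Kerberos encryption type numbers.
ETYPES = {3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def counted(buf, pos):
    """Read a 16-bit length-prefixed byte string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated keytab entry")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return a list of (principal, kvno, enctype, key) from 0x0502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                # negative size marks a deleted slot: skip it
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = counted(entry, 2)
        comps = []
        for _ in range(ncomp):       # name components follow the realm
            c, p = counted(entry, p)
            comps.append(c.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", entry, p)
        key, p = counted(entry, p + 11)
        if len(entry) - p >= 4:      # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", entry, p)
            kvno = kvno32 or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno,
                    ETYPES.get(etype, str(etype)), key))
    return out

def build_entry(realm, comps, kvno, etype, key):
    """Build one constructed keytab entry (sample data for this example)."""
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: one AES128 entry with an all-zero placeholder key.
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.COM", ["server", "hostname"], 1, 17, bytes(16))
```

Calling `parse_keytab(open(path, "rb").read())` on a real keytab gives the same tuples; the key bytes are secret material and should not be logged.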