After upgrading to Authentication Service 4.2 the following error is seen:
Failed to find <SPN>(kvno x) in keytab FILE
Where SPN is your Service Principal name and x is the kvno number that is in the ticket but not in the service account Active Directory.
This same keytab works in 4.1.
The kvno's become mismatched by resetting the keytab with the same password and then not replacing all of the existing keytabs that share the same service account with the updated one.
This can be seen by running the following where hashtest.keytab is your keytab:
vastool ktutil -k /tmp/hashtest.keytab list --keys
The same hash will have a different kvno number and therefore the password was re-used.
It is recommended when using kerberos and keytabs to keep all keytabs in sync with any password changes that occur.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center