
AM 3.2 Kerberos configuration error


Hello,

So I am setting up Kerberos. Basic info:

IDS server name is mtkamids - IP address is 192.168.1.80

First I created the serviceUser in AD:

Firstname: mtkamids
User Logon Name: mtkamids.mtk.dk

Then I ran this from the DC: setspn -A HTTP/mtkamids.mtk.dk@MTK.DK mtkamids
Then: setspn -L mtkamids
Output: Registered ServicePrincipalNames for CN=mtkamids,OU=ServiceAccounts,OU=MTK,DC=mtk,DC=dk:
HTTP/mtkamids.mtk.dk@MTK.DK
Then I ran this from the DC: ktpass /out nidpkey.keytab /princ HTTP/mtkamids.mtk.dk@MTK.DK /mapuser mtkamids@mtk.dk /pass password

Output: Output keytab to nidpkey.keytab:
Keytab version: 0x502
keysize 66 HTTP/mtkamids.mtk.dk@MTK.DK ptype 0 (KRB5_NT_UNKNOWN) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x4a358a2e8aed559ee9f1e5581652f162)

I copied it here, on the IDS server: /opt/novell/java/jre/lib/security

I added the IDS to the forward lookup zone.

I created the kerberos class with:
SPN: HTTP/mtkamids.mtk.dk@MTK.DK
Kerberos Realm: MTK.DK
JAAS config file for Kerberos:
/opt/novell/java/jre/lib/security/bcsLogin.conf
Kerberos KDC: 10.1.2.32
User Attribute: userprincipalname

My bcsLogin.conf looks like this:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug="true"
    useTicketCache="true"
    ticketCache="/opt/novell/java/jre/lib/security/spnegoTicket.cache"
    doNotPrompt="true"
    principal="HTTP/mtkamids.mtk.dk@MTK.DK"
    useKeyTab="true"
    keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab"
    storeKey="true";
};

Then a restart: /etc/init.d/novell-idp restart

And here is the output from catalina.out:


Code:
--------------------

Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is /opt/novell/java/jre/lib/security/spnegoTicket.cache isInitiator true KeyTab is /opt/novell/jdk1.7.0_04/jre/lib/security/nidpkey.keytab refreshKrb5Config is false principal is HTTP/mtkamids.mtk.dk@MTK.DK tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is HTTP/mtkamids.mtk.dk@MTK.DK
null credentials from Ticket Cache
Added key: 23version: 3
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Added key: 23version: 3
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=10.1.2.32 UDP:88, timeout=30000, number of retries =3, #bytes=138
>>> KDCCommunication: kdc=10.1.2.32 UDP:88, timeout=30000,Attempt =1, #bytes=138

SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=10.1.2.32 UDP:88, timeout=30000,Attempt =2, #bytes=138

SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=10.1.2.32 UDP:88, timeout=30000,Attempt =3, #bytes=138

SocketTimeOutException with attempt: 3
>>> KrbKdcReq send: error trying 10.1.2.32

java.net.SocketTimeoutException: Receive timed out
java.net.SocketTimeoutException: Receive timed out
at java.net.PlainDatagramSocketImpl.receive0(Native Method)
at java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:145)
at java.net.DatagramSocket.receive(DatagramSocket.java:786)
at sun.security.krb5.internal.UDPClient.receive(NetClient.java:207)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:386)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:339)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.KdcComm.send(KdcComm.java:323)
at sun.security.krb5.KdcComm.send(KdcComm.java:219)
at sun.security.krb5.KdcComm.send(KdcComm.java:191)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:731)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:255)
at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74)
...
>>> KdcAccessibility: add 10.1.2.32

[Krb5LoginModule] authentication failed
Receive timed out
<amLogEntry> 2014-03-16T21:58:47Z SEVERE NIDS Application: AM#100104105: AMDEVICEID#047CC991A3C20DE3: Could not initialize Kerberos/GSS No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) </amLogEntry>

<amLogEntry> 2014-03-16T21:58:47Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.<init>
Thread: RMI TCP Connection(23)-127.0.0.1
false
Kerberos Config :=
com.novell.nidp.authentication.local.kerb.ADUserAttr = userprincipalname
com.novell.nidp.authentication.local.kerb.upnSuffixes =
Reconfigure = true
com.novell.nidp.authentication.local.kerb.realm = MTK.DK
com.novell.nidp.authentication.local.kerb.kdc = 10.1.2.32
com.novell.nidp.authentication.local.kerb.jaas.conf = /opt/novell/java/jre/lib/security/bcsLogin.conf
com.novell.nidp.authentication.local.kerb.svcPrincipal = HTTP/mtkamids.mtk.dk
</amLogEntry>

--------------------


I can telnet from the IDS to AD on ports 389, 636 and 88.

Any idea what might be going on?

Thanks in advance,

Jacob.


--
jacmarpet
------------------------------------------------------------------------
jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=50292


Re: AM 3.2 Kerberos configuration error


Looks like a comms issue to the KDC....

>>> KrbKdcReq send: error trying 10.1.2.32

java.net.SocketTimeoutException: Receive timed out

Are you sure that UDP port 88 is open through the firewall?


--
rtruscot

Re: AM 3.2 Kerberos configuration error


Telnet is TCP, the required protocol is UDP.... I would suspect that UDP
is being blocked but TCP is allowed...


--
ScorpionSting
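The reply above is the key point: telnet proves a TCP connection, but the Java Kerberos client in the log sent its AS-REQ to kdc=10.1.2.32 over UDP:88 and timed out. As an added check that is not part of this thread or of NetIQ Access Manager, the Python script below sends one minimal AS-REQ over UDP to the KDC and realm named in the thread; any reply (normally a KRB-ERROR, since the probe principal does not exist) proves the UDP path, while a timeout reproduces the symptom. It uses only the standard library; the DER encoding is hand-rolled here, and "probe" is a made-up client name.

```python
import socket

# Minimal DER helpers; RFC 4120 messages are DER encoded.
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def ctx(n, body):        # context-specific constructed tag [n]
    return tlv(0xA0 | n, body)

def integer(v):          # non-negative INTEGER, leading 0x00 kept when the high bit is set
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def kstring(s):          # KerberosString is a GeneralString
    return tlv(0x1B, s.encode("ascii"))

def seq(*items):
    return tlv(0x30, b"".join(items))

def build_as_req(realm, client="probe", nonce=0x12345678, etypes=(18, 17, 23)):
    """AS-REQ for client@REALM asking for krbtgt/REALM; the client need not exist."""
    cname = seq(ctx(0, integer(1)), ctx(1, seq(kstring(client))))                     # NT-PRINCIPAL
    sname = seq(ctx(0, integer(2)), ctx(1, seq(kstring("krbtgt"), kstring(realm))))  # NT-SRV-INST
    body = seq(
        ctx(0, tlv(0x03, b"\x00" * 5)),         # kdc-options: 32-bit BIT STRING, no flags set
        ctx(1, cname),
        ctx(2, kstring(realm)),
        ctx(3, sname),
        ctx(5, tlv(0x18, b"20370913024805Z")),  # till: GeneralizedTime far in the future
        ctx(7, integer(nonce)),
        ctx(8, seq(*(integer(e) for e in etypes))),  # AES256, AES128, RC4-HMAC (23, the keytab etype above)
    )
    # KDC-REQ { pvno [1] 5, msg-type [2] 10, req-body [4] } wrapped in [APPLICATION 10]
    return tlv(0x6A, seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body)))

def classify_reply(data):
    """Map the outer ASN.1 tag of a KDC reply to its message type."""
    if not data:
        return "no reply"
    return {0x6B: "AS-REP", 0x7E: "KRB-ERROR"}.get(data[0], "unknown (tag 0x%02x)" % data[0])

def probe_kdc_udp(kdc, realm, port=88, timeout=3.0):
    """Send one AS-REQ over UDP; any reply proves the UDP path, None means it timed out."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_as_req(realm), (kdc, port))
        try:
            return classify_reply(s.recvfrom(4096)[0])
        except socket.timeout:
            return None  # the condition behind "SocketTimeoutException: Receive timed out"

if __name__ == "__main__":
    # KDC and realm from the thread; None here points at UDP/88 being filtered.
    print(probe_kdc_udp("10.1.2.32", "MTK.DK"))
```

Java also honors udp_preference_limit in the [libdefaults] section of krb5.conf (1 forces TCP to the KDC), but opening UDP/88, as the thread ends up doing, is the proper remedy.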

Re: AM 3.2 Kerberos configuration error


That was exactly the problem. UDP was blocked by their firewall. Thanks
a lot guys!

Jacob.


--
jacmarpet

Re: AM 3.2 Kerberos configuration error


Hello again,

Annoyingly, now I am getting a new error.

<amLogEntry> 2014-03-17T12:24:15Z SEVERE NIDS Application: AM#200104101: AMDEVICEID#047CC991A3C20DE3: AMAUTHID#6F1B535A7A0E756CAEA9C2861C37D387: Error processing SPNEGO/Kerberos : Received NTLM Token which currently is Not supported. </amLogEntry>

Google tells me that I need to enable all encryption types on the DCs
for Kerberos for this to work. So I did that using the gpedit.msc tool.
This has no effect though. I am still getting that error with a client
that is part of the domain and has a Kerberos ticket (checked with the klist command).

I am getting this output when I start Tomcat, which seems OK to me:

>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/mtkamids.mtk.dk

principal is HTTP/mtkamids.mtk.dk@MTK.DK
Will use keytab
Added key: 23version: 4
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Commit Succeeded

Found KeyTab
Found KerberosKey for HTTP/mtkamids.mtk.dk@MTK.DK
<amLogEntry> 2014-03-17T12:24:15Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.A
Thread: http-bio-192.168.1.80-8443-exec-1
Supported Mechanism [0: 1.3.6.1.5.5.2 </amLogEntry>

<amLogEntry> 2014-03-17T12:24:15Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.A
Thread: http-bio-192.168.1.80-8443-exec-1
Supported Mechanism [1: 1.2.840.113554.1.2.2 </amLogEntry>

<amLogEntry> 2014-03-17T12:24:15Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.<init>
Thread: http-bio-192.168.1.80-8443-exec-1
true
Kerberos Config :=
FirstTime = true
SignAlias = signing
SignKeystorePassword = ZQR3FfIOgUidY0A2
SSLAlias = tomcat
SignPassword = Iws45jZSHXjG69gZ
com.novell.nidp.authentication.local.kerb.upnSuffixes =
Reconfigure = true
TruststorePassword = blH44D7nk5j08S8F
FALLBACK_AUTHCLASS = com.novell.nidp.authentication.local.ProtectedPasswordClass
com.novell.nidp.authentication.local.kerb.ADUserAttr = userprincipalname
EncAlias = encryption
com.novell.nidp.authentication.local.kerb.svcPrincipal = HTTP/mtkamids.mtk.dk
AuthnRequest = null
SystemAccess = null
LECP = false
OCSPTruststorePassword = 2KLNSG5KjtIrXp4z
ExpireCheck = false
DefinesUser = true
com.novell.nidp.authentication.local.kerb.realm = MTK.DK
SSLPassword = ZQR3fIOgUiGdY0A2
EncPassword = P4Av1W648In00L5E
com.novell.nidp.authentication.local.kerb.kdc = 10.1.2.32
com.novell.nidp.authentication.local.kerb.jaas.conf = /opt/novell/java/jre/lib/security/bcsLogin.conf
</amLogEntry>


Any idea on what might cause this?

Thanks in advance,

Jacob.


--
jacmarpet
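The "Received NTLM Token" entry means the browser answered the Negotiate challenge with an NTLM token rather than a Kerberos one, which the IDS does not accept. This added Python example, not from the thread or from NetIQ, decodes the base64 token in a client's Authorization: Negotiate header far enough to tell raw NTLM, SPNEGO wrapping Kerberos (1.2.840.113554.1.2.2, the second supported mechanism listed above) and SPNEGO offering NTLMSSP first apart. The sample tokens are constructed inline with the mechToken omitted, and the OID table it recognizes is deliberately short.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
MECH_NAMES = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def read_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form (first arc 0..2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def inspect_negotiate(header_value):
    """Classify the token in 'Authorization: Negotiate <base64>' and list offered mechs."""
    token = base64.b64decode(header_value.split(None, 1)[1])
    if not token or token[0] != 0x60:                    # not a GSS-API InitialContextToken
        kind = "raw NTLM" if token.startswith(NTLMSSP_SIGNATURE) else "unknown"
        return {"kind": kind, "mechs": []}
    _, inner, _ = read_tlv(token)                        # InitialContextToken [APPLICATION 0]
    _, oid, pos = read_tlv(inner)                        # thisMech
    mech = decode_oid(oid)
    if mech != "1.3.6.1.5.5.2":                          # e.g. a bare Kerberos AP-REQ token
        return {"kind": MECH_NAMES.get(mech, mech), "mechs": [mech]}
    _, neg, _ = read_tlv(inner, pos)                     # negTokenInit [0]
    _, init, _ = read_tlv(neg)                           # NegTokenInit SEQUENCE
    _, mt, _ = read_tlv(init)                            # mechTypes [0], always first
    _, lst, _ = read_tlv(mt)                             # SEQUENCE OF MechType
    mechs, p = [], 0
    while p < len(lst):
        _, v, p = read_tlv(lst, p)
        mechs.append(decode_oid(v))
    preferred = MECH_NAMES.get(mechs[0], mechs[0]) if mechs else "none"
    return {"kind": "SPNEGO, preferred mech: " + preferred, "mechs": mechs}

# Constructed sample tokens for offline use; short-form DER lengths suffice at this size.
OID_SPNEGO = bytes.fromhex("2b0601050502")
OID_KRB5 = bytes.fromhex("2a864886f712010202")
OID_NTLM = bytes.fromhex("2b06010401823702020a")

def _tlv(tag, body):
    return bytes([tag, len(body)]) + body

def sample_spnego(*mech_oids):   # NegTokenInit offering the given mechs in order
    mech_list = _tlv(0x30, b"".join(_tlv(0x06, o) for o in mech_oids))
    return _tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA0, _tlv(0x30, _tlv(0xA0, mech_list))))

def header(token):
    return "Negotiate " + base64.b64encode(token).decode("ascii")
```

A header whose first offered mech is NTLMSSP, or a raw NTLM token, is the client-side picture behind the log entry above: the browser either has no ticket for HTTP/mtkamids.mtk.dk or does not treat the site as eligible for integrated authentication.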

Re: AM 3.2 Kerberos configuration error

What browser did you test with? How was the browser configured regarding auth and trusting the IDP?

How did you force the group policy change to be applied?

What I believe is sufficient is to restart the KDC service on the domain controller and on the workstation, then purge all Kerberos tickets (I'd purge both user and local system tickets) on the workstation.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
Re: AM 3.2 Kerberos configuration error


Yes. Now the client actually has the correct ticket for the IDS. It
actually also seems like the Kerberos authentication goes through. Now,
though, it is stuck in an endless loop after the authentication, when
doing SSO against the UA. My configuration is as follows:

Proxy: Published DNS Name: mtkid.mtk.dk (this has been added in the DNS
configuration on the environment).
Connect using SSL = true, connection port 8543. This has been configured
on the UA, and it works.

Protected resources: One called Login with kerberos authentication, and
a form fill policy, which works from a client which is not in the
domain.
Another protected resource called root which is /* it has an
authorization policy called A_UA_Redirect. This is what I think might be
wrong somehow. It has a rule that does the following: If data entry
field = http://mtk.mtk.dk redirect to
https://mtkid.mtk.dk/IDM/jsps/login/Login.jsp

It should do this so that people are redirected there, and then it
should form fill the UA login screen (this is of course for non Kerberos
people).

When monitoring this process with Chrome (the same thing happens in IE),
I can see that it is redirected to some kerberos page, then so
sso=RequestID=xxx and a 200 OK then to
https://ids1.mtk.dk/8443/nidp/idiff/sso?sid=1, then some other page, and
then to the actual Login one, which I specified in the rule, which is
https://mtkid.mtk.dk/IDM/jsps/login/Login.jsp and then to
https://mtkid.mtk.dk/IDM/jsps/login.do;jsessionid=xxx

and then after that, it keeps reloading login.do infinitely. To me it
seems like I have been Kerberos authenticated and then something goes
wrong.

Any ideas?

Thanks in advance,

Jacob.


--
jacmarpet

Re: AM 3.2 Kerberos configuration error

jacmarpet wrote:

>
> Yes. Now the client actually has the correct ticket for the IDS. It
> actually also seems like the Kerberos authentication goes through. Now,
> though, it is stuck in an endless loop after the authentication, when
> doing SSO against the UA. My configuration is as follows:
>
> Proxy: Published DNS Name: mtkid.mtk.dk (this has been added in the DNS
> configuration on the environment).
> Connect using SSL = true, connection port 8543. This has been configured
> on the UA, and it works.
>
> Protected resources: One called Login with kerberos authentication, and
> a form fill policy, which works from a client which is not in the
> domain.
> Another protected resource called root which is /* it has an
> authorization policy called A_UA_Redirect. This is what I think might be
> wrong somehow. It has a rule that does the following: If data entry
> field = http://mtk.mtk.dk redirect to
> https://mtkid.mtk.dk/IDM/jsps/login/Login.jsp
>
> It should do this so that people are redirected there, and then it
> should form fill the UA login screen (this is of course for non Kerberos
> people).


I would suggest you configure fallback to a username/password type auth for those IPs that don't meet the kerberos requirements rather than have two protected resources.
https://www.netiq.com/documentation/netiqaccessmanager32/identityserverhelp/data/b9ud20f.html#using_name_pw_form

> When monitoring this process with Chrome (the same thing happens in IE),
> I can see that it is redirected to some kerberos page, then so
> sso=RequestID=xxx and a 200 OK then to
> https://ids1.mtk.dk/8443/nidp/idiff/sso?sid=1, then some other page, and
> then to the actual Login one, which I specified in the rule, which is
> https://mtkid.mtk.dk/IDM/jsps/login/Login.jsp and then to
> https://mtkid.mtk.dk/IDM/jsps/login.do;jsessionid=xxx


Kerberos authentication is a contract that by default doesn't return any password for the user. So formfill will never work unless your proxied app can accept some authentication that isn't username/password; you're going to need to enable the password retrieval class:

https://www.netiq.com/documentation/netiqaccessmanager32/identityserverhelp/data/pwdfetchproperties.html




Re: AM 3.2 Kerberos configuration error


alexmchugh;242183 Wrote:
> jacmarpet wrote:
>
> >
> > Yes. Now the client actually has the correct ticket for the IDS. It
> > actually also seems like the Kerberos authentication goes through. Now,
> > though, it is stuck in an endless loop after the authentication, when
> > doing SSO against the UA. My configuration is as follows:
> >
> > Proxy: Published DNS Name: mtkid.mtk.dk (this has been added in the DNS
> > configuration on the environment).
> > Connect using SSL = true, connection port 8543. This has been configured
> > on the UA, and it works.
> >
> > Protected resources: One called Login with kerberos authentication, and
> > a form fill policy, which works from a client which is not in the
> > domain.
> > Another protected resource called root which is /* it has an
> > authorization policy called A_UA_Redirect. This is what I think might be
> > wrong somehow. It has a rule that does the following: If data entry
> > field = http://mtk.mtk.dk redirect to
> > https://mtkid.mtk.dk/IDM/jsps/login/Login.jsp
> >
> > It should do this so that people are redirected there, and then it
> > should form fill the UA login screen (this is of course for non Kerberos
> > people).
>
> I would suggest you configure fallback to a username/password type auth
> for those IPs that don't meet the kerberos requirements rather than have
> two protected resources.
> http://tinyurl.com/kdrrcpx
>
> > When monitoring this process with Chrome (the same thing happens in IE),
> > I can see that it is redirected to some kerberos page, then so
> > sso=RequestID=xxx and a 200 OK then to
> > https://ids1.mtk.dk/8443/nidp/idiff/sso?sid=1, then some other page, and
> > then to the actual Login one, which I specified in the rule, which is
> > https://mtkid.mtk.dk/IDM/jsps/login/Login.jsp and then to
> > https://mtkid.mtk.dk/IDM/jsps/login.do;jsessionid=xxx
>
> Kerberos authentication is a contract that by default doesn't return any
> password for the user. So formfill will never work unless your proxied
> app can accept some authentication that isn't username/password; you're
> going to need to enable the password retrieval class:
>
> http://tinyurl.com/l2xk359
>
> --
> If you find this post helpful and are logged into the web interface,
> show your appreciation and click on the star below...

Okay. I thought that I could have both the AM ask for credentials, if
the user did not have a Kerberos ticket, and at the same time let people
through that did. I have added the internal IP addresses to the
exclusion list and added the fallback class. You say that I should only
have one protected resource. I guess that will be root, because otherwise
people would be able to access everything around the AM.

Jacob.


--
jacmarpet