fartyalvikram

Kerberos Authentication not working

I want to configure Kerberos authentication so that my Active Directory users can also log in to the IDM User Application.
After configuring the bcsLogin configuration file, when I restart the IDP server as suggested in the Access Manager Appliance Admin Guide, using the rcnovell-idp restart command, I can see in the IDP logs that it gives me the error [Krb5LoginModule] authentication failed. The IDP logs are given below:
Debug is  true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is /opt/novell/java/jre/lib/security/spnegoTicket.cache isInitiator true KeyTab is /opt/novell/java/jre/lib/security/nidpkey.keytab refreshKrb5Config is false principal is HTTP/nam.demo.local@DEMO.local tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is HTTP/nam.demo.local@DEMO.local
null credentials from Ticket Cache
>>> KeyTabInputStream, readName(): DEMO.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): nam.demo.local
>>> KeyTab: load() entry length: 65; type: 23
Looking for keys for: HTTP/nam.demo.local@DEMO.local
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
Added key: 23version: 3
>>> KdcAccessibility: reset
Looking for keys for: HTTP/nam.demo.local@DEMO.local
Added key: 23version: 3
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.168.1.100 UDP:88, timeout=30000, number of retries =3, #bytes=145
>>> KDCCommunication: kdc=192.168.1.100 UDP:88, timeout=30000,Attempt =1, #bytes=145
>>> KrbKdcReq send: #bytes read=177
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

>>> KdcAccessibility: remove 192.168.1.100
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Jan 02 17:58:14 IST 2018 1514896094000
suSec is 609948
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/DEMO.local@DEMO.local
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16

>>>Pre-Authentication Data:
PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
Looking for keys for: HTTP/nam.demo.local@DEMO.local
Added key: 23version: 3
Looking for keys for: HTTP/nam.demo.local@DEMO.local
Added key: 23version: 3
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.168.1.100 UDP:88, timeout=30000, number of retries =3, #bytes=228
>>> KDCCommunication: kdc=192.168.1.100 UDP:88, timeout=30000,Attempt =1, #bytes=228
>>> KrbKdcReq send: #bytes read=1400
>>> KdcAccessibility: remove 192.168.1.100
Looking for keys for: HTTP/nam.demo.local@DEMO.local
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
[Krb5LoginModule] authentication failed
Message stream modified (41)
<amLogEntry> 2018-01-02T12:28:56Z SEVERE NIDS Application: AM#100104105: AMDEVICEID#6CF8D8AFC3EC4E16: Could not initialize Kerberos/GSS No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) </amLogEntry>

<amLogEntry> 2018-01-02T12:28:56Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.<init>
Thread: RMI TCP Connection(2)-127.0.0.1
false
Kerberos Config :=
com.novell.nidp.authentication.local.kerb.ADUserAttr = userprincipalname
com.novell.nidp.authentication.local.kerb.upnSuffixes =
Reconfigure = true
com.novell.nidp.authentication.local.kerb.realm = DEMO.local
com.novell.nidp.authentication.local.kerb.kdc = 192.168.1.100
com.novell.nidp.authentication.local.kerb.jaas.conf = /opt/novell/java/jre/lib/security/bcsLogin.conf
com.novell.nidp.authentication.local.kerb.svcPrincipal = HTTP/nam.demo.local@DEMO.local
</amLogEntry>


On the Active Directory side, inside Local Security Policy, all of the options below are selected in "Network Security: Configure encryption types allowed for Kerberos":
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types
And on the user account I checked the options as in the screenshot below.


I am using Windows Server 2012 R2, Access Manager Appliance 4.4 and IDM 4.6.
Knowledge Partner

Re: Kerberos Authentication not working

On 03-01-2018 12:34 AM, fartyalvikram wrote:
>
> I want to configure Kerberos Authentication, So that my Active Directory
> Users can also login into IDM User Application.
> After configuring the bcsLogin Configuration File when I restart the IDP
> server as suggested in the Access Manager Appliance Admin guide, using
> rcnovell-idp restart command, and I can see in the IDP logs they gives
> me error *[Krb5LoginModule] authentication failed*. IDP logs are given
> below
>


Add a property to your bcsLogin config called isInitiator and set it to false.


--
Cheers,
Edward
fartyalvikram
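As an added illustration (not code from the thread, NetIQ or Micro Focus): a small Python parser for a bcsLogin.conf JAAS entry, built from the option values shown in the poster's debug line, which flags the isInitiator setting Edward points at. The entry name and file layout are assumed to follow the form the NAM documentation uses.

```python
import re

# Constructed sample (assumption): the JAAS entry implied by the poster's
# Krb5LoginModule debug line, i.e. storeKey/useTicketCache/useKeyTab/
# doNotPrompt all true and isInitiator still at its default of true.
SAMPLE_BCSLOGIN_CONF = """
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        debug="true"
        useTicketCache="true"
        ticketCache="/opt/novell/java/jre/lib/security/spnegoTicket.cache"
        doNotPrompt="true"
        principal="HTTP/nam.demo.local@DEMO.local"
        useKeyTab="true"
        keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab"
        storeKey="true"
        isInitiator="true";
};
"""

# One JAAS entry: <name> { <module> <flag> key="value" ... ; };
ENTRY_RE = re.compile(r"(\S+)\s*\{(.*?)\};", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_jaas(text):
    """Return {entry_name: {"module": ..., "flag": ..., "options": {...}}}."""
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        tokens = body.split()
        module, flag = tokens[0], tokens[1]
        entries[name] = {"module": module, "flag": flag,
                         "options": dict(OPTION_RE.findall(body))}
    return entries


def lint_acceptor(entry):
    """Settings that stop Krb5LoginModule from acting as a GSS acceptor."""
    o = entry["options"]
    problems = []
    # Krb5LoginModule defaults isInitiator to true; a service (acceptor)
    # login needs it false or GSS cannot obtain ACCEPT credentials.
    if o.get("isInitiator", "true").lower() != "false":
        problems.append("isInitiator must be false for the acceptor entry")
    if o.get("useKeyTab", "false").lower() != "true" or not o.get("keyTab"):
        problems.append("useKeyTab=true and a keyTab path are required")
    if o.get("storeKey", "false").lower() != "true":
        problems.append("storeKey=true is required so the service key is kept")
    if not o.get("principal", "").startswith("HTTP/"):
        problems.append("principal should be the HTTP/<host>@<REALM> SPN")
    return problems
```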

Re: Kerberos Authentication not working

Thanks. After adding isInitiator set to false, the commit succeeded.

Now when I try to access the protected IDM User App using the Kerberos contract and enter the login credentials of an AD user, it redirects me to the User Application Guest page, and when I click the login button it redirects me to the same page again.
Please suggest where I am wrong.
Knowledge Partner

Re: Kerberos Authentication not working

On 10-01-2018 11:24 PM, fartyalvikram wrote:
>
> Thanks, after adding isInitiator set to false, the Commit Succeeded.
>
> Now when I try to access protected IDM User App using Kerberos Contract
> and enter login credentials of AD user then it redirect me to the User
> Application Guest Page and when I click on login button it redirect me
> to the same page again.
> Please suggest me where I am wrong.
>
>


Sorry, is NAM protecting OSP/UA, or is this all done on OSP/UA?



--
Cheers,
Edward
fartyalvikram

Re: Kerberos Authentication not working

Yes, inside NAM; currently I have protected the User Application as below.



Please suggest if I have missed anything.
Knowledge Partner

Re: Kerberos Authentication not working

On 11-01-2018 11:14 PM, fartyalvikram wrote:
>
> Yes, inside NAM, currently I have protected User Application like below
>
> [attachment: ua.JPG]
>
> Please suggest me if I miss anything.
>


So what are you trying to achieve here? SSO to the User App? If so, you'll have to configure federation between NAM and OSP. That is the only supported way to do it. The behaviour you have so far makes sense now, as the UA has no clue who you are, hence why it shows you as logged in as guest.


--
Cheers,
Edward
fartyalvikram

Re: Kerberos Authentication not working

My agenda is only that I want Active Directory users to log in to the IDM User Application.
Is this possible by configuring federation between NAM and OSP?
Knowledge Partner

Re: Kerberos Authentication not working

On 12-01-2018 10:54 PM, fartyalvikram wrote:
>
> My agenda is only that I want to login via Active Directory Users into
> IDM User Application.
> Is this possible via configure federation between NAM and OSP?


Yes, you would configure OSP as a service provider in NAM, and on the service provider you configure the Kerberos contract to be used for authentication.

It's all in the documentation:

https://www.netiq.com/documentation/identity-manager-46/setup/data/b1ciyngf.html




--
Cheers,
Edward
fartyalvikram

Re: Kerberos Authentication not working

Thanks for correcting me.
Here is one problem with my OSP: when I try to access the metadata for OSP using the URL below, as documented,
http://192.168.1.111:8180/osp/a/idm/auth/saml2/spmetadata
it goes to the following page, and I tried to view the page source for the spmetadata.xml file, but there is no content for spmetadata or metadata.



So can you please help me with this, or do I have to post another thread for this issue?
Knowledge Partner

Re: Kerberos Authentication not working

On 12-01-2018 11:44 PM, fartyalvikram wrote:
>
> Thanks for correcting me.
> Here is one problem with my OSP, when I try to access the Metadata for
> OSP using the below URL as documented,
> http://192.168.1.111:8180/osp/a/idm/auth/saml2/spmetadata
> It will goes to the following page and I tried to view the page source
> for the spmetadata.xml file but there is no content for spmetadata or
> metadata.


Check your OSP Tomcat logs for any errors. If you don't see any, set the log level to TRACE (-Dcom.netiq.idm.osp.logging.level=TRACE; the default is WARN) in setenv.sh, restart Tomcat and try again, I'd say.


--
Cheers,
Edward