sadhani Absent Member.

Kerberos for User App SSO not working


Hello,

I had a few issues in one of the non-Kerberos proxy services. We
started debugging that issue. In the process, it broke one of the
existing Kerberos proxy services. The Kerberos service was using totally
different contracts.

Following is the log indicating some Kerberos error. Not sure what
might have caused this. Has anyone come across this issue before?

INFO NIDS Application: AM#500105034: AMDEVICEID#3F0E12AAD91AD472:
Loaded authentication class Kerberos </amLogEntry> Debug is true
storeKey true useTicketCache true useKeyTab true doNotPrompt true
ticketCache is /opt/novell/java/jre/lib/security/spnegoTicket.cache
isInitiator true KeyTab is C:\Program Files
(x86)\Novell\jre\lib\security\*.keytab refreshKrb5Config is false
principal is HTTP/*@*.com tryFirstPass is false useFirstPass is false
storePass is false clearPass is false Acquire TGT from Cache Principal
is HTTP/*@*.COM null credentials from Ticket Cache KeyTab instance
already exists Key for the principal HTTP/*@*.COM not available in
C:\Program Files (x86)\Novell\jre\lib\security\*.keytab
[Krb5LoginModule] authentication failed Unable to obtain password from
user <amLogEntry> 2011-11-23T01:39:55Z SEVERE NIDS Application:
AM#100104105: AMDEVICEID#3F0E12AAD91AD472: Could not initialize
Kerberos/GSS No valid credentials provided (Mechanism level: Attempt to
obtain new ACCEPT credentials failed!) </amLogEntry>


--
sadhani
sadhani Absent Member.

Re: Kerberos for User App SSO not working


I forgot to mention that none of the authorization policies are being
evaluated for any of the policies. So, the redirection that we have set
is not working. Also, the laghttpheaders do not give anything for the
IDP.


--
sadhani
Knowledge Partner

Re: Kerberos for User App SSO not working

sadhani wrote:

>
> Hello,
>
> I had a few issues in one of the non-Kerberos proxy services. We
> started debugging that issue. In the process, it broke one of the
> existing Kerberos proxy services. The Kerberos service was using
> totally different contracts.
>
> Following is the log indicating some Kerberos error. Not sure what
> might have caused this. Has anyone come across this issue before?
>
> INFO NIDS Application: AM#500105034: AMDEVICEID#3F0E12AAD91AD472:
> Loaded authentication class Kerberos </amLogEntry> Debug is true
> storeKey true useTicketCache true useKeyTab true doNotPrompt true
> ticketCache is /opt/novell/java/jre/lib/security/spnegoTicket.cache
> isInitiator true KeyTab is C:\Program Files
> (x86)\Novell\jre\lib\security\*.keytab refreshKrb5Config is false
> principal is HTTP/*@*.com tryFirstPass is false useFirstPass is false
> storePass is false clearPass is false Acquire TGT from Cache Principal
> is HTTP/*@*.COM null credentials from Ticket Cache KeyTab instance
> already exists Key for the principal HTTP/*@*.COM not available in
> C:\Program Files (x86)\Novell\jre\lib\security\*.keytab
> [Krb5LoginModule] authentication failed Unable to obtain password from
> user <amLogEntry> 2011-11-23T01:39:55Z SEVERE NIDS Application:
> AM#100104105: AMDEVICEID#3F0E12AAD91AD472: Could not initialize
> Kerberos/GSS No valid credentials provided (Mechanism level: Attempt
> to obtain new ACCEPT credentials failed!) </amLogEntry>


Revert the change that broke it? It kinda looks like the configured SPN
on the contract is not matching with what is in the keytab file. Did
you check that?

--
Cheers,
Edward
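
Added example, not part of the original thread and not the product's own code: one way to carry out the check suggested in the reply above is to list the principals stored in the keytab and compare them with the SPN configured on the contract. This Python code parses the MIT keytab file format (version 0x0502); the host, realm and key in SAMPLE are constructed placeholders, and the "case-mismatch" result is included because the log prints the realm both as *.com and *.COM while principal names are case-sensitive.

```python
import struct

def _counted(buf, p):
    """Read a counted_octet_string (uint16 length + bytes) at offset p."""
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def parse_keytab(buf):
    """List (principal, kvno, enctype) for each entry of a 0x0502 keytab."""
    if buf[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if size <= 0:                 # hole left by a deleted entry, or padding
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", buf, pos)
        realm, p = _counted(buf, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(buf, p)
            comps.append(comp.decode())
        p += 8                        # skip name_type and timestamp
        kvno = buf[p]                 # 8-bit key version number
        (enctype,) = struct.unpack_from(">H", buf, p + 1)
        _key, p = _counted(buf, p + 3)  # key bytes are skipped, never returned
        if end - p >= 4:              # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", buf, p)[0] or kvno
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries

def check_spn(entries, spn):
    """Compare a configured SPN with keytab principals (case-sensitive names)."""
    names = [e[0] for e in entries]
    if spn in names:
        return "match"
    folded = [n.lower() for n in names]
    return "case-mismatch" if spn.lower() in folded else "missing"

# Constructed sample keytab: placeholder host and realm, all-zero dummy key.
_BODY = (b"\x00\x02" b"\x00\x0cEXAMPLE.TEST" b"\x00\x04HTTP"
         b"\x00\x10idp.example.test" + struct.pack(">IIBH", 1, 0, 3, 17)
         + b"\x00\x10" + bytes(16) + struct.pack(">I", 3))
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_BODY)) + _BODY
```

For a real file, pass open(path, "rb").read() to parse_keytab; only principal names, key version numbers and encryption types are returned, never the key material.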