Anonymous_User Absent Member.

Kerberos issues in access manager 3.2


Kerberos Authentication

I have configured Kerberos authentication, adding a Windows XP machine
using the IE browser. We have followed the steps provided in the
documentation for the same.

When we test the URL for Kerberos authentication from the Windows XP
machine, we get the login prompt page. As per the Novell
documentation, it must not ask for login and should log in
directly. Pasting some of the lines from the documentation.

****************start
In the URL field, enter the base URL of the Identity Server with port
and application. For this example configuration:
http://amser.provo.novell.com:8080/nidp


The Identity Server should authenticate the user without prompting the
user for authentication information. If a problem occurs, check for the
following configuration errors:

Verify the default user store and contract. See Step 13.

******************************************end

Any quick help please


--
novell_usernew
------------------------------------------------------------------------
novell_usernew's Profile: https://forums.netiq.com/member.php?userid=3584
View this thread: https://forums.netiq.com/showthread.php?t=46881


Re: Kerberos issues in access manager 3.2

On 20.02.2013 09:24, novell usernew wrote:
>
> Kerberos Authentication
>
> I have configured Kerberos authentication, adding a Windows XP machine
> using the IE browser. We have followed the steps provided in the
> documentation for the same.
>
> When we test the URL for Kerberos authentication from the Windows XP
> machine, we get the login prompt page. As per the Novell
> documentation, it must not ask for login and should log in
> directly. Pasting some of the lines from the documentation.
>
> ****************start
> In the URL field, enter the base URL of the Identity Server with port
> and application. For this example configuration:
> http://amser.provo.novell.com:8080/nidp
>
>
> The Identity Server should authenticate the user without prompting the
> user for authentication information. If a problem occurs, check for the
> following configuration errors:
>
> Verify the default user store and contract. See Step 13.


Can you provide more information about how you are trying to authenticate?

Are you trying to access a resource that is proxied by the Access
Gateway or are you trying to authenticate directly against the Identity
Server (IDP)?

What IE version?

Does the XP machine meet the requirements outlined in the documentation
(its computer account must be provisioned in the same AD domain as the
user account, the user/computer must not be running cached/offline mode)?

Have you enabled the appropriate logging to debug level (5.3.1 Enabling
Logging for Kerberos Transactions)?

--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: Kerberos issues in access manager 3.2


I am trying to authenticate against the Identity Server and not the
protected URL:
http://amser.provo.novell.com:8080/nidp

Yes, the XP machine meets the requirements and I have added the machine
to the AD domain.
Also, for IE I have made the changes in Internet Options for the IE
browser as per the given steps.


--
novell_usernew
------------------------------------------------------------------------
novell_usernew's Profile: https://forums.netiq.com/member.php?userid=3584
View this thread: https://forums.netiq.com/showthread.php?t=46881


Re: Kerberos issues in access manager 3.2

On 20.02.2013 10:54, novell usernew wrote:
>
> I am trying to authenticate against Identity server and not the
> protected URL
> http://amser.provo.novell.com:8080/nidp


You need to define an ID in the contract card tab.

See:
https://www.netiq.com/documentation/netiqaccessmanager32/identityserverhelp/data/localcontract.html

"Configure a card for the contract by filling in the following:

ID: (Optional) Specify an alphanumeric value that identifies the card.
If you need to reference this card outside of the Administration
Console, you need to specify a value here. If you do not assign a value,
the Identity Server creates one for its internal use."

Once you define the ID, you can use this format URL: (assuming you
defined your ID as "krb")

http://idp.domain.com/nidp/app/login?id=krb

Alternatively, you can make Kerberos the default contract - however you
need to evaluate what consequences that has for existing services
accessed through your Access Manager solution.


--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.

Re: Kerberos issues in access manager 3.2


Alex,

First of all, thanks.

I tried your solution. The Kerberos card is already configured, its ID is
kerberos_1, and it is the default contract.

When I use http://domainname/nidp/app/login?id=kerberos_1 without the
port number, it gives a page not found error.

But when I use http://domainname:8080/nidp/app/login?id=kerberos_1 it
again gives a login prompt.

Please note I am getting a commit successful message in the logs,
indicating the configuration is fine.


--
novell_usernew
------------------------------------------------------------------------
novell_usernew's Profile: https://forums.netiq.com/member.php?userid=3584
View this thread: https://forums.netiq.com/showthread.php?t=46881


Re: Kerberos issues in access manager 3.2

On 20.02.2013 13:14, novell usernew wrote:
>
> Alex,
>
> First of all, thanks.
>
> I tried your solution. The Kerberos card is already configured, its ID is
> kerberos_1, and it is the default contract.
>
> When I use http://domainname/nidp/app/login?id=kerberos_1 without the
> port number, it gives a page not found error.
>
> But when I use http://domainname:8080/nidp/app/login?id=kerberos_1 it
> again gives a login prompt.
>
> Please note I am getting a commit successful message in the logs,
> indicating the configuration is fine.


Just a couple of suggestions.

1. Try without the underscore (the documentation says you need to use an
alphanumeric value for the ID; that means A to Z and 0 to 9, no other
characters).

2. From memory the "commit successful message" just means that the
keytab bit is okay. You should get more log entries when the actual user
authentication is in progress.

3. Although it will work with http, you should eventually try to get
this working with https.

4. The reason you need to specify the port 8080 is that you haven't yet
translated the Identity Server Configuration Ports - see
https://www.netiq.com/documentation/netiqaccessmanager32/identityserverhelp/data/b6fyxpk.html
for details on how to do this.


--
----------------------------------------------------------------------
Alex McHugh
NetIQ Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support is provided via email.
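
A troubleshooting sketch for the points raised in this thread, added here as an example and not part of the original posts or of NetIQ's code: it builds the contract login URL in the `/nidp/app/login?id=` format quoted above, rejects non-alphanumeric contract IDs, and classifies HTTP headers copied from a browser trace. The function names are hypothetical, and it assumes the Identity Server follows standard HTTP Negotiate (RFC 4559: a 401 with `WWW-Authenticate: Negotiate`, answered by `Authorization: Negotiate <base64 token>`).

```python
import base64
import re
from typing import Optional
from urllib.parse import urlencode, urlsplit

def contract_login_url(base_url: str, contract_id: str) -> str:
    """Build the contract-specific login URL; reject non-alphanumeric IDs."""
    if not re.fullmatch(r"[A-Za-z0-9]+", contract_id):
        raise ValueError(f"contract ID {contract_id!r} is not alphanumeric")
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("base URL must look like http(s)://host[:port]")
    # host:port is kept exactly as given, so an untranslated port such as
    # 8080 stays in the URL.
    return f"{parts.scheme}://{parts.netloc}/nidp/app/login?" + urlencode({"id": contract_id})

def server_offers_negotiate(status: int, www_authenticate: Optional[str]) -> bool:
    """True if the response is a 401 challenge that lists the Negotiate scheme."""
    if status != 401 or not www_authenticate:
        return False
    schemes = [p.strip().split(" ")[0].lower() for p in www_authenticate.split(",")]
    return "negotiate" in schemes

def classify_authorization(header: Optional[str]) -> str:
    """Classify the browser's Authorization header from the login attempt."""
    if not header:
        return "no-token"        # browser never answered the challenge
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "negotiate":
        return "other-scheme"
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return "malformed"
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"            # raw NTLM token, not a Kerberos ticket
    if raw[:1] == b"\x60":
        return "gssapi"          # GSS-API framing used by SPNEGO/Kerberos
    return "unknown"

# Constructed sample headers (not captured from a real system).
SAMPLE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
SAMPLE_GSS = "Negotiate " + base64.b64encode(bytes.fromhex("600806062b0601050502")).decode()
```

The leading-byte check is a heuristic on the token framing only; it does not validate the ticket, which remains the job of the Identity Server and its Kerberos logging.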

Re: Kerberos issues in access manager 3.2


Internet Explorer version is 8.0


--
novell_usernew
------------------------------------------------------------------------
novell_usernew's Profile: https://forums.netiq.com/member.php?userid=3584
View this thread: https://forums.netiq.com/showthread.php?t=46881
