
Kerberos stopped working. Not sure of the reason


Kerberos stopped working. It was working until a couple of hours ago.

We are using NAM 3.1 SP4

I enabled logging for the Identity Server and see errors like

"Authentication Method Introduction Failed" and then "Authentication
contract Kerberos failed in method 'Kerberos' for session....."

Do these errors look familiar?

I have asked for new keytab files to be generated for the AD Domain
Controller which is being used as the KDC.

I am unclear on if I will need separate keytab files for the different
Identity Servers given that they are all using the same AD DC as the
KDC.
In the Identity Server manual, it says for the parameter /princ,
"Specify the service principal name for the Identity Server, then @,
followed by the Kerberos realm. The default value for the Kerberos realm
is the Active Directory domain name in all capitals. The Kerberos realm
value is case sensitive."

Any suggestions / comments would be appreciated. Thanks everyone.


--
sadhani
------------------------------------------------------------------------
sadhani's Profile: http://forums.novell.com/member.php?userid=102002
View this thread: http://forums.novell.com/showthread.php?t=450125


Re: Kerberos stopped working. Not sure of the reason

sadhani wrote:

>
> Kerberos stopped working. It was working until a couple of hours ago.
>
> We are using NAM 3.1 SP4
>
> I enabled logging for the Identity Server and see errors like
>
> "Authentication Method Introduction Failed" and then "Authentication
> contract Kerberos failed in method 'Kerberos' for session....."
>
> Do these errors look familiar?
>
> I have asked for new keytab files to be generated for the AD Domain
> Controller which is being used as the KDC.
>
> I am unclear on if I will need separate keytab files for the different
> Identity Servers given that they are all using the same AD DC as the
> KDC.
> In the Identity Server manual, it says for the parameter /princ,
> "Specify the service principal name for the Identity Server, then @,
> followed by the Kerberos realm. The default value for the Kerberos
> realm is the Active Directory domain name in all capitals. The
> Kerberos realm value is case sensitive."
>
> Any suggestions / comments would be appreciated. Thanks everyone.


We'll need some more logs rather than just "Authentication Method
Introduction Failed" and "Authentication contract Kerberos failed in
method 'Kerberos' for session....."


Can you clear the catalina.out (echo > catalina.out) and then reproduce
the error and post the log here?

--
Cheers,
Edward

Re: Kerberos stopped working. Not sure of the reason


Did you come up with a solution for this one? We are facing the exact
same situation after upgrading to version 3.1.4. Before the upgrade it
was working fine and now the logs say that the KDC has no support for
the encryption type.

We have created the keytab file with -crypto all and also added
supported algorithm types to all at KDC end. Tried copying the original
keytab file (in case it had corrupted) again and restarted but with no
luck.


--
vesapi
vesapi's Profile: http://forums.novell.com/member.php?userid=73631


Re: Kerberos stopped working. Not sure of the reason


Obviously something has changed in 3.1.4. When it starts to configure
kerberos, it reads etc/krb5.conf which is by default empty/commented.

I added default enc types to

default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

under libdefaults, restarted tomcat and logs tell me commit succeeded.

This is very weird since nothing else has changed in the environment
which worked fine prior to upgrade.


--
vesapi


Re: Kerberos stopped working. Not sure of the reason


For us, the security team had applied some new patch on AD (KDC), which
changed the encryption and thus, broke the connection with NAM, since
the old key - values were no longer valid.
We generated a new keytab file on AD using the following command from
the NAM Identity Server guide:
I do not see any option for specifying crypto method. Please try
generating a keytab file using the command that they have given.
Also, make sure that your bcsLogin.conf under C:\Program
Files\Novell\jre\lib\security in Identity Server refers to the correct
keytab file. We had a situation once when it was referring to a
non-existent .keytab file, and thus Kerberos would not work. Replace
'nidpkey.keytab' with hostname.keytab of your identity server, and
update the value in bcsLogin.conf accordingly.

If this does not work, try posting the Identity Server log, and someone
on this forum more experienced than I might be able to help out.

"On the Active Directory server, open a command window and enter a
ktpass command with
the following parameters:
ktpass /out value /princ value /mapuser value /pass value
The command parameters require the following values:
For this configuration example, you would enter the following command
to create a keytab file
named nidpkey:
ktpass /out nidpkey.keytab /princ HTTP/amser.provo.novell.com@AD.NOVELL.COM /mapuser amser@AD.NOVELL.COM /pass novell
2 Copy the keytab file to the Identity Server.
Copy the file to the default location on the Identity Server:
Linux: /opt/novell/java/jre/lib/security
Windows Server 2003: C:\Program Files\Novell\jre\lib\security
Windows Server 2008: C:\Program Files (x86)\Novell\jre\lib\security
3 If the cluster contains multiple Identity Servers, copy the keytab
file to each member of the cluster"


- Sadhani


--
sadhani


Re: Kerberos stopped working. Not sure of the reason

NAM 3.1.4 has changed the Kerberos functionality. It included a new java
version in which the GSSAPI has changed. Extra functionality was
included that makes the kvno value important.

We needed to use /kvno with a value of 0 in the ktpass command line.
This tells GSSAPI to ignore checking on the version number and the
Kerberos functionality works. Otherwise you need to match the kvno value
to the current value in AD for this to work.

sadhani wrote:
> For us, the security team had applied some new patch on AD (KDC), which
> changed the encryption and thus, broke the connection with NAM, since
> the old key - values were no longer valid.
> We generated a new keytab file on AD using the following command from
> the NAM Identity Server guide:
> I do not see any option for specifying crypto method. Please try
> generating a keytab file using the command that they have given.
> Also, make sure that your bcsLogin.conf under C:\Program
> Files\Novell\jre\lib\security in Identity Server refers to the correct
> keytab file. We had a situation once when it was referring to a
> non-existent .keytab file, and thus Kerberos would not work. Replace
> 'nidpkey.keytab' with hostname.keytab of your identity server, and
> update the value in bcsLogin.conf accordingly.
>
> If this does not work, try posting the Identity Server log, and someone
> on this forum more experienced than I might be able to help out.
>
> "On the Active Directory server, open a command window and enter a
> ktpass command with
> the following parameters:
> ktpass /out value /princ value /mapuser value /pass value
> The command parameters require the following values:
> For this configuration example, you would enter the following command
> to create a keytab file
> named nidpkey:
> ktpass /out nidpkey.keytab /princ HTTP/amser.provo.novell.com@AD.NOVELL.COM /mapuser amser@AD.NOVELL.COM /pass novell
> 2 Copy the keytab file to the Identity Server.
> Copy the file to the default location on the Identity Server:
> Linux: /opt/novell/java/jre/lib/security
> Windows Server 2003: C:\Program Files\Novell\jre\lib\security
> Windows Server 2008: C:\Program Files (x86)\Novell\jre\lib\security
> 3 If the cluster contains multiple Identity Servers, copy the keytab
> file to each member of the cluster"
>
>
> - Sadhani
>
>


Re: Kerberos stopped working. Not sure of the reason

.. wrote:

> NAM 3.1.4 has changed the Kerberos functionality. It included a new
> java version in which the GSSAPI has changed. Extra functionality was
> included that makes the kvno value important.
>
> We needed to use /kvno with a value of 0 in the ktpass command line.
> This tells GSSAPI to ignore checking on the version number and the
> Kerberos functionality works. Otherwise you need to match the kvno
> value to the current value in AD for this to work.


I did some packet tracing a while back and noticed that the kvno
changes per OS version on the client side. Very annoying. If your kvno
doesn't match you can end up with messages like:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
2011-10-31T00:38:44Z SEVERE NIDS Application: AM#200104101:
AMDEVICEID#95D31887FA3E2FDE: AMAUTHID#D97856592EBEE7F6B5A426C54DE3612A:
Error processing SPNEGO/Kerberos : Error processing SPNEGO/Kerberos :
Error processing SPNEGO/Kerberos : Failure unspecified at GSS-API level
(Mechanism level: Specified version of key is not available (44))

It took me a few hours troubleshooting and using the /kvno 0 option
when generating the keytab indeed fixed it for me. As far as I
understand it this kvno check became part of java version 1.6.0_18.




--
Cheers,
Edward
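The replies above point at three things a keytab can get wrong for the Identity Server: the principal or realm (sadhani's question about case), the encryption types the KDC will accept (vesapi's krb5.conf fix), and the key version number (the kvno mismatch behind "Specified version of key is not available (44)"). The script below, added here as an example and not part of any post or of the NAM product, parses a keytab in the MIT/ktpass 0x0502 layout and reports those three properties so they can be compared with the mapped account in AD (its msDS-KeyVersionNumber) before the keytab is copied to every Identity Server. The keytab bytes it inspects are constructed in the script; `build_keytab`, `check_keytab` and the second host principal are assumptions for the demonstration, and the "kvno 0 means the version check is skipped" rule is taken from the thread rather than from the Java source.

```python
"""Inspect a Kerberos keytab (0x0502 / ktpass layout) and check principal, realm
case, kvno and enctypes against what an Identity Server would need.
Standard library only; the sample keytab at the bottom is constructed."""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 23}   # DES (RFC 6649) and RC4 (RFC 8429) are deprecated


def _counted(buf, pos):
    """Read a uint16-length-prefixed byte string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data):
    """Return one dict per keytab entry (version 2 layout: 0x05 0x02 header)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # realm not counted in v2
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
        entries.append({"principal": principal, "realm": realm.decode(), "kvno": kvno,
                        "enctype": enctype, "key_len": len(key),
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}")})
    return entries


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples into 0x0502 keytab bytes.
    Only used to construct the sample below; ktpass/ktutil do this in practice."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT-PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)                   # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data, principal, ad_kvno):
    """Compare the entries for `principal` with the kvno currently in AD
    (msDS-KeyVersionNumber of the /mapuser account). Returns a report dict."""
    matches = [e for e in parse_keytab(data) if e["principal"] == principal]
    report = {"found": bool(matches), "realm_uppercase": True, "kvno_ok": False,
              "wildcard_kvno": False, "mismatched_kvnos": [], "enctypes": [],
              "weak_only": False}
    if not matches:
        return report
    report["realm_uppercase"] = all(e["realm"] == e["realm"].upper() for e in matches)
    report["enctypes"] = sorted({e["enctype_name"] for e in matches})
    report["weak_only"] = all(e["enctype"] in WEAK_ENCTYPES for e in matches)
    for e in matches:
        if e["kvno"] == 0:           # ktpass /kvno 0: version check skipped (per thread)
            report["wildcard_kvno"] = True
        elif e["kvno"] != ad_kvno:   # the "Specified version of key is not available" case
            report["mismatched_kvnos"].append(e["kvno"])
    report["kvno_ok"] = not report["mismatched_kvnos"]
    return report


# Constructed sample: the guide's example principal at kvno 3 with RC4 and AES256
# keys, plus a hypothetical second Identity Server made with /kvno 0, RC4 only and
# a lower-case realm (the realm is case sensitive, as the manual quote says).
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/amser.provo.novell.com@AD.NOVELL.COM", 3, 23, bytes(range(16))),
    ("HTTP/amser.provo.novell.com@AD.NOVELL.COM", 3, 18, bytes(range(32))),
    ("HTTP/idp2.provo.novell.com@ad.novell.com", 0, 23, bytes(16)),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e['principal']:48} kvno={e['kvno']:<3} {e['enctype_name']}")
    # After a password reset on the mapped account (ktpass /pass or an AD-side
    # change) AD's kvno moves on and the old keytab no longer matches:
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/amser.provo.novell.com@AD.NOVELL.COM", ad_kvno=4))
```

Run it against a real file with `check_keytab(open("nidpkey.keytab", "rb").read(), principal, kvno)`, where the kvno comes from the mapped account's msDS-KeyVersionNumber attribute. A report with `mismatched_kvnos` populated explains the GSS-API error in Edward's last post; `weak_only` being true means the keytab depends entirely on RC4, which is what the `rc4-hmac` krb5.conf workaround pins to, so a keytab that also carries AES keys (and a KDC that offers them) is the more durable fix.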