
NAM Kerberos issue: pre-authentication failed


I've set up NAM 3.2.2 IR2 with AD (2003 functional level, although there
ARE 2008 R2 servers as DCs in the domain).

However, when I restart the idp, the catalina.out gives errors regarding
the Kerberos stuff.

I've verified the Kerberos realm name is in all caps, I've verified the
userid/password.

It looks (to me) like an encryption issue, but the docs indicate that as
long as you re-did the keytab file, the DES issue should be resolved
(plus it only applies to Win7 and IE8).

> Config name: /etc/krb5.conf
> Debug is true storeKey true useTicketCache true useKeyTab true
> doNotPrompt true ticketCache is
> /opt/novell/java/jre/lib/security/spnegoTicket.cache isInitiator true
> KeyTab is /opt/novell/java/jre/lib/security/nidpkey.keytab
> refreshKrb5Config is false principal is
> HTTP/nam-idp-test.abc.com@abc.com tryFirstPass is false useFirstPass is
> false storePass is false clearPass is false
> Acquire TGT from Cache
> Principal is HTTP/nam-idp-test.abc.com@abc.com
> null credentials from Ticket Cache
> >>> KeyTabInputStream, readName(): ABC.COM
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): nam-idp-test.abc.com
> >>> KeyTab: load() entry length: 84; type: 23
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> >>> KdcAccessibility: reset
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=10.10.252.107 UDP:88, timeout=30000, number of retries =3, #bytes=171
> >>> KDCCommunication: kdc=10.10.252.107 UDP:88, timeout=30000,Attempt =1, #bytes=171
> >>> KrbKdcReq send: #bytes read=187
> >>>Pre-Authentication Data:
>      PA-DATA type = 11
>      PA-ETYPE-INFO etype = 23, salt =
>
> >>>Pre-Authentication Data:
>      PA-DATA type = 19
>      PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> >>>Pre-Authentication Data:
>      PA-DATA type = 2
>      PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
>      PA-DATA type = 16
>
> >>>Pre-Authentication Data:
>      PA-DATA type = 15
>
> >>> KdcAccessibility: remove 10.10.252.107
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
>      sTime is Thu May 22 11:50:43 EDT 2014 1400773843000
>      suSec is 183564
>      error code is 25
>      error Message is Additional pre-authentication required
>      realm is abc.com
>      sname is krbtgt/abc.com
>      eData provided.
>      msgType is 30
> >>>Pre-Authentication Data:
>      PA-DATA type = 11
>      PA-ETYPE-INFO etype = 23, salt =
>
> >>>Pre-Authentication Data:
>      PA-DATA type = 19
>      PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> >>>Pre-Authentication Data:
>      PA-DATA type = 2
>      PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
>      PA-DATA type = 16
>
> >>>Pre-Authentication Data:
>      PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=10.10.252.107 UDP:88, timeout=30000, number of retries =3, #bytes=254
> >>> KDCCommunication: kdc=10.10.252.107 UDP:88, timeout=30000,Attempt =1, #bytes=254
> >>> KrbKdcReq send: #bytes read=102
> >>> KrbKdcReq send: kdc=10.10.252.107 TCP:88, timeout=30000, number of retries =3, #bytes=254
> >>> KDCCommunication: kdc=10.10.252.107 TCP:88, timeout=30000,Attempt =1, #bytes=254
> >>>DEBUG: TCPClient reading 1535 bytes
> >>> KrbKdcReq send: #bytes read=1535
> >>> KdcAccessibility: remove 10.10.252.107
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> [Krb5LoginModule] authentication failed
> Message stream modified (41)
> <amLogEntry> 2014-05-22T15:50:43Z SEVERE NIDS Application: AM#100104105:
> AMDEVICEID#CA156ECCB2B7656F: Could not initialize Kerberos/GSS No valid
> credentials provided (Mechanism level: Attempt to obtain new ACCEPT
> credentials failed!) </amLogEntry>
>
> <amLogEntry> 2014-05-22T15:50:43Z DEBUG NIDS Application:
> Method: SpnegoAuthenticator.<init>
> Thread: RMI TCP Connection(2)-127.0.0.1
> false
> Kerberos Config :=
> com.novell.nidp.authentication.local.kerb.ADUserAttr = employeeID
> com.novell.nidp.authentication.local.kerb.upnSuffixes = abc.com
> Reconfigure = true
> com.novell.nidp.authentication.local.kerb.realm = ABC.COM
> com.novell.nidp.authentication.local.kerb.kdc = 10.10.252.107
> com.novell.nidp.authentication.local.kerb.jaas.conf =
> /opt/novell/java/jre/lib/security/bcsLogin.conf
> com.novell.nidp.authentication.local.kerb.svcPrincipal =
> HTTP/nam-idp-test.abc.com
> </amLogEntry>


Any ideas?

I know that MS removed DES by default in 2008 for security reasons, so
I'm not terribly keen on re-enabling DES unless I have to.


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=50912

6 Replies

Re: NAM Kerberos issue: pre-authentication failed

kjhurni wrote:

>
> I've set up NAM 3.2.2 IR2 with AD (2003 functional level, although there
> ARE 2008 R2 servers as DCs in the domain).


I don't believe the functional level matters so much here.

> However, when I restart the idp, the catalina.out gives errors regarding
> the Kerberos stuff.
>
> I've verified the Kerberos realm name is in all caps, I've verified the
> userid/password.


Have you checked whether this kerberos principal

Have you changed/reset the kerberos principal's password against a 2008 R2 DC and then regenerated the keytab?
I recall seeing something about that being required when going from 2003 to 2008 R2 DCs.

> It looks (to me) like an encryption issue, but the docs indicate that as
> long as you re-did the keytab file, the DES issue should be resolved
> (plus it only applies to Win7 and IE8).
>
> I know that MS removed DES by default in 2008 for security reasons, so
> I'm not terribly keen on re-enabling DES unless I have to.


You should not need to. It's worked just fine for me - with Windows 2008 R2 SP1 DCs.
However I know a colleague had issues when going from 2003 to 2008 R2 DCs at a customer.

--
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

Re: NAM Kerberos issue: pre-authentication failed


alexmchugh;244848 Wrote:
> kjhurni wrote:
>
> >
> > I've set up NAM 3.2.2 IR2 with AD (2003 functional level, although there
> > ARE 2008 R2 servers as DCs in the domain).
>
> I don't believe the functional level matters so much here.
>
> > However, when I restart the idp, the catalina.out gives errors regarding
> > the Kerberos stuff.
> >
> > I've verified the Kerberos realm name is in all caps, I've verified the
> > userid/password.
>
> Have you checked whether this kerberos principal
>
> Have you changed/reset the kerberos principal's password against a 2008
> R2 DC and then regenerated the keytab?
> I recall seeing something about that being required when going from 2003
> to 2008 R2 DCs.
>
> > It looks (to me) like an encryption issue, but the docs indicate that as
> > long as you re-did the keytab file, the DES issue should be resolved
> > (plus it only applies to Win7 and IE8).
> >
> > I know that MS removed DES by default in 2008 for security reasons, so
> > I'm not terribly keen on re-enabling DES unless I have to.
>
> You should not need to. It's worked just fine for me - with Windows 2008
> R2 SP1 DCs.
> However I know a colleague had issues when going from 2003 to 2008 R2
> DCs at a customer.


I think your first sentence got cut off.

If I try the 2008 R2 DC to generate the keytab file:
1) I get an error (apparently it's a bug) that the pType doesn't match
the account type and then:
2) ktpass literally crashes every time

Note that there's a discrepancy in the docs in 5.2.2 where step 3 says
the User Logon Name is:
HTTP://amser.provo.novell.com

But then in step 6 they say the UserLogonName is:
HTTP/amswer.provo.novell.com@AD.NOVELL.COM

So I don't know if that's the issue, since we created the user according
to step 3.

I have tried another 2008 DC and ktpass doesn't crash this time,
although I still get the ptype and account type do not match.

setspn -L shows that there's 3 SPN for the user:
HTTP/nam-idpt-test.abc.com
HTTP/abc.com
HTTP/nam-idpt-test.abc.com@ABC.COM


--
kjhurni

Re: NAM Kerberos issue: pre-authentication failed

kjhurni wrote:

>
> If I try the 2008 R2 DC to generate the keytab file:
> 1) I get an error (apparently it's a bug) that the pType doesn't match
> the account type and then:
> 2) ktpass literally crashes every time


Is this a computer or user account in Active Directory? The documentation says to create a user account.

Have you tried adding the following to ktpass to get rid of your pType error?

-pType KRB5_NT_PRINCIPAL

> Note that there's a discrepency in the docs in 5.2.2 where step 3 says
> the User Logon Name is:
> HTTP://amser.provo.novell.com
>


This is correct for 5.2.2 step 3 and for 5.3.3 step 3

> But then in step 6 they say the UserLogonName is:
> HTTP/amswer.provo.novell.com@AD.NOVELL.COM


This is correct format for 5.2.2 step 6 (setspn) and 5.2.3 step 1 (ktpass) and 5.3.4 step 2 (bcsLogin.conf)

> So I don't know if that's the issue, since we created the user according
> to step 3.
>
> I have tried another 2008 DC and ktpass doesn't crash this time,
> although still get the ptype and account type do not match.
>
> setspn -L shows that there's 3 SPN for the user:
> HTTP/nam-idpt-test.abc.com
> HTTP/abc.com
> HTTP/nam-idpt-test.abc.com@ABC.COM


I only have the first and last of the SPNs listed above in my config.


Re: NAM Kerberos issue: pre-authentication failed


alexmchugh;244861 Wrote:
> kjhurni wrote:
>
> >
> > If I try the 2008 R2 DC to generate the keytab file:
> > 1) I get an error (apparently it's a bug) that the pType doesn't match
> > the account type and then:
> > 2) ktpass literally crashes every time
>
> Is this a computer or user account in Active Directory? The
> documentation says to create a user account.
>
> Have you tried adding the following to ktpass to get rid of your pType
> error?
>
> -pType KRB5_NT_PRINCIPAL
>
> > Note that there's a discrepancy in the docs in 5.2.2 where step 3 says
> > the User Logon Name is:
> > HTTP://amser.provo.novell.com
> >
>
> This is correct for 5.2.2 step 3 and for 5.3.3 step 3
>
> > But then in step 6 they say the UserLogonName is:
> > HTTP/amswer.provo.novell.com@AD.NOVELL.COM
>
> This is correct format for 5.2.2 step 6 (setspn) and 5.2.3 step 1
> (ktpass) and 5.3.4 step 2 (bcsLogin.conf)
>
> > So I don't know if that's the issue, since we created the user according
> > to step 3.
> >
> > I have tried another 2008 DC and ktpass doesn't crash this time,
> > although I still get the ptype and account type do not match.
> >
> > setspn -L shows that there's 3 SPN for the user:
> > HTTP/nam-idpt-test.abc.com
> > HTTP/abc.com
> > HTTP/nam-idpt-test.abc.com@ABC.COM
>
> I only have the first and last of the SPNs listed above in my config.


HI Alex,

User Account.

How can step 3 and 6 be correct if they both refer to two different
values for the same attribute:
User Logon Name

??

I'm not sure if multiple spn can cause an issue, but given that AD lets
you do that, I'd find it unlikely.

I've not tried the -pType switch because the NetIQ docs don't tell you
to use that (one would think that if it really mattered, the docs would
have that in there). I did run across some KB articles that seemed to
indicate it's a bug in 2008 R2.

But I can try the pType switch (this only happens on 2008 servers; if you
do ktpass on a 2003 DC, you don't get the error).


--
kjhurni

Re: NAM Kerberos issue: pre-authentication failed

kjhurni wrote:

>
> alexmchugh;244861 Wrote:
> > kjhurni wrote:
> >
> > >
> > > If I try the 2008 R2 DC to generate the keytab file:
> > > 1) I get an error (apparently it's a bug) that the pType doesn't match
> > > the account type and then:
> > > 2) ktpass literally crashes every time
> >
> > Is this a computer or user account in Active Directory? The
> > documentation says to create a user account.
> >
> > Have you tried adding the following to ktpass to get rid of your pType
> > error?
> >
> > -pType KRB5_NT_PRINCIPAL
> >
> > > Note that there's a discrepancy in the docs in 5.2.2 where step 3 says
> > > the User Logon Name is:
> > > HTTP://amser.provo.novell.com
> > >
> >
> > This is correct for 5.2.2 step 3 and for 5.3.3 step 3
> >
> > > But then in step 6 they say the UserLogonName is:
> > > HTTP/amswer.provo.novell.com@AD.NOVELL.COM
> >
> > This is correct format for 5.2.2 step 6 (setspn) and 5.2.3 step 1
> > (ktpass) and 5.3.4 step 2 (bcsLogin.conf)
> >
> > > So I don't know if that's the issue, since we created the user according
> > > to step 3.
> > >
> > > I have tried another 2008 DC and ktpass doesn't crash this time,
> > > although I still get the ptype and account type do not match.
> > >
> > > setspn -L shows that there's 3 SPN for the user:
> > > HTTP/nam-idpt-test.abc.com
> > > HTTP/abc.com
> > > HTTP/nam-idpt-test.abc.com@ABC.COM
> >
> > I only have the first and last of the SPNs listed above in my config.

>
> HI Alex,
>
> User Account.
>
> How can step 3 and 6 be correct if they both refer to two different
> values for the same attribute:
> User Logon Name


I see what you mean, in step 6 it should say:

setspn -A HTTP/<userLogonName>@<KERBEROS_REALM> <userName>

The documentation should be more consistent in its terminology.

> I'm not sure if multiple spn can cause an issue, but given that AD lets
> you do that, I'd find it unlikely.


I also doubt this.

> I've not tried the -pType switch because the NetIQ docs dont' tell you
> to use that (one would think that if it really mattered, the docs would
> have that in there). I did run across some KB articles that seemed to
> indicate it's a bug in 2008 R2.
>
> But I can try the pType switch (only happens on 2008 servers. If you do
> ktpass on 2003 DC, you don't get the error).


Yes, it was my impression that you need to run ktpass on the 2008 R2 server to generate a keytab that works against both 2003 and 2008 R2. I don't think it works in the opposite direction as they changed the security defaults to be more strict with 2008 R2.
That said, most of our customers have moved off 2003 DCs a long time back, so I'm a bit rusty on that part.



Re: NAM Kerberos issue: pre-authentication failed


alexmchugh;244868 Wrote:
> kjhurni wrote:
>
> >
> > alexmchugh;244861 Wrote:
> > > kjhurni wrote:
> > >
> > > >
> > > > If I try the 2008 R2 DC to generate the keytab file:
> > > > 1) I get an error (apparently it's a bug) that the pType doesn't
> > > > match the account type and then:
> > > > 2) ktpass literally crashes every time
> > >
> > > Is this a computer or user account in Active Directory? The
> > > documentation says to create a user account.
> > >
> > > Have you tried adding the following to ktpass to get rid of your pType
> > > error?
> > >
> > > -pType KRB5_NT_PRINCIPAL
> > >
> > > > Note that there's a discrepancy in the docs in 5.2.2 where step 3
> > > > says the User Logon Name is:
> > > > HTTP://amser.provo.novell.com
> > > >
> > >
> > > This is correct for 5.2.2 step 3 and for 5.3.3 step 3
> > >
> > > > But then in step 6 they say the UserLogonName is:
> > > > HTTP/amswer.provo.novell.com@AD.NOVELL.COM
> > >
> > > This is correct format for 5.2.2 step 6 (setspn) and 5.2.3 step 1
> > > (ktpass) and 5.3.4 step 2 (bcsLogin.conf)
> > >
> > > > So I don't know if that's the issue, since we created the user
> > > > according to step 3.
> > > >
> > > > I have tried another 2008 DC and ktpass doesn't crash this time,
> > > > although I still get the ptype and account type do not match.
> > > >
> > > > setspn -L shows that there's 3 SPN for the user:
> > > > HTTP/nam-idpt-test.abc.com
> > > > HTTP/abc.com
> > > > HTTP/nam-idpt-test.abc.com@ABC.COM
> > >
> > > I only have the first and last of the SPNs listed above in my config.
> >
> > HI Alex,
> >
> > User Account.
> >
> > How can step 3 and 6 be correct if they both refer to two different
> > values for the same attribute:
> > User Logon Name
>
> I see what you mean, in step 6 it should say:
>
> setspn -A HTTP/<userLogonName>@<KERBEROS_REALM> <userName>
>
> The documentation should be more consistent in its terminology.
>
> > I'm not sure if multiple spn can cause an issue, but given that AD lets
> > you do that, I'd find it unlikely.
>
> I also doubt this.
>
> > I've not tried the -pType switch because the NetIQ docs don't tell you
> > to use that (one would think that if it really mattered, the docs would
> > have that in there). I did run across some KB articles that seemed to
> > indicate it's a bug in 2008 R2.
> >
> > But I can try the pType switch (only happens on 2008 servers. If you do
> > ktpass on 2003 DC, you don't get the error).
>
> Yes, it was my impression that you need to run ktpass on the 2008 R2
> server to generate a keytab that works against both 2003 and 2008 R2. I
> don't think it works in the opposite direction as they changed the
> security defaults to be more strict with 2008 R2.
> That said, most of our customers have moved off 2003 DCs a long time
> back, so I'm a bit rusty on that part.


Okay, I guess I'll retry on the 2008 R2 with the specific pType switch.

Also, do you know of a third party util that can check if the
keytab/login is correct (so at least that will help me to see if it's a
NAM issue or not)?


--
kjhurni
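Editor's note, with an added example that is not part of the thread and not NetIQ code. The last post asks for a utility that checks the keytab independently of NAM; the first post's debug log already contains the detail such a check should catch. The keytab entry is read as realm ABC.COM, but the JAAS principal is logged as HTTP/nam-idp-test.abc.com@abc.com with a lower-case realm. Kerberos realm names are case-sensitive, and a lower-case realm in a Java client's principal is a common cause of the "Message stream modified (41)" failure seen after the AS-REP arrives: the KDC's reply names the canonical upper-case realm, and the client treats the mismatch with what it requested as a tampered reply. The script below parses a version-2 MIT keytab (the format ktpass writes), lists each entry's principal, kvno and enctype, flags single-DES and RC4 keys, and compares the keytab principal against the principal a bcsLogin.conf would name. The in-memory sample keytab, its dummy key bytes and the command-line path handling are assumptions made for the example.

```python
"""Inspect an MIT-format keytab and check it against the JAAS principal.
Added example for this thread; not NetIQ/NAM code.  The sample keytab is
constructed in memory to mirror the entry the debug log reports (realm
ABC.COM, HTTP/nam-idp-test.abc.com, etype 23, kvno 0); its key bytes are
a dummy value, not a real key."""
import struct
from dataclasses import dataclass
from typing import List

# RFC 3961/3962/4757 etype numbers, the same numbers the Java debug output
# prints ("default etypes for default_tkt_enctypes: 17 16 23 1 3").
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
WEAK_ETYPES = {1, 3, 23}   # single DES, and RC4-HMAC (key is the unsalted NT hash)
KRB5_NT_PRINCIPAL = 1      # name type written by ktpass -ptype KRB5_NT_PRINCIPAL


@dataclass
class KeytabEntry:
    realm: str
    components: List[str]
    name_type: int
    kvno: int
    etype: int
    key: bytes

    @property
    def principal(self) -> str:
        return "/".join(self.components) + "@" + self.realm


def _counted(data: bytes, off: int):
    """Read a uint16-length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-2 (0x0502) MIT keytab, the layout ktpass /out produces."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab header: %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode("utf-8"))
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                 # optional 32-bit kvno after the key
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append(KeytabEntry(realm.decode("utf-8"), comps, name_type, kvno, etype, key))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialise entries in the layout parse_keytab reads (used for the sample)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        body = struct.pack(">H", len(e.components))
        body += struct.pack(">H", len(e.realm)) + e.realm.encode("utf-8")
        for c in e.components:
            body += struct.pack(">H", len(c)) + c.encode("utf-8")
        body += struct.pack(">IIB", e.name_type, 0, e.kvno & 0xFF)
        body += struct.pack(">HH", e.etype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(entries: List[KeytabEntry], jaas_principal: str) -> List[str]:
    """Return findings; empty means an exact principal match and no weak enctypes."""
    findings = []
    names = {e.principal for e in entries}
    if jaas_principal not in names:
        near = sorted(n for n in names if n.lower() == jaas_principal.lower())
        if near:   # same name, different case: realms are case-sensitive
            findings.append("case mismatch: JAAS principal %s vs keytab entry %s"
                            % (jaas_principal, near[0]))
        else:
            findings.append("principal %s not in keytab; keytab has: %s"
                            % (jaas_principal, ", ".join(sorted(names)) or "<none>"))
    for e in entries:
        if e.name_type != KRB5_NT_PRINCIPAL:
            findings.append("%s: name type %d is not KRB5_NT_PRINCIPAL" % (e.principal, e.name_type))
        if e.etype in WEAK_ETYPES:
            findings.append("%s: kvno %d uses weak etype %d (%s)"
                            % (e.principal, e.kvno, e.etype, ETYPE_NAMES.get(e.etype, "?")))
    return findings


# Constructed sample mirroring the log: one RC4-HMAC entry for the IdP SPN.
SAMPLE_KEYTAB = build_keytab([KeytabEntry("ABC.COM", ["HTTP", "nam-idp-test.abc.com"],
                                          KRB5_NT_PRINCIPAL, 0, 23, bytes(range(16)))])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    ents = parse_keytab(data)
    for e in ents:
        print("%-40s kvno=%d etype=%d (%s)" % (e.principal, e.kvno, e.etype, ETYPE_NAMES.get(e.etype, "?")))
    for f in check_keytab(ents, "HTTP/nam-idp-test.abc.com@abc.com"):   # principal as logged
        print("FINDING:", f)
```

Run it with the path to nidpkey.keytab to see the real entries; with no argument it runs on the constructed sample and reports both the realm-case mismatch and the RC4 key. For a live check against the KDC, MIT Kerberos' own tools cover the remaining question in the thread: klist -kte lists the keytab the same way, and kinit -kt nidpkey.keytab HTTP/nam-idp-test.abc.com@ABC.COM obtains a TGT with the keytab key, so a failure there is a keytab or KDC problem rather than a NAM one.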