
Error "Kerberos/GSS No valid credentials provided"

Hi all

I'm trying to set up Kerberos, and in the OSP log I find the error "Could not initialize Kerberos/GSS No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)"

Environment
Portal server
> RHEL 7.3 64 bits (GUI)
> Tomcat 7.0.55
> IDMProv 4.5.6 (43710)
> landing 4.5.6 (1014)
> OSP 6.0.0 r5
IDM server
> RHEL 7.3 64 bits (GUI)
> eDirectory 9.0 SP3 Patch 1 (40005.13)
> IDM 4.5.6.0
AD Server
> Windows Server 2008


I followed the documentation

AD Server:
Service Account for Kerberos in AD: user.kerberos

setspn -S HTTP/portal.domain.net user.kerberos


 ktpass /out c:\user.kerberos.keytab /mapuser tiam.kerberos@DOMAIN.NET /princ tiam.kerberos@DOMAIN.NET /pass ***** /crypto All /kvno 0 -ptype KRB5_NT_PRINCIPAL


UA Server:

>> krb5.conf (/opt/netiq/idm/apps/tomcat/conf/)
[libdefaults]
default_realm = DOMAIN.NET
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true

[realms]
DOMAIN.NET = {
kdc = server-dc2.domain.net:88
}

[domain_realm]
.domain.net = DOMAIN.NET
domain.net = DOMAIN.NET


>> Kerberos_login.config (/opt/netiq/idm/apps/tomcat/kerberos/)
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt="true"
principal="user.kerberos@DOMAIN.NET"
useKeyTab="true"
keyTab="/opt/netiq/idm/apps/kerberos/user.kerberos.keytab"
storeKey="true";
};


>> java.security (/opt/netiq/idm/apps/jre/lib/security/)
login.config.url.1=file:/opt/netiq/idm/apps/tomcat/kerberos/Kerberos_login.config


>> configupdate.sh (/opt/netiq/idm/apps/UserApplication)

  • 2) Authentication
  • 77) Show advanced Options
  • 3) Authentication Method
  • 2) Kerberos
  • 3) SSO Clientes
  • all OAuth redirect url http://portal.domain.net:8080/....


With another application, it was proved that the URL works correctly with Kerberos, but when pointing it to IDMProv, it gives the errors that are observed in the OSP log.



Thanks a lot.

Regards.
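
An added example, not part of the original post or of the product's tooling: with `useKeyTab="true"`, the Krb5LoginModule loads keys for the configured `principal` from the keytab, so the values in the JAAS entry, the `ktpass` command and `krb5.conf` have to agree. The function names `jaas_options` and `check_acceptor` are hypothetical, and the sample inputs are copied from the values shown in the post above.

```python
import os
import re

# Constructed sample inputs, copied from the values shown in the post above.
JAAS = '''com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt="true"
principal="user.kerberos@DOMAIN.NET"
useKeyTab="true"
keyTab="/opt/netiq/idm/apps/kerberos/user.kerberos.keytab"
storeKey="true";
};'''
KTPASS = (r"ktpass /out c:\user.kerberos.keytab /mapuser tiam.kerberos@DOMAIN.NET "
          r"/princ tiam.kerberos@DOMAIN.NET /pass ***** /crypto All /kvno 0 "
          r"-ptype KRB5_NT_PRINCIPAL")
KRB5 = "[realms]\nDOMAIN.NET = {\nkdc = server-dc2.domain.net:88\n}\n"


def jaas_options(text, entry="com.sun.security.jgss.krb5.accept"):
    """Return the key="value" options of one JAAS login entry as a dict."""
    m = re.search(re.escape(entry) + r"\s*\{(.*?)\}\s*;", text, re.S)
    if not m:
        raise ValueError("JAAS entry not found: " + entry)
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group(1)))


def check_acceptor(jaas, ktpass, krb5, readable=lambda p: os.access(p, os.R_OK)):
    """Cross-check the acceptor settings; return a list of findings."""
    opts, findings = jaas_options(jaas), []
    princ = opts.get("principal", "")
    # The principal name ktpass writes into the keytab (/princ or -princ).
    kt = re.search(r"[/-]princ\s+(\S+)", ktpass, re.I)
    if kt and kt.group(1) != princ:
        findings.append(f"principal: JAAS has {princ}, ktpass wrote {kt.group(1)}")
    # Realm names that open a block in krb5.conf, e.g. "DOMAIN.NET = {".
    realms = re.findall(r"^\s*(\S+)\s*=\s*\{", krb5, re.M)
    if princ.rpartition("@")[2] not in realms:
        findings.append(f"realm of {princ} is not defined in krb5.conf [realms]")
    # The keytab must be readable by the account that runs Tomcat.
    if opts.get("useKeyTab") == "true" and not readable(opts.get("keyTab", "")):
        findings.append(f"keyTab not readable: {opts.get('keyTab')}")
    return findings


if __name__ == "__main__":
    for line in check_acceptor(JAAS, KTPASS, KRB5):
        print(line)
```

Run it on the portal server as the account that runs Tomcat so the keytab readability check reflects that account's permissions.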
1 Reply

letroncoso,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, and volunteer run; if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.
https://www.partnernetprogram.com/partnerfinder/find.html

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.microfocus.com/faq.php

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team
http://forums.microfocus.com


