Kerberos configuration error

Douglas E Engert deengert at gmail.com
Wed May 18 08:06:35 EDT 2016


See:
https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration#KerberosAuthnConfiguration-KerberosConfiguration

With Kerberos, obtaining a TGT from a KDC proves that the KDC believes the user authenticated. But to prove that the KDC is the real KDC requires obtaining a ticket for some service where the local system has the key for the principal in a keytab file.

shibboleth.authn.Krb5.ServicePrincipal defines that principal and shibboleth.authn.Krb5.Keytab the location of the keytab file.

For example, you could use the host's principal, host/<your IDP's host name>@<realm>, or the web server's, HTTP/<IdP's server name>@<realm>,
or set up a separate principal. Ask your local Kerberos expert how they would like to handle this principal.


P.S. You can learn a lot about what is going on with the Kerberos protocol by running a network trace on the IDP and using Wireshark to look at the Kerberos packets.

On 5/17/2016 11:34 PM, Raja V, Scientist - B (CS) wrote:
> Can anyone tell me which one I have to replace with "SERVICE/admin"?
> I am getting the below error.
> Login Failure: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
>
>
> <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="SERVICE/admin" />
>
>
> On Mon, May 16, 2016 at 5:01 PM, Douglas E Engert <deengert at gmail.com <mailto:deengert at gmail.com>> wrote:
>
>     Googling for "sun.security.krb5.KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER"
>     and also "sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)"
>     suggests that the krb5.conf file is not correct. Most likely, the KDCs listed are not for the expected realm.
>
>     On 5/16/2016 1:34 AM, Raja V, Scientist - B (CS) wrote:
>
>         Hi all,
>
>         Still we are facing the same issue. Please can anyone suggest the solution.
>
>         Thanks,
>
>         Raja V
>
>         2016-05-16 11:59:28,097 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstKerberos:212] - Profile Action ValidateUsernamePasswordAgainstKerberos: Login by kerberosuser1 failed
>         javax.security.auth.login.LoginException: Checksum failed
>                 at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
>         Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
>                 at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:102)
>         Caused by: java.security.GeneralSecurityException: Checksum failed
>                 at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
>         2016-05-16 11:59:34,105 - WARN [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstKerberos:215] - Profile Action ValidateUsernamePasswordAgainstKerberos: Login by kerberosuser1 failed
>         during GSS context establishment to verify KDC
>         org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
>                 at sun.security.jgss.krb5.Krb5Context.initSecContext(Krb5Context.java:770)
>         Caused by: sun.security.krb5.KrbException: Server not found in Kerberos database (7) - LOOKING_UP_SERVER
>                 at sun.security.krb5.KrbTgsRep.<init>(KrbTgsRep.java:73)
>         Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
>                 at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>
>
>         On Thu, May 12, 2016 at 6:16 PM, Raja V, Scientist - B (CS) <raja at inflibnet.ac.in <mailto:raja at inflibnet.ac.in> <mailto:raja at inflibnet.ac.in <mailto:raja at inflibnet.ac.in>>> wrote:
>
>             Hi,
>             I am getting the below error while configuring the kerberos.
>
>             Login Failure: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - LOOKING_UP_SERVER)
>
>
>
>             thanks,
>             Raja V
>
>
>
>
>
>     --
>
>      Douglas E. Engert  <DEEngert at gmail.com <mailto:DEEngert at gmail.com>>
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>


