SPNEGO & IDP 3.2.1

Cantor, Scott cantor.2 at osu.edu
Thu May 26 23:35:24 EDT 2016

> 2016-05-26 14:10:30,267 - ERROR
> [net.shibboleth.idp.authn.spnego.impl.SPNEGOAuthnController:180] - Error
> extracting principal name from security context

I can't really tell you anything useful, though obviously that's the failure.

> I can issue tickets using krb5 and the IDP authN but I don't know how to test
> consuming them with SPNEGO.

Support for Kerberos via password isn't related to the SPNEGO code, if that's what you mean. It might be slightly related if you made KDC verification work, since that involves a service principal and a sort of pseudo GSS loop that is conceptually like what SPNEGO requires. It's still totally different code, but it might show similar problems. If you don't do KDC verification, then the password option really has nothing to do with making SPNEGO work. It's trivial in comparison.

> So I assume I'm sending a Kerberos ticket?

No idea.

> Of note, the IDP is on Windows running in a domain NOT associated with the
> keytab principal. Not sure if this is an issue or not, moving domains is the only
> way I know to rule it out.

No idea.

> Next steps? Is there additional debug info I can light up for SPNEGO and GSS
> in the Shibboleth stack?

Nope, unless there's some hidden Java option to do it, but that would be meaningless information to me.

-- Scott
