Did the config of Kerberos methods etc. according to AM documentation
(using AM4 here)

Exported keytab on a W2012 DC

ktpass /out nidpkey.keytab /princ HTTP/dgam01.domainx.dk@DOMAINX.DK
/mapuser dgam01@domainx.dk /pass verynice

Output from that command is:
Targeting domain controller: FMKAD01.domainx.dk
Successfully mapped HTTP/dgam01.domainx.dk to dgam01.
Password successfully set!
WARNING: pType and account type do not match. This might cause
Key created.
Output keytab to nidpkey.keytab:
Keytab version: 0x502
keysize 66 HTTP/dgam01.domainx.dk@DOMAINX.DK ptype 0 (KRB5_NT_UNKNOWN)
vno 16 etype 0x17 (RC4-HMAC) keylength 16 (0x518e69

Copied that key to /opt/novell/java/jre/lib/security/ on the AM server

Fixed the bcsLogin.conf file (options as reported in the debug output below)

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
        debug="true"
        useKeyTab="true"
        keyTab="/usr/lib/java/jre/lib/security/nidpkey.keytab"
        principal="HTTP/dgam01.domainx.dk@DOMAINX.DK"
        storeKey="true"
        useTicketCache="true"
        ticketCache="/opt/novell/java/jre/lib/security/spnegoTicket.cache"
        doNotPrompt="true"
        isInitiator="true";
};

When I do a novell-idp restart, the following is in the identity server
catalina.out log file

Config name: /etc/krb5.conf
Debug is true storeKey true useTicketCache true useKeyTab true
doNotPrompt true ticketCache is
/opt/novell/java/jre/lib/security/spnegoTicket.cache isInitiator true
KeyTab is /usr/lib/java/jre/lib/security/nidpkey.keytab
refreshKrb5Config is false principal is
HTTP/dgam01.domainx.dk@DOMAINX.DK tryFirstPass is false useFirstPass is
false storePass is false clearPass is false
Acquire TGT from Cache
Principal is HTTP/dgam01.domainx.dk@DOMAINX.DK
null credentials from Ticket Cache
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Key for the principal HTTP/dgam01.domainx.dk@DOMAINX.DK not available in
[Krb5LoginModule] authentication failed
Unable to obtain password from user

<amLogEntry> 2013-11-23T23:43:19Z SEVERE NIDS Application: AM#100104105:
AMDEVICEID#6155D8B2B5041888: Could not initialize Kerberos/GSS No valid
credentials provided (Mechanism level: Attempt to obtain new ACCEPT
credentials failed!) </amLogEntry>


In /etc/krb5.conf, I have entered
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac

What can I be doing wrong?


6525036's Profile: https://forums.netiq.com/member.php?userid=758
View this thread: https://forums.netiq.com/showthread.php?t=49300
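A keytab sanity check, added here as an example and not part of the original post or of NetIQ's own code: it parses the version 0x502 keytab format that ktpass writes, compares the entries with the principal and enctypes that the Krb5LoginModule debug output lists, and first checks that the keyTab= path actually exists. The keytab bytes are constructed inline from the values in the ktpass output above (same principal, ptype 0, vno 16, etype 23) with fake key bytes; the temporary directory names and the 16-byte fake key are assumptions made for the example.

```python
import os
import struct
import tempfile

# Enctype numbers from RFC 3961/3962/4757, with the names krb5.conf accepts.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
KEYTAB_V2 = b"\x05\x02"          # "Keytab version: 0x502" in the ktpass output


def build_keytab(entries):
    """Serialize (principal, name_type, kvno, enctype, key) tuples as a v2 keytab.
    Only used to construct test input here; real keytabs come from ktpass/kadmin."""
    out = bytearray(KEYTAB_V2)
    for principal, name_type, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:                     # realm first, then components
            raw = s.encode()
            body += struct.pack(">H", len(raw)) + raw
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)   # timestamp 0, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)               # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body    # each entry is length-prefixed
    return bytes(out)


def _counted_string(buf, pos):
    n, = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def parse_keytab(data):
    """Return one dict per keytab entry (key bytes are deliberately not returned)."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                                  # deleted slot: skip abs(size) bytes
            pos += -size
            continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos)
        realm, pos = _counted_string(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted_string(data, pos)
            comps.append(comp)
        name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 9 + 4 + klen                           # skip the key material itself
        vno = vno8
        if end - pos >= 4:                            # 32-bit vno present
            vno32, = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": vno, "enctype": enctype, "key_length": klen,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, str(enctype))})
    return entries


def check_entries(entries, principal, permitted_enctypes):
    """Explain why a login module could report 'Key for the principal ... not available';
    an empty list means the keytab content is consistent with the configuration."""
    findings = []
    matching = [e for e in entries if e["principal"] == principal]
    if not matching:
        findings.append("no entry for %s; keytab holds %s"
                        % (principal, sorted({e["principal"] for e in entries})))
    for e in matching:
        if e["enctype_name"] not in permitted_enctypes:
            findings.append("kvno %d entry uses %s, which is not in %s"
                            % (e["kvno"], e["enctype_name"], permitted_enctypes))
        if e["name_type"] == 0:
            findings.append("entry has ptype KRB5_NT_UNKNOWN; ktpass /ptype KRB5_NT_PRINCIPAL "
                            "avoids the 'pType and account type do not match' warning")
    return findings


def check_keytab(path, principal, permitted_enctypes):
    """File-level check: the keyTab= path must exist before anything else matters."""
    if not os.path.isfile(path):
        return ["keytab not found at %s (check the keyTab= path in the JAAS config)" % path]
    with open(path, "rb") as f:
        return check_entries(parse_keytab(f.read()), principal, permitted_enctypes)


def demo():
    """Constructed reproduction: keytab copied to one directory, JAAS config pointing at another."""
    principal = "HTTP/dgam01.domainx.dk@DOMAINX.DK"
    data = build_keytab([(principal, 0, 16, 23, bytes(range(16)))])   # fake 16-byte RC4 key
    with tempfile.TemporaryDirectory() as tmp:
        copied = os.path.join(tmp, "opt", "nidpkey.keytab")           # where the file was put
        configured = os.path.join(tmp, "usr", "nidpkey.keytab")       # what keyTab= points at
        os.makedirs(os.path.dirname(copied))
        with open(copied, "wb") as f:
            f.write(data)
        return {"configured_path": check_keytab(configured, principal, ["rc4-hmac"]),
                "copied_path": check_keytab(copied, principal, ["rc4-hmac"])}
```

Run `demo()` to see both outcomes: the configured path is reported as missing, and the copied file parses but is flagged for ptype KRB5_NT_UNKNOWN. In the debug output quoted in the thread, the module reports `KeyTab is /usr/lib/java/jre/lib/security/nidpkey.keytab` while the file was copied to `/opt/novell/java/jre/lib/security/`, which is exactly the mismatch the path check catches. Separately, Java prints `Using builtin default etypes for default_tkt_enctypes` when it finds no such key under `[libdefaults]` in krb5.conf, so it is worth confirming that the three enctype lines sit in that section.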