Hello,

So I am setting up Kerberos. Basic info:

IDS server name is mtkamids - IP address is 192.168.1.80

First I created the serviceUser in AD:

Firstname: mtkamids
User Logon Name: mtkamids.mtk.dk

Then I ran this from the DC: setspn -A HTTP/mtkamids.mtk.dk@MTK.DK mtkamids
Then: setspn -L mtkamids
Output: Registered ServicePrincipalNames for
CN=mtkamids,OU=ServiceAccounts,OU=MTK,DC=mtk,DC=dk :
HTTP/mtkamids.mtk.dk@MTK.DK
Then I ran this from the DC: ktpass /out nidpkey.keytab /princ HTTP/mtkamids.mtk.dk@MTK.DK /mapuser mtkamids@mtk.dk /pass password

Output: Output keytab to nidpkey.keytab:
Keytab version: 0x502
keysize 66 HTTP/mtkamids.mtk.dk@MTK.DK ptype 0 (KRB5_NT_UNKNOWN) vno 4
etype 0x17 (RC4-HMAC) keylength 16 (0x4a358a2e8aed559ee9f1e5581652f162)

I copied it here, on the IDS server: /opt/novell/java/jre/lib/security

I added the IDS to the forward lookup zone.

I created the Kerberos class with:
SPN: HTTP/mtkamids.mtk.dk@MTK.DK
Kerberos Realm: MTK.DK
JAAS config file for Kerberos:
/opt/novell/java/jre/lib/security/bcsLogin.conf
Kerberos KDC: 10.1.2.32
User Attribute: userprincipalname

My bcsLogin.conf looks like this:

com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug="true"
    useTicketCache="true"
    ticketCache="/opt/novell/java/jre/lib/security/spnegoTicket.cache"
    doNotPrompt="true"
    principal="HTTP/mtkamids.mtk.dk@MTK.DK"
    useKeyTab="true"
    keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab"
    storeKey="true";
};

Then a restart: /etc/init.d/novell-idp restart

And here is the output from catalina.out:


Code:
--------------------

Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is /opt/novell/java/jre/lib/security/spnegoTicket.cache isInitiator true KeyTab is /opt/novell/jdk1.7.0_04/jre/lib/security/nidpkey.keytab refreshKrb5Config is false principal is HTTP/mtkamids.mtk.dk@MTK.DK tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is HTTP/mtkamids.mtk.dk@MTK.DK
null credentials from Ticket Cache
Added key: 23version: 3
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Added key: 23version: 3
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=10.1.2.32 UDP:88, timeout=30000, number of retries =3, #bytes=138
>>> KDCCommunication: kdc=10.1.2.32 UDP:88, timeout=30000,Attempt =1, #bytes=138

SocketTimeOutException with attempt: 1
>>> KDCCommunication: kdc=10.1.2.32 UDP:88, timeout=30000,Attempt =2, #bytes=138

SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=10.1.2.32 UDP:88, timeout=30000,Attempt =3, #bytes=138

SocketTimeOutException with attempt: 3
>>> KrbKdcReq send: error trying 10.1.2.32

java.net.SocketTimeoutException: Receive timed out
java.net.SocketTimeoutException: Receive timed out
at java.net.PlainDatagramSocketImpl.receive0(Native Method)
at java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:145)
at java.net.DatagramSocket.receive(DatagramSocket.java:786)
at sun.security.krb5.internal.UDPClient.receive(NetClient.java:207)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:386)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:339)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.KdcComm.send(KdcComm.java:323)
at sun.security.krb5.KdcComm.send(KdcComm.java:219)
at sun.security.krb5.KdcComm.send(KdcComm.java:191)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:319)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:364)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:731)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:580)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:721)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:719)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:718)
at javax.security.auth.login.LoginContext.login(LoginContext.java:590)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:255)
at sun.security.jgss.krb5.Krb5Util.getServiceCreds(Krb5Util.java:334)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:76)
at sun.security.jgss.krb5.Krb5AcceptCredential$1.run(Krb5AcceptCredential.java:74)
...
>>> KdcAccessibility: add 10.1.2.32

[Krb5LoginModule] authentication failed
Receive timed out
<amLogEntry> 2014-03-16T21:58:47Z SEVERE NIDS Application: AM#100104105: AMDEVICEID#047CC991A3C20DE3: Could not initialize Kerberos/GSS No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) </amLogEntry>

<amLogEntry> 2014-03-16T21:58:47Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.<init>
Thread: RMI TCP Connection(23)-127.0.0.1
false
Kerberos Config :=
com.novell.nidp.authentication.local.kerb.ADUserAttr = userprincipalname
com.novell.nidp.authentication.local.kerb.upnSuffixes =
Reconfigure = true
com.novell.nidp.authentication.local.kerb.realm = MTK.DK
com.novell.nidp.authentication.local.kerb.kdc = 10.1.2.32
com.novell.nidp.authentication.local.kerb.jaas.conf = /opt/novell/java/jre/lib/security/bcsLogin.conf
com.novell.nidp.authentication.local.kerb.svcPrincipal = HTTP/mtkamids.mtk.dk
</amLogEntry>

--------------------


I can telnet from the IDS to AD on ports 389, 636 and 88.

Any idea what might be going on?

Thanks in advance,

Jacob.


--
jacmarpet
------------------------------------------------------------------------
jacmarpet's Profile: https://forums.netiq.com/member.php?userid=415
View this thread: https://forums.netiq.com/showthread.php?t=50292
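Added example, not part of the post above and not NetIQ code: a small Python parser for the MIT v2 (0x0502) keytab layout that ktpass writes, so a keytab can be checked for principal, enctype and kvno before it is dropped under the JRE security directory. The keytab bytes are a constructed sample built from the ktpass output quoted in the post with a placeholder key, and the parser reports only the key length, never the key bytes.

```python
import struct

# Constructed sample, not the real nidpkey.keytab: one entry for
# HTTP/mtkamids.mtk.dk@MTK.DK, name type 0, kvno 4, etype 23 (RC4-HMAC),
# 16-byte key. The key bytes are a placeholder.
def build_keytab(realm, components, name_type, kvno, enctype, key, ts=0):
    # Serialize a one-entry MIT v2 keytab; every field is big-endian.
    body = struct.pack(">H", len(components))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)   # 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)                           # 32-bit kvno trailer
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    # Return the entries; secret key material is reported by length only.
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 (0x0502) keytab")
    pos, entries = 2, []
    def take(fmt):
        nonlocal pos
        vals = struct.unpack_from(fmt, data, pos)
        pos += struct.calcsize(fmt)
        return vals
    def counted_string():
        nonlocal pos
        (n,) = take(">H")
        s = data[pos:pos + n].decode()
        pos += n
        return s
    while pos + 4 <= len(data):
        (size,) = take(">i")
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = take(">H")
        realm = counted_string()
        comps = [counted_string() for _ in range(ncomp)]
        name_type, _ts, vno8 = take(">IIB")
        enctype, klen = take(">HH")
        pos += klen                   # skip the key bytes; never print them
        kvno = (take(">I")[0] if end - pos >= 4 else 0) or vno8   # trailer if room
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "enctype": enctype, "key_len": klen, "entry_len": size})
        pos = end
    return entries

SAMPLE = build_keytab("MTK.DK", ["HTTP", "mtkamids.mtk.dk"], 0, 4, 23, bytes(range(16)))
```

The constructed entry comes out at 66 bytes, the same figure ktpass printed as keysize above; the trailing 32-bit kvno is what carries version numbers above 255, which the 8-bit field cannot hold.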