I've set up NAM 3.2.2 IR2 with AD (2003 functional level, although there
ARE 2008 R2 servers as DCs in the domain).

However, when I restart the idp, the catalina.out gives errors regarding
the Kerberos stuff.

I've verified the Kerberos realm name is in all caps, I've verified the
userid/password.

It looks (to me) like an encryption issue, but the docs indicate that as
long as you re-did the keytab file, the DES issue should be resolved
(plus it only applies to Win7 and IE8).

> Config name: /etc/krb5.conf
> Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is /opt/novell/java/jre/lib/security/spnegoTicket.cache isInitiator true KeyTab is /opt/novell/java/jre/lib/security/nidpkey.keytab refreshKrb5Config is false principal is HTTP/nam-idp-test.abc.com@abc.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false
> Acquire TGT from Cache
> Principal is HTTP/nam-idp-test.abc.com@abc.com
> null credentials from Ticket Cache
> >>> KeyTabInputStream, readName(): ABC.COM
> >>> KeyTabInputStream, readName(): HTTP
> >>> KeyTabInputStream, readName(): nam-idp-test.abc.com
> >>> KeyTab: load() entry length: 84; type: 23
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> >>> KdcAccessibility: reset
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=10.10.252.107 UDP:88, timeout=30000, number of retries =3, #bytes=171
> >>> KDCCommunication: kdc=10.10.252.107 UDP:88, timeout=30000,Attempt =1, #bytes=171
> >>> KrbKdcReq send: #bytes read=187
> >>>Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23, salt =
>
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 16
>
> >>>Pre-Authentication Data:
> PA-DATA type = 15
>
> >>> KdcAccessibility: remove 10.10.252.107
> >>> KDCRep: init() encoding tag is 126 req type is 11
> >>>KRBError:
> sTime is Thu May 22 11:50:43 EDT 2014 1400773843000
> suSec is 183564
> error code is 25
> error Message is Additional pre-authentication required
> realm is abc.com
> sname is krbtgt/abc.com
> eData provided.
> msgType is 30
> >>>Pre-Authentication Data:
> PA-DATA type = 11
> PA-ETYPE-INFO etype = 23, salt =
>
> >>>Pre-Authentication Data:
> PA-DATA type = 19
> PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null
>
> >>>Pre-Authentication Data:
> PA-DATA type = 2
> PA-ENC-TIMESTAMP
> >>>Pre-Authentication Data:
> PA-DATA type = 16
>
> >>>Pre-Authentication Data:
> PA-DATA type = 15
>
> KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> >>> KrbAsReq creating message
> >>> KrbKdcReq send: kdc=10.10.252.107 UDP:88, timeout=30000, number of retries =3, #bytes=254
> >>> KDCCommunication: kdc=10.10.252.107 UDP:88, timeout=30000,Attempt =1, #bytes=254
> >>> KrbKdcReq send: #bytes read=102
> >>> KrbKdcReq send: kdc=10.10.252.107 TCP:88, timeout=30000, number of retries =3, #bytes=254
> >>> KDCCommunication: kdc=10.10.252.107 TCP:88, timeout=30000,Attempt =1, #bytes=254
> >>>DEBUG: TCPClient reading 1535 bytes
> >>> KrbKdcReq send: #bytes read=1535
> >>> KdcAccessibility: remove 10.10.252.107
> Added key: 23version: 0
> Ordering keys wrt default_tkt_enctypes list
> Using builtin default etypes for default_tkt_enctypes
> default etypes for default_tkt_enctypes: 17 16 23 1 3.
> >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
> [Krb5LoginModule] authentication failed
> Message stream modified (41)
> <amLogEntry> 2014-05-22T15:50:43Z SEVERE NIDS Application: AM#100104105: AMDEVICEID#CA156ECCB2B7656F: Could not initialize Kerberos/GSS No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) </amLogEntry>
>
> <amLogEntry> 2014-05-22T15:50:43Z DEBUG NIDS Application:
> Method: SpnegoAuthenticator.<init>
> Thread: RMI TCP Connection(2)-127.0.0.1
> false
> Kerberos Config :=
> com.novell.nidp.authentication.local.kerb.ADUserAttr = employeeID
> com.novell.nidp.authentication.local.kerb.upnSuffixes = abc.com
> Reconfigure = true
> com.novell.nidp.authentication.local.kerb.realm = ABC.COM
> com.novell.nidp.authentication.local.kerb.kdc = 10.10.252.107
> com.novell.nidp.authentication.local.kerb.jaas.conf = /opt/novell/java/jre/lib/security/bcsLogin.conf
> com.novell.nidp.authentication.local.kerb.svcPrincipal = HTTP/nam-idp-test.abc.com
> </amLogEntry>
>

Any ideas?

I know that MS removed DES by default in 2008 for security reasons, so
I'm not terribly keen on re-enabling DES unless I have to.


--
kjhurni
------------------------------------------------------------------------
kjhurni's Profile: https://forums.netiq.com/member.php?userid=322
View this thread: https://forums.netiq.com/showthread.php?t=50912