I've set up NAM 3.2 SP2 R1 to communicate with Kerberos to the AD 2008
R2.

However, when I started the IdP, the stdout.log gives the error
pre-authentication failed. So I'm on a workstation logged in to the AD,
and when I go to a site that is federated, the login screen appears.

Can someone help me?

The log file gives the following error:

Config name: C:\Windows\krb5.ini
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is C:\Program Files (x86)\Novell\jre64\lib\security\spnegoTicket.cache isInitiator true KeyTab is C:\Program Files (x86)\Novell\jre64\lib\security\nam-ontw.keytab refreshKrb5Config is false principal is HTTP/nam-ontw.services.zuyd.nl@ID-MNGT-ONTW-AD.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is HTTP/nam-ontw.services.zuyd.nl@ID-MNGT-ONTW-AD.LOCAL
null credentials from Ticket Cache
>>> KeyTabInputStream, readName(): ID-MNGT-ONTW-AD.LOCAL
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): nam-ontw.services.zuyd.nl
>>> KeyTab: load() entry length: 87; type: 23

Added key: 23version: 10
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> KdcAccessibility: reset

Added key: 23version: 10
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=145.91.30.72 UDP:88, timeout=30000, number of retries =3, #bytes=180
>>> KDCCommunication: kdc=145.91.30.72 UDP:88, timeout=30000,Attempt =1, #bytes=180
>>> KrbKdcReq send: #bytes read=199
>>>Pre-Authentication Data:

PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:

PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:

PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:

PA-DATA type = 16

>>>Pre-Authentication Data:

PA-DATA type = 15

>>> KdcAccessibility: remove 145.91.30.72
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:

sTime is Wed Dec 17 11:09:40 CET 2014 1418810980000
suSec is 497039
error code is 25
error Message is Additional pre-authentication required
realm is ID-MNGT-ONTW-AD.LOCAL
sname is krbtgt/ID-MNGT-ONTW-AD.LOCAL
eData provided.
msgType is 30
>>>Pre-Authentication Data:

PA-DATA type = 11
PA-ETYPE-INFO etype = 23, salt =

>>>Pre-Authentication Data:

PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:

PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:

PA-DATA type = 16

>>>Pre-Authentication Data:

PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Added key: 23version: 10
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Added key: 23version: 10
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=145.91.30.72 UDP:88, timeout=30000, number of retries =3, #bytes=265
>>> KDCCommunication: kdc=145.91.30.72 UDP:88, timeout=30000,Attempt =1, #bytes=265
>>> KrbKdcReq send: #bytes read=114
>>> KrbKdcReq send: kdc=145.91.30.72 TCP:88, timeout=30000, number of retries =3, #bytes=265
>>> KDCCommunication: kdc=145.91.30.72 TCP:88, timeout=30000,Attempt =1, #bytes=265
>>>DEBUG: TCPClient reading 1574 bytes
>>> KrbKdcReq send: #bytes read=1574
>>> KdcAccessibility: remove 145.91.30.72

Added key: 23version: 10
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/nam-ontw.services.zuyd.nl

principal is HTTP/nam-ontw.services.zuyd.nl@ID-MNGT-ONTW-AD.LOCAL
Will use keytab
Added key: 23version: 10
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Commit Succeeded

Found KeyTab
Found KerberosKey for HTTP/nam-ontw.services.zuyd.nl@ID-MNGT-ONTW-AD.LOCAL
NIDPMeEntity.commonInitialize(): Complete! Config Name: Identity Cluster
NIDPMeEntity.loadProtocol(): Loaded protocol: com.novell.nidp.liberty.LibertyMeDescriptor:liberty12
NIDPMeEntity.loadProtocol(): Loaded protocol: com.novell.nidp.saml2.SAML2MeDescriptor:saml2
NIDPMeEntity.loadProtocol(): Loaded protocol: com.novell.nidp.saml.SAMLMeDescriptor:saml
NIDPSettings.NIDPSettings(): Completed loading settings from configuration!
NIDPContext.doInit(): Cache initialized!
NIDPServletContext.doCommand(): Start successful.
Warning: Invalid resource key! Null or empty string!


--
ajmhochs
------------------------------------------------------------------------
ajmhochs's Profile: https://forums.netiq.com/member.php?userid=725
View this thread: https://forums.netiq.com/showthread.php?t=52443
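
Added example (not part of the original post, and not NetIQ or JDK code): a small Python triage of Krb5LoginModule debug output like the log above. It pairs each KRBError code with what follows it, treating code 25 (KDC_ERR_PREAUTH_REQUIRED in RFC 4120) followed by a re-sent AS-REQ as the normal first leg of a keytab login; the sample log is constructed from lines in the post, and the function name `triage` is hypothetical.

```python
import re

# Constructed sample, condensed from the debug output format shown in the post.
SAMPLE_LOG = """\
>>> KrbAsReq creating message
>>>KRBError:
error code is 25
error Message is Additional pre-authentication required
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
Will use keytab
Commit Succeeded
"""

# Subset of RFC 4120 error codes that commonly show up in keytab logins.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    37: "KRB_AP_ERR_SKEW",
}

def triage(log_text):
    """Return (findings, login_ok); findings are (code, name, status) tuples."""
    findings, pending, login_ok = [], None, False

    def flush(status):
        nonlocal pending
        if pending is not None:
            name = KRB_ERRORS.get(pending, "UNKNOWN")
            findings.append((pending, name, status))
            pending = None

    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"error code is (\d+)", line)
        if m:
            flush("unresolved")          # an earlier error was never retried
            pending = int(m.group(1))
        elif "re-send AS-REQ" in line and pending == 25:
            flush("retried")             # client answers with PA-ENC-TIMESTAMP
        elif line == "Commit Succeeded":
            login_ok = True              # JAAS login for the service principal committed
    flush("unresolved")
    return findings, login_ok
```

A result of `retried` together with `login_ok` being true means the service principal obtained its TGT from the keytab, so the KRBError 25 entry is not by itself evidence of a failed login.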