Hi all,

I've 2 sets of NAM, both using the same AD authentication.
The first set of NAM is running with Kerberos without any issue.
The 2nd set of NAM is the one having the issue.
I've created 2 separate users for these 2 NAM (2 different baseURLs).

The situation is like this:-
I've logged in to Windows with a domain user. When I browse the
protected URL, a basic authentication prompt appears; whether I cancel
or enter the username and password in the basic authentication prompt,
the page redirects straight to the NAM login page.

Below is the catalina.out from IDP:-


Debug is true storeKey true useTicketCache true useKeyTab true
doNotPrompt true ticketCache is
/opt/novell/java/jre/lib/security/spnegoTicket.cache isInitiator true
KeyTab is /opt/novell/java/jre/lib/security/nidpkey.keytab
refreshKrb5Config is false principal is
HTTP/jjoportal.judiciary.gov.hk@JUD.HKSARG tryFirstPass is false
useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is HTTP/jjoportal.judiciary.gov.hk@JUD.HKSARG
null credentials from Ticket Cache
KeyTab instance already exists
Added key: 23version: 13
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
principal's key obtained from the keytab
Acquire TGT using AS Exchange
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=10.33.112.15 UDP:88, timeout=30000, number of retries =3, #bytes=159
>>> KDCCommunication: kdc=10.33.112.15 UDP:88, timeout=30000,Attempt =1, #bytes=159
>>> KrbKdcReq send: #bytes read=177
>>> KrbKdcReq send: #bytes read=177
>>> KdcAccessibility: remove 10.33.112.15
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:

sTime is Tue Jan 13 11:13:22 HKT 2015 1421118802000
suSec is 358401
error code is 25
error Message is Additional pre-authentication required
realm is JUD.HKSARG
sname is krbtgt/JUD.HKSARG
eData provided.
msgType is 30
>>>Pre-Authentication Data:

PA-DATA type = 11
PA-ETYPE-INFO etype = 23
PA-ETYPE-INFO salt =
>>>Pre-Authentication Data:

PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23
PA-ETYPE-INFO2 salt = null
>>>Pre-Authentication Data:

PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:

PA-DATA type = 16
>>>Pre-Authentication Data:

PA-DATA type = 15
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
>>>KrbAsReq salt is JUD.HKSARGHTTPjjoportal.judiciary.gov.hk

Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 3 1 23 16 17 18.
Pre-Authenticaton: find key for etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=10.33.112.15 UDP:88, timeout=30000, number of retries =3, #bytes=242
>>> KDCCommunication: kdc=10.33.112.15 UDP:88, timeout=30000,Attempt =1, #bytes=242
>>> KrbKdcReq send: #bytes read=1436
>>> KrbKdcReq send: #bytes read=1436
>>> KdcAccessibility: remove 10.33.112.15
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/jjoportal.judiciary.gov.hk
principal is HTTP/jjoportal.judiciary.gov.hk@JUD.HKSARG
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 55 DB 02 94 BC 42 D6 E1 B8 1A E2 B5 C7 F2 94 3F  U....B.........?

Added server's keyKerberos Principal HTTP/jjoportal.judiciary.gov.hk@JUD.HKSARGKey Version 13key
EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 55 DB 02 94 BC 42 D6 E1 B8 1A E2 B5 C7 F2 94 3F  U....B.........?


[Krb5LoginModule] added Krb5Principal
HTTP/jjoportal.judiciary.gov.hk@JUD.HKSARG to Subject
Commit Succeeded

Found key for HTTP/jjoportal.judiciary.gov.hk@JUD.HKSARG(23)
<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.A
Thread: http-bio-/10.33.111.184-8443-exec-13
Supported Mechanism [0: 1.3.6.1.5.5.2 </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.A
Thread: http-bio-/10.33.111.184-8443-exec-13
Supported Mechanism [1: 1.2.840.113554.1.2.2 </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.<init>
Thread: http-bio-/10.33.111.184-8443-exec-13
true
Kerberos Config :=
FirstTime = true
SignAlias = signing
SignKeystorePassword = 81sZcmCjIcVHm27
SSLAlias = tomcat
SignPassword = G35IicEMPMOCiO2
com.novell.nidp.authentication.local.kerb.upnSuffixes =
Reconfigure = true
TruststorePassword = FUmmj93vNrLm1f6
com.novell.nidp.authentication.local.kerb.ADUserAttr = userprincipalname
EncAlias = encryption
com.novell.nidp.authentication.local.kerb.svcPrincipal = HTTP/jjoportal.judiciary.gov.hk
AuthnRequest = null
SystemAccess = null
LECP = false
OCSPTruststorePassword = TvsQz1uzaHmH740
ExpireCheck = false
DefinesUser = true
com.novell.nidp.authentication.local.kerb.realm = JUD.HKSARG
SSLPassword = 81sZcmCjIcVHm27
EncPassword = Hg4k7Z70r0Aiis5
com.novell.nidp.authentication.local.kerb.kdc = 10.33.112.15
com.novell.nidp.authentication.local.kerb.jaas.conf = /opt/novell/java/jre/lib/security/bcsLogin.conf
</amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z VERBOSE NIDS Application: Executing
authentication method Kerberos </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: KerberosClass.J
Thread: http-bio-/10.33.111.184-8443-exec-13
In isNoNegotiateHeaderExists().... </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: KerberosClass.J
Thread: http-bio-/10.33.111.184-8443-exec-13
No Negotiate Header property Name = null </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: KerberosClass.J
Thread: http-bio-/10.33.111.184-8443-exec-13
isNoNegotiateHeaderExists returns false </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: IPRangeParser.A
Thread: http-bio-/10.33.111.184-8443-exec-13
Input String from kerb.properties: </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: IPRangeParser.A
Thread: http-bio-/10.33.111.184-8443-exec-13
iterative ipAddr string: </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: IPRangeParser.doKerberos
Thread: http-bio-/10.33.111.184-8443-exec-13
Remote Client (Browser or NAT) Address: 10.33.111.183 </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: IPRangeParser.A
Thread: http-bio-/10.33.111.184-8443-exec-13
inRange: no matcing elements found, return false </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: IPRangeParser.doKerberos
Thread: http-bio-/10.33.111.184-8443-exec-13
doKerberos: true </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: KerberosClass.doAuthenticate
Thread: http-bio-/10.33.111.184-8443-exec-13
canDoNegotiate: true </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: http-bio-/10.33.111.184-8443-exec-13
Retrieval of object com.novell.nidp.servlets.NIDPServletSession@5a6e95af
from cache session succeeded using key A005993BBFA0DA119E7FF3075BB9CF9B.
Cache size is 16
</amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: NIDPResourceManager.A
Thread: http-bio-/10.33.111.184-8443-exec-13
Locale: en_US mapped to directory en </amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z VERBOSE NIDS Application:
Authentication method Kerberos requires additional interaction.
</amLogEntry>

<amLogEntry> 2015-01-13T03:13:22Z INFO NIDS Application: AM#500105010:
AMDEVICEID#F1958EC43BB52080: AMAUTHID#A005993BBFA0DA119E7FF3075BB9CF9B:
Contract Kerberos requires additional interaction. </amLogEntry>


Please advise.
Thanks.


--
alanchan1984
------------------------------------------------------------------------
alanchan1984's Profile: https://forums.netiq.com/member.php?userid=3291
View this thread: https://forums.netiq.com/showthread.php?t=52613
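To show how a trace like the one above is read, here is an added Python triage script (not from the post and not NetIQ code) that pulls the decisive facts out of this catalina.out shape and masks the keystore passwords the "Kerberos Config" dump writes in clear. The sample excerpt is constructed from lines of the post with a placeholder password; the verdict strings and helper names are my own.

```python
import re

# Constructed excerpt in the shape of the post's catalina.out (password is a placeholder).
SAMPLE = """\
principal is HTTP/jjoportal.judiciary.gov.hk@JUD.HKSARG
>>> KrbKdcReq send: kdc=10.33.112.15 UDP:88, timeout=30000, number of retries =3, #bytes=159
error code is 25
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Commit Succeeded
<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.A
Supported Mechanism [0: 1.3.6.1.5.5.2 </amLogEntry>
<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.A
Supported Mechanism [1: 1.2.840.113554.1.2.2 </amLogEntry>
<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: SpnegoAuthenticator.<init>
SignKeystorePassword = examplepw
</amLogEntry>
<amLogEntry> 2015-01-13T03:13:22Z DEBUG NIDS Application:
Method: KerberosClass.doAuthenticate
canDoNegotiate: true </amLogEntry>
<amLogEntry> 2015-01-13T03:13:22Z VERBOSE NIDS Application:
Authentication method Kerberos requires additional interaction.
</amLogEntry>
"""

OIDS = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos V5"}

def triage(text):
    """Pull the facts from the Krb5 debug and NIDS entries that decide where the flow stopped."""
    f = {
        "service_principal": re.search(r"principal is (\S+)", text).group(1),
        "kdc": re.search(r"kdc=(\S+) ", text).group(1),
        # error 25 (KDC_ERR_PREAUTH_REQUIRED) is the normal first AS-REQ round trip, not a fault
        "preauth_roundtrip": "error code is 25" in text,
        "etype": re.search(r"EType: \S+\.(\w+)EType", text).group(1),
        "keytab_login_ok": "Commit Succeeded" in text,   # Krb5LoginModule commit with the keytab
        "mechanisms": [OIDS.get(o, o) for o in re.findall(r"Supported Mechanism \[\d+: (\S+)", text)],
        "can_negotiate": "canDoNegotiate: true" in text,  # NIDP may use SPNEGO for this client
        "needs_interaction": "requires additional interaction" in text,  # fell back to login page
    }
    f["verdict"] = ("keytab login and Negotiate support OK; this request did not complete SPNEGO"
                    if f["keytab_login_ok"] and f["can_negotiate"] and f["needs_interaction"]
                    else "IDP keytab login failed" if not f["keytab_login_ok"] else "inspect manually")
    return f

def redact(text):
    """Mask the keystore passwords that the 'Kerberos Config' dump writes in clear to catalina.out."""
    return re.sub(r"(?im)^(\S*Password\s*=\s*)\S+", r"\1<redacted>", text)
```

Run `redact()` over a log before pasting it anywhere public; the post above shows exactly which values the DEBUG dump exposes.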