Hi, I was testing and tuning the kerberos/passwordfetchclass that I had
working last week, then when I returned to it a couple of days later,
the Kerberos seems to have broken with the log saying "no kerberos
principal found in the token". It is AM 4.1.1.1 appliance.

Any suggestions as to why this does not work suddenly would be greatly
appreciated.

I have gone through and double-checked all the settings I had when it was
working and they are the same.

Here is the dump of an attempted authentication (the names and IP
addresses have been changed to protect the innocent :-))

Thanks,
Mark Currie






<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: NIDPProxyableServlet.myDoGetWithProxy
Thread: ajp-bio-127.0.0.1-9019-exec-14
****** HttpServletRequest Information:
Method: GET
Scheme: https
Context Path: /nidp
Servlet Path: /idff
Query String:
RequestID=idmu7tLvbcmgi2M8kk8AYjUe9YB8s&MajorVersion=1&MinorVersion=2&IssueInstant=2015-10-09T00%3A14%3A35Z&ProviderID=https%3A%2F%2Fidp.zzzzzzzz.com.au%3A443%2Fnesp%2Fidff%2Fmetadata&RelayState=MA%3D%3D&consent=urn%3Aliberty%3Aconsent%3Aunavailable&ForceAuthn=false&IsPassive=false&NameIDPolicy=onetime&ProtocolProfile=http%3A%2F%2Fprojectliberty.org%2Fprofiles%2Fbrws-art&target=https%3A%2F%2Fvibe2.zzzzzzzz.com.au%2Fssf%2Fa&AuthnContextStatementRef=kerberos%2Ftoken%2Furi
Path Info: /sso
Server Name: idp.zzzzzzzz.com.au
Server Port: 443
Content Length: -1
Content Type: null
Auth Type: null
Request URL: https://idp.zzzzzzzz.com.au/nidp/idff/sso
Host IP Address: 192.168.1.160
Remote Client IP Address: 192.168.1.67
Cookie: (0 of 1): JSESSIONID, FD60D0C9613FB2860C3B1C721EE56C99
Header: Name: accept, Value: application/x-ms-application, image/jpeg,
application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Header: Name: accept-language, Value: en-AU
Header: Name: user-agent, Value: Mozilla/4.0 (compatible; MSIE 7.0;
Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR
3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Header: Name: accept-encoding, Value: gzip
Header: Name: DNT, Value: 1
Header: Name: cookie, Value:
JSESSIONID=FD60D0C9613FB2860C3B1C721EE56C99
Header: Name: connection, Value: Keep-Alive
Header: Name: host, Value: idp.zzzzzzzz.com.au
Header: Name: authorization, Value: Contains Other Authorization
information
Header: Name: Via, Value: 1.1 idp.zzzzzzzz.com.au (Access
Gateway-ag-B143A0E76852AF1D-5156)
Session Id: FD60D0C9613FB2860C3B1C721EE56C99
Session Last Accessed Time: 1444349675375
</amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-14

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@6510298b
from cache session succeeded using key FD60D0C9613FB2860C3B1C721EE56C99.
Cache size is 6
</amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application: AM#600105011:
AMDEVICEID#E0B13F0F3BB6CB52: AMAUTHID#FD60D0C9613FB2860C3B1C721EE56C99:
IDP liberty12 handler to process request received for /nidp/idff
</amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: CacheMap.A
Thread: ajp-bio-127.0.0.1-9019-exec-14

Retrieval of object com.novell.nidp.servlets.NIDPServletSession@6510298b
from cache session succeeded using key FD60D0C9613FB2860C3B1C721EE56C99.
Cache size is 6
</amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z VERBOSE NIDS Application: Session has
consumed authentications: false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: ProxyProfile.isProxyRequest
Thread: ajp-bio-127.0.0.1-9019-exec-14
/nidp/idff/sso is a ProxyRequest: false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z INFO NIDS Application: AM#500105016:
AMDEVICEID#E0B13F0F3BB6CB52: AMAUTHID#FD60D0C9613FB2860C3B1C721EE56C99:
Processing login resulting from Service Provider authentication request.
</amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z VERBOSE NIDS Application: Session has
consumed authentications: false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z INFO NIDS Application: AM#500105009:
AMDEVICEID#E0B13F0F3BB6CB52: AMAUTHID#FD60D0C9613FB2860C3B1C721EE56C99:
Executing contract KerberosPW-Contract. </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z VERBOSE NIDS Application: Session has
consumed authentications: false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z VERBOSE NIDS Application: Session has
consumed authentications: false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: LocalAuthenticationClass.<init>
Thread: ajp-bio-127.0.0.1-9019-exec-14
Parameter m_ExpiredCheck(ExpiredCheck) = false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z VERBOSE NIDS Application: Executing
authentication method Introduction </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z VERBOSE NIDS Application:
Authentication method Introduction failed while executing the class
com.novell.nidp.authentication.local.IntroductionClass@46584d5d
</amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z VERBOSE NIDS Application: Session has
consumed authentications: false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z VERBOSE NIDS Application: Session has
consumed authentications: false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z VERBOSE NIDS Application: Session has
consumed authentications: false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: LocalAuthenticationClass.<init>
Thread: ajp-bio-127.0.0.1-9019-exec-14
Parameter m_ExpiredCheck(ExpiredCheck) = false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: LocalAuthenticationClass.<init>
Thread: ajp-bio-127.0.0.1-9019-exec-14
Parameter m_ExpiredCheck(ExpiredCheck) = false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z VERBOSE NIDS Application: Executing
authentication method Kerberos_Method </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: KerberosClass.L
Thread: ajp-bio-127.0.0.1-9019-exec-14
In isNoNegotiateHeaderExists().... </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: KerberosClass.L
Thread: ajp-bio-127.0.0.1-9019-exec-14
No Negotiate Header property Name = null </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: KerberosClass.L
Thread: ajp-bio-127.0.0.1-9019-exec-14
isNoNegotiateHeaderExists returns false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: KerberosClass.doAuthenticate
Thread: ajp-bio-127.0.0.1-9019-exec-14
canDoNegotiate: true </amLogEntry>

<AMLOGENTRY> 2015-10-09T00:14:35Z SEVERE NIDS APPLICATION: AM#200104102:
AMDEVICEID#E0B13F0F3BB6CB52: AMAUTHID#FD60D0C9613FB2860C3B1C721EE56C99:
NO KERBEROS PRINCIPAL FOUND IN THE TOKEN </AMLOGENTRY>

<AMLOGENTRY> 2015-10-09T00:14:35Z SEVERE NIDS APPLICATION: AM#200104112:
AMDEVICEID#E0B13F0F3BB6CB52: AMAUTHID#FD60D0C9613FB2860C3B1C721EE56C99:
NO USER MATCHED IN THE USERSTORE(S) </AMLOGENTRY>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: KerberosClass.doAuthenticate
Thread: ajp-bio-127.0.0.1-9019-exec-14
canDoNegotiate: false </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: KerberosClass.doAuthenticate
Thread: ajp-bio-127.0.0.1-9019-exec-14
doForm: true </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: KerberosClass.K
Thread: ajp-bio-127.0.0.1-9019-exec-14
Doing Form Login ... </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: ajp-bio-127.0.0.1-9019-exec-14
Attribute added to page [login] is
[url]=[https://idp.zzzzzzzz.com.au/nidp/idff/sso?sid=1]. </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: PageToShow.addAttribute
Thread: ajp-bio-127.0.0.1-9019-exec-14
Attribute added to page [login] is
[target]=[https://vibe2.zzzzzzzz.com.au/ssf/a]. </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: KerberosClass.K
Thread: ajp-bio-127.0.0.1-9019-exec-14
namePwdresult: 6 </amLogEntry>

<amLogEntry> 2015-10-09T00:14:35Z DEBUG NIDS Application:
Method: KerberosClass.K
Thread: ajp-bio-127.0.0.1-9019-exec-14
goErr() ... </amLogEntry>

