Hello,

I'm trying to set up Kerberos SSO for IDM 4.5.

I would like to SSO to the IDM User Application when I'm already Windows AD
authenticated.

IDM 4.5 is set up with OSP + SSPR and normal login is working well.

I followed the documentation here: http://tinyurl.com/glan5zx

1) I have created the AD user with login name HTTP/iam1.adir.local
2) Associated the user with the SPN:
setspn -A HTTP/iam1.adir.local@ADIR.LOCAL iam1
3) Verified the SPN:
C:\Users\Administrator.ADIR>setspn -L iam1
Registered ServicePrincipalNames for
CN=IAM1,CN=Computers,DC=adir,DC=local:
HTTP/iam1.adir.local@ADIR.LOCAL
WSMAN/iam1
WSMAN/iam1.adir.local
RestrictedKrbHost/IAM1
HOST/IAM1
RestrictedKrbHost/iam1.adir.local
HOST/iam1.adir.local

4) Generated the keytab:
C:\Users\Administrator.ADIR>ktpass /out iam1.keytab /princ HTTP/iam1.adir.local@ADIR.LOCAL /mapuser iam1@adir.local /mapop set /pass pa$$w0rd /crypto All /ptype KRB5_NT_PRINCIPAL

5) Created the krb5.ini in c:\Windows
[libdefaults]
default_realm = ADIR.LOCAL
kdc_timesync = 0
forwardable = true
proxiable = false
[realms]
ADIR.LOCAL = {
kdc = winad.adir.local
admin_server = winad.adir.local
}
[domain_realm]
.adir.local = ADIR.LOCAL
adir.local = ADIR.LOCAL

6) Copied the keytab file to c:\netiq\idm\apps\tomcat\kerberos

7) Created the Kerberos_login.config
com.sun.security.jgss.krb5.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug="true"
    refreshKrb5Config="true"
    useTicketCache="true"
    ticketCache="c:\\NetIQ\\idm\\apps\\tomcat\\kerberos\\spnegoTicket.cache"
    doNotPrompt="true"
    principal="HTTP/iam1.adir.local@ADIR.LOCAL"
    useKeyTab="true"
    keyTab="c:\\NetIQ\\idm\\apps\\tomcat\\kerberos\\iam1.keytab"
    storeKey="true";
};
8) And updated the java.security file:
#Kerberos config - updated April 2016
login.config.url.1=file:c:/NetIQ/idm/apps/tomcat/kerberos/Kerberos_login.config

9) And updated the Authentication method with configupdate --> Method =
Kerberos

10) I have restarted Tomcat (and everything else) and get this error in
the OSP log (this is the only error at TRACE level):

[OIDP]
Time: 2016-04-05T13:09:11.108+0200
Level: ERROR
Java Execution:
Class: com.novell.oidp.spnego.KerberosAuthenticator
Method: A
Line Number: -1
Thread: localhost-startStop-1
Message: Could not initialize Kerberos/GSS No valid credentials provided
(Mechanism level: Attempt to obtain new ACCEPT credentials failed!)

Any help?

Thanks a lot

Regards

Sylvain


--
sma
------------------------------------------------------------------------
sma's Profile: https://forums.netiq.com/member.php?userid=174
View this thread: https://forums.netiq.com/showthread.php?t=55657
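The "Attempt to obtain new ACCEPT credentials failed" message from the JGSS acceptor means the Krb5LoginModule could not load a key for the principal named in Kerberos_login.config. A quick way to rule out the keytab itself is to read the file and compare the principals it holds, byte for byte, with the principal= value in the JAAS entry. The script below is an added example, not code from the thread or from NetIQ; it implements a reader for the version 0x0502 keytab layout that ktpass writes (a sequence of entries: component count, realm, name components, name type, timestamp, key version, encryption type and key), and it builds a constructed sample keytab in memory so it runs offline. The sample key bytes and timestamp are dummies; in practice you would pass the bytes of the real iam1.keytab to check_keytab.

```python
"""Read a Kerberos keytab and confirm it contains a key for the principal that a
JAAS Krb5LoginModule entry (principal="...") expects.  Added example; the keytab
below is constructed in-memory with dummy key material."""
import struct

# Well-known RFC 3961/3962 encryption type numbers (ktpass /crypto All emits several)
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1          # the /ptype used in the post


def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Parse a 0x0502 keytab into a list of entries (principal, enctype, kvno)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, off)
        off += 9
        etype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen                  # skip the key bytes; we never need them
        if end - off >= 4:               # optional 32-bit kvno after the key
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": kvno, "enctype": ENCTYPE_NAMES.get(etype, str(etype))})
        off = end
    return entries


def check_keytab(data, expected_principal):
    """Return the enctype names available for expected_principal (exact, case-sensitive
    match, as Kerberos requires); an empty list means the JAAS acceptor cannot load a key."""
    return [e["enctype"] for e in parse_keytab(data) if e["principal"] == expected_principal]


def build_keytab_entry(principal, etype, key, kvno=1, timestamp=0):
    """Serialise one keytab entry in the 0x0502 layout (used only to construct the sample)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: what ktpass /crypto All might write for the SPN in the post.
SERVICE_PRINCIPAL = "HTTP/iam1.adir.local@ADIR.LOCAL"
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_keytab_entry(SERVICE_PRINCIPAL, 18, b"\x11" * 32, kvno=3)
                 + build_keytab_entry(SERVICE_PRINCIPAL, 23, b"\x22" * 16, kvno=3))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
    print("keys for JAAS principal:", check_keytab(SAMPLE_KEYTAB, SERVICE_PRINCIPAL))
    print("keys for mis-cased principal:", check_keytab(SAMPLE_KEYTAB, "HTTP/IAM1.adir.local@ADIR.LOCAL"))
```

Two things worth checking with the output: the principal string must match the JAAS principal= value exactly, including case of the host part and realm (the mis-cased lookup above returns nothing), and the kvno in the keytab must match the key version AD holds for the account, which changes every time ktpass or a password reset is run with /mapop set.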