Results 1 to 7 of 7

Thread: IDM 4.5.3 Kerberos and OSP: Error 'Checksum failed'

Threaded View

  1. #1
    Join Date
    Jan 2010

    IDM 4.5.3 Kerberos and OSP: Error 'Checksum failed'

    I'm trying to get Kerberos working in a test setup and it fails. I've
    followed the steps outlined in the documentation (IDM 4.5.3) but keep
    getting the same error.
    Situation is as follows:

    - Workstation: Windows 7 IE 11
    - DC and KDC: dc0001.test.company.com (server 2012R2), domain
    - Identity Applications server appserver.test.company.com (server
    - DNS name for the Identitity Apps: idm.testcompany.com

    I think I'm struggling with the difference in DNS name and hostname of
    the server. I've followed these steps:

    Init step:
    Checking if Kerberos is working with a test application, sts and other
    Kerberos enabled sites. I can confirm: Kerberos works from the

    1. Create user 'idm' with user logon name 'HTTP/idm.testcompany.com' and
    pre win2000 name 'idm'. Password is set ot QWER1234 (do not change at
    login and no expiry)
    2. Set the SPN with setspn -A HTTP/idm.testcompany.com@TEST.COMPANY.COM
    3. Check with SPN -L: confirmed above SPN
    4. Export keytab: ktpass /out c:\idm.keytab /princ
    HTTP/idm.testcompany.com@TEST.COMPANY.COM /mapuser idm /mapop set /pass
    QWER1234 /crypto All /ptype KRB5_NT_PRINCIPAL

    Now, when checking with SPN -L it shows that the @TEST.COMPANY.COM was
    removed from the SPN with the ktpass command. I don't know why, but i'm
    ignoring this for now.

    5. Create krb5.ini


    default_realm = TEST.COMPANY.COM
    default_keytab_name = FILE:\netiq\idm\apps\tomcat\kerberos\idm.keytab
    kdc_timesync = 0
    forwardable = true
    proxiable = false
    kdc = dc0001.test.company.com
    admin_server = dc0001.test.company.com
    .test.company.com = TEST.COMPANY.COM
    test.company.com = TEST.COMPANY.COM


    6. Create Kerberos_login.config with principal
    'HTTP/idm.testcompany.com@TEST.COMPANY.COM' and pointer to keytab
    7. Changed java.security and added the pointer to the
    8. ran configupdate.bat and changed login to Kerberos. Furthermore added
    a user to both IDM and AD (we have lots of them as we do provisioning).
    CN as linking attribute.
    9. Restarted Identity Apps
    10. Added site to trusted sites and enabled Kerberos in the browser
    (followd by a browser restart)
    11. Purged Kerberos tickets on the workstation
    12. Try https://idm.testcompany.com/landing

    Result: After some time, the login page shows. The OSP logging (set to
    debug) displays:


    Error processing SPNEGO/Kerberos : Error processing SPNEGO/Kerberos : Failure unspecified at GSS-API level (Mechanism level: Checksum failed)


    I'm not sure what to try next. There are some very conflicting posts
    about enabling Kerberos in Tomcat on the web. Some state that you should
    not use the @ sign in the SPN.
    Some say that the server host name should be added as SPN etc. etc. I've
    also set 'this account supports Kerberos AES 128 bit encryption' and
    '... 256 bit encryption...' on the user account. I've also enabled
    'trust this user for delegation' on the user object 'delegation tab'
    after setting the SPN.

    Any Advice ?

    Sjoerdk's Profile: https://forums.netiq.com/member.php?userid=1135
    View this thread: https://forums.netiq.com/showthread.php?t=56022
    Last edited by kgroneman; 16-Jun-2016 at 03:01 PM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts