As per the title, we're having issues with getting our cross domain
Kerberos SSO configured successfully.

The target state is to have 2 organisations (Organisation A and
Organisation B from here out) using Kerberos Auth from their respective
AD environments to authenticate to NAM, NAM to then do a password fetch
and form fill the login page for our intranets (one each).

I've been working off:
- http://tinyurl.com/kmkofdg (with the following options for both
organisations (/pass * /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
+SetPass) and using /in OrgB.keytab /out OrgA.keytab when generating the
Keytab for NAM)
- http://tinyurl.com/nbsrsd7 (Although I'm not using either AD as a user
store)
- I've also added the JCE 7 unlimited strength crypto
(http://tinyurl.com/cx5p7xf) to work with our AD environments'
encryption.

So far I have managed to get everything working for organisation A, which
is the organisation whose AD is being connected to for the Kerberos
connection; however, the authentication for organisation B does not work.


Starting up the IDP we get a "Commit Succeeded" however when we attempt
to authenticate with a user from OrgB we get the following:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 18version: 38
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType

<amLogEntry> 2016-11-16T04:31:18Z SEVERE NIDS Application: AM#200104101:
AMDEVICEID#91423A348238438C: AMAUTHID#7179ECB61790E02CCCA7385C03670C30:
Error processing SPNEGO/Kerberos : Error processing SPNEGO/Kerberos :
Error processing SPNEGO/Kerberos : Failure unspecified at GSS-API level
(Mechanism level: Checksum failed) </amLogEntry>

Both of the accounts have domain admin, the same passwords, SPNs set,
etc.

Any suggestions on where to look next?

Thanks

Adam


--
ataylordc