As per the title, we're having issues with getting our cross domain
Kerberos SSO configured successfully.

The target state is to have 2 organisations (Organisation A and
Organisation B from here out) using Kerberos Auth from their respective
AD environments to authenticate to NAM, NAM to then do a password fetch
and form fill the login page for our intranets (one each).

I've been working off:
- (with the following options for both
organisations (/pass * /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL
+SetPass) and using /in OrgB.keytab /out OrgA.keytab when generating the
Keytab for NAM)
- (Although I'm not using either AD as a user
- I've also added the JCE 7 unlimited strength crypto
( to work with our AD environments

So far I have managed to get everything working for organisation A, which
is the organisation whose AD is being connected to for the Kerberos
connection; however, the authentication for organisation B does not work.

Starting up the IDP we get a "Commit Succeeded"; however, when we attempt
to authenticate with a user from OrgB we get the following:

Entered Krb5Context.acceptSecContext with state=STATE_NEW
Added key: 18version: 38
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> EType: 1EType

<amLogEntry> 2016-11-16T04:31:18Z SEVERE NIDS Application: AM#200104101:
AMDEVICEID#91423A348238438C: AMAUTHID#7179ECB61790E02CCCA7385C03670C30:
Error processing SPNEGO/Kerberos : Error processing SPNEGO/Kerberos :
Error processing SPNEGO/Kerberos : Failure unspecified at GSS-API level
(Mechanism level: Checksum failed) </amLogEntry>

Both of the accounts have domain admin, the same passwords, SPNs set,
etc.

Any suggestions on where to look next?



ataylordc's Profile: