Hi all

I'm trying to set up Kerberos, and in the OSP log I find the error "Could not initialize Kerberos/GSS No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)"

Environment
Portal server
> RHEL 7.3 64 bits (GUI)
> Tomcat 7.0.55
> IDMProv 4.5.6 (43710)
> landing 4.5.6 (1014)
> OSP 6.0.0 r5
IDM server
> RHEL 7.3 64 bits (GUI)
> eDirectory 9.0 SP3 Patch 1 (40005.13)
> IDM 4.5.6.0
AD Server
> Windows Server 2008


I followed the documentation

AD Server:
Service Account for Kerberos in AD: user.kerberos

Code:
setspn -S HTTP/portal.domain.net user.kerberos
Code:
 ktpass /out c:\user.kerberos.keytab /mapuser tiam.kerberos@DOMAIN.NET /princ tiam.kerberos@DOMAIN.NET /pass ***** /crypto All /kvno 0 -ptype KRB5_NT_PRINCIPAL
UA Server:

>> krb5.conf (/opt/netiq/idm/apps/tomcat/conf/)
Code:
[libdefaults]
default_realm = DOMAIN.NET
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
 
[realms]
DOMAIN.NET = {
 kdc = server-dc2.domain.net:88
}
 
[domain_realm]
.domain.net = DOMAIN.NET
domain.net = DOMAIN.NET
>> Kerberos_login.config (/opt/netiq/idm/apps/tomcat/kerberos/)
Code:
com.sun.security.jgss.krb5.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt="true"
        principal="user.kerberos@DOMAIN.NET"
        useKeyTab="true"
        keyTab="/opt/netiq/idm/apps/kerberos/user.kerberos.keytab"
        storeKey="true";
};
>> java.security (/opt/netiq/idm/apps/jre/lib/security/)
Code:
login.config.url.1=file:/opt/netiq/idm/apps/tomcat/kerberos/Kerberos_login.config
>> configupdate.sh (/opt/netiq/idm/apps/UserApplication)
  • 2) Authentication
  • 77) Show advanced Options
  • 3) Authentication Method
  • 2) Kerberos
  • 3) SSO Clients
  • all OAuth redirect URLs http://portal.domain.net:8080/....


With another application it was proved that the URL works correctly with Kerberos, but when pointing it to IDMProv, it gives the errors that are observed in the OSP log.

osp-idm.2017-08-08.zip

Thanks a lot.

Regards.
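An added diagnostic, not part of the original post or of the NetIQ product: "Attempt to obtain new ACCEPT credentials failed" is what JGSS reports when the accept-side Krb5LoginModule (useKeyTab=true) finds no usable key for its configured principal, so the first thing to verify is that the keytab actually contains an entry for the exact principal named in Kerberos_login.config, with a kvno and enctype the KDC will issue. The script below parses a keytab file and performs that comparison; the sample keytab and JAAS text are constructed from the names in the post (the ktpass principal versus the JAAS principal), and build_entry exists only to create that sample.

```python
import re
import struct

def _counted(buf, off):
    """Read a 16-bit big-endian length prefix followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version-0x0502 (MIT/Heimdal) keytab into (principal, kvno, enctype) tuples."""
    if data[:2] != b"\x05\x02": raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off + 4 <= len(data):
        off, size = off + 4, struct.unpack_from(">i", data, off)[0]
        if size < 0:                        # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _, _, kvno = struct.unpack_from(">IIB", data, off)   # name_type, timestamp, 8-bit kvno
        (enctype,) = struct.unpack_from(">H", data, off + 9)
        _, off = _counted(data, off + 11)   # key bytes; not needed for this check
        if end - off >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, off)[0] or kvno
        off = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries

def check_accept_credentials(jaas_text, keytab_bytes):
    """Return (JAAS principal, keytab entries for it); an empty list means no ACCEPT credentials."""
    m = re.search(r'principal\s*=\s*"([^"]+)"', jaas_text)
    want = m.group(1) if m else None
    return want, [e for e in parse_keytab(keytab_bytes) if e[0] == want]

def build_entry(principal, kvno, enctype, key):
    """Build one keytab entry; used here only to construct sample data."""
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: keytab for the ktpass principal (rc4-hmac = enctype 23) vs. the JAAS principal.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("tiam.kerberos@DOMAIN.NET", 3, 23, b"\x11" * 16)
SAMPLE_JAAS = 'com.sun.security.jgss.krb5.accept { principal="user.kerberos@DOMAIN.NET" };'
print(check_accept_credentials(SAMPLE_JAAS, SAMPLE_KEYTAB))   # ('user.kerberos@DOMAIN.NET', [])
```

On a real system, pass the bytes of the file named in keyTab= and the text of Kerberos_login.config to check_accept_credentials; an empty list points at a principal or path mismatch, and a kvno lower than the account's current one on the DC (or an enctype absent from krb5.conf) would be the next things to compare.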