I want to configure Kerberos authentication so that my Active Directory users can also log in to the IDM User Application.
After configuring the bcsLogin configuration file, when I restart the IDP server as suggested in the Access Manager Appliance Admin guide, using the rcnovell-idp restart command, I can see in the IDP logs that they give me the error [Krb5LoginModule] authentication failed. The IDP logs are given below.
Code:
Debug is  true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is /opt/novell/java/jre/lib/security/spnegoTicket.cache isInitiator true KeyTab is /opt/novell/java/jre/lib/security/nidpkey.keytab refreshKrb5Config is false principal is HTTP/nam.demo.local@DEMO.local tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is HTTP/nam.demo.local@DEMO.local
null credentials from Ticket Cache
>>> KeyTabInputStream, readName(): DEMO.local
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): nam.demo.local
>>> KeyTab: load() entry length: 65; type: 23
Looking for keys for: HTTP/nam.demo.local@DEMO.local
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
Added key: 23version: 3
>>> KdcAccessibility: reset
Looking for keys for: HTTP/nam.demo.local@DEMO.local
Added key: 23version: 3
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.168.1.100 UDP:88, timeout=30000, number of retries =3, #bytes=145
>>> KDCCommunication: kdc=192.168.1.100 UDP:88, timeout=30000,Attempt =1, #bytes=145
>>> KrbKdcReq send: #bytes read=177
>>>Pre-Authentication Data:
	 PA-DATA type = 11
	 PA-ETYPE-INFO etype = 23, salt = 

>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16

>>>Pre-Authentication Data:
	 PA-DATA type = 15

>>> KdcAccessibility: remove 192.168.1.100
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Tue Jan 02 17:58:14 IST 2018 1514896094000
	 suSec is 609948
	 error code is 25
	 error Message is Additional pre-authentication required
	 sname is krbtgt/DEMO.local@DEMO.local
	 eData provided.
	 msgType is 30
>>>Pre-Authentication Data:
	 PA-DATA type = 11
	 PA-ETYPE-INFO etype = 23, salt = 

>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 23, salt = null, s2kparams = null

>>>Pre-Authentication Data:
	 PA-DATA type = 2
	 PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
	 PA-DATA type = 16

>>>Pre-Authentication Data:
	 PA-DATA type = 15

KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
Looking for keys for: HTTP/nam.demo.local@DEMO.local
Added key: 23version: 3
Looking for keys for: HTTP/nam.demo.local@DEMO.local
Added key: 23version: 3
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.168.1.100 UDP:88, timeout=30000, number of retries =3, #bytes=228
>>> KDCCommunication: kdc=192.168.1.100 UDP:88, timeout=30000,Attempt =1, #bytes=228
>>> KrbKdcReq send: #bytes read=1400
>>> KdcAccessibility: remove 192.168.1.100
Looking for keys for: HTTP/nam.demo.local@DEMO.local
Added key: 23version: 3
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
		[Krb5LoginModule] authentication failed 
Message stream modified (41)
<amLogEntry> 2018-01-02T12:28:56Z SEVERE NIDS Application: AM#100104105: AMDEVICEID#6CF8D8AFC3EC4E16:  Could not initialize Kerberos/GSS No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) </amLogEntry>

<amLogEntry> 2018-01-02T12:28:56Z DEBUG NIDS Application: 
Method: SpnegoAuthenticator.<init>
Thread: RMI TCP Connection(2)-127.0.0.1
false
Kerberos Config := 
	com.novell.nidp.authentication.local.kerb.ADUserAttr = userprincipalname
	com.novell.nidp.authentication.local.kerb.upnSuffixes = 
	Reconfigure = true
	com.novell.nidp.authentication.local.kerb.realm = DEMO.local
	com.novell.nidp.authentication.local.kerb.kdc = 192.168.1.100
	com.novell.nidp.authentication.local.kerb.jaas.conf = /opt/novell/java/jre/lib/security/bcsLogin.conf
	com.novell.nidp.authentication.local.kerb.svcPrincipal = HTTP/nam.demo.local@DEMO.local
 </amLogEntry>
On the Active Directory side, inside Local Security Policy, all of the options below are selected in "Network Security: Configure Encryption types allowed for Kerberos":
DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types
And on the user account I checked the options as in the screenshot below:
[Attached screenshot: nam1.JPG]

I am using Windows Server 2012 R2, Access Manager Appliance 4.4 and IDM 4.6.
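
A triage helper for a JDK Kerberos debug trace like the one in the post above, as an added example (not from the original post or the product): it reduces the trace to the principal's realm, the keytab and client encryption types, the KDC error codes and the final failure. The function and field names are hypothetical, and the sample input is constructed from lines in the posted log.

```python
import re

# Numbers as printed by the JDK trace; names from RFC 3961/4757 (etypes) and RFC 4120 (errors).
ETYPES = {16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
ERRORS = {25: "KDC_ERR_PREAUTH_REQUIRED", 41: "KRB_AP_ERR_MODIFIED"}

# Constructed sample: a handful of lines in the shape of the trace in the post.
SAMPLE = """\
principal is HTTP/nam.demo.local@DEMO.local
>>> KeyTab: load() entry length: 65; type: 23
default etypes for default_tkt_enctypes: 17 16 23.
\t error code is 25
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
\t\t[Krb5LoginModule] authentication failed
Message stream modified (41)
"""

def name(table, n):
    return table.get(n, f"unknown({n})")

def triage(trace):
    """Reduce a sun.security.krb5 debug trace to the fields worth comparing with the KDC."""
    princ = re.search(r"principal is \S+@(\S+)", trace, re.I)
    realm = princ.group(1) if princ else None
    keytab = sorted({int(n) for n in re.findall(r"KeyTab: load\(\).*?type: (\d+)", trace)})
    offered = re.search(r"default_tkt_enctypes: ([\d ]+)", trace)
    client = [int(n) for n in offered.group(1).split()] if offered else []
    kdc = [int(n) for n in re.findall(r"error code is (\d+)", trace)]
    final = re.search(r"authentication failed\s+(.+?) \((\d+)\)", trace)
    notes = []
    if realm and realm != realm.upper():
        notes.append(f"realm {realm!r} is not upper case; Kerberos realm names are case-sensitive")
    if keytab == [23] and {17, 18} & set(client):
        notes.append("keytab holds only an rc4-hmac key, although the client also offers AES")
    if kdc and all(c == 25 for c in kdc):
        notes.append("KDC error 25 is the normal pre-authentication round trip, not the failure")
    return {
        "realm": realm,
        "keytab_etypes": [name(ETYPES, e) for e in keytab],
        "client_etypes": [name(ETYPES, e) for e in client],
        "kdc_errors": [name(ERRORS, c) for c in kdc],
        "final_error": (final.group(1), name(ERRORS, int(final.group(2)))) if final else None,
        "notes": notes,
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```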