I'm trying to configure SPNEGO, and am having a problem when verifying the keytab file.
When I test via kinit I get krb_error 41. I have tried JDK 1.5.20 and 1.6.20 but I get the same error in both. I have been googling this error, and haven't found any solutions. I have verified the server's and my PC's time are in sync. If I try an invalid password, or a bogus user account, I get different errors (i.e., pre-authentication failed).
I'm a bit confused about the difference between a domain and a realm. In LDAP our domain is creata.com (I have this working in CAS), but when I log into Windows the domain is Creata; in situations when I have to log in and specify the domain I use creata\dradtk. When looking at my account in AD, in the dropdown next to login name it's @creata.com, but in the "login username (pre Windows 2000)" it's CREATA\. We tried creating a keytab with "/princ HTTP/cpaus-dradtk.creata.com@CREATA.COM" but I got the same error when testing.
Does anyone have any ideas?
Thanks
Dave
Our admin created the keytab with:
ktpass.exe /out cpaus-dradtk-tomcat.keytab /princ HTTP/cpaus-dradtk.creata.com@CREATA /pass ******** /mapuser cpaus-dradtk-tomcat /ptype krb5_nt_principal /crypto rc4-hmac-nt
My Testing:
C:\Program Files\Java\jdk1.6.0_16\bin>klist -k
Key tab: D:\tmp\CAS\tomcat1\webapps\cas\WEB-INF\cpaus-dradtk-tomcat.keytab, 1 entry found.
[1] Service principal: HTTP/cpaus-dradtk.creata.com@CREATA
KVNO: 1
C:\Program Files\Java\jdk1.6.0_16\bin>kinit
Password for dradtk@CREATA:
Exception: krb_error 41 Message stream modified (41) Message stream modified
KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:96)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:407)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:316)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:257)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
C:\Windows\krb.ini (JDK 6)
C:\winnt\krb.ini (JDK 5)
[logging]
default = FILE:C:\windows\krb5libs.log
kdc = FILE:C:\windows\krb5kdc.log
admin_server = FILE:C:\windows\kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = CREATA
default_keytab_name = D:\tmp\CAS\tomcat1\webapps\cas\WEB-INF\cpaus-dradtk-tomcat.keytab
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
[realms]
CREATA = {
kdc = creataauad1.creata.com:88
}
[domain_realm]
.creata= CREATA
creata= CREATA
.creata.com= CREATA
creata.com= CREATA
When testing in CAS:
2009-10-19 08:48:20,597 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>
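The testing above uses CREATA (the pre-Windows 2000 domain name) as the realm everywhere while the DNS domain is creata.com. As an added example that is not part of this thread, the following Python check reads a krb5.ini and a keytab principal and reports every place the realm differs from the uppercase DNS domain, which is the realm name an Active Directory KDC issues tickets for. Assumptions: the AD realm equals the uppercase DNS domain, and the config text is a constructed sample modelled on the one posted, not the original file.

```python
# Constructed sample modelled on the krb5.ini posted above (trimmed).
SAMPLE_INI = """[libdefaults]
default_realm = CREATA
[realms]
CREATA = {
kdc = creataauad1.creata.com:88
}
[domain_realm]
.creata.com= CREATA
creata.com= CREATA
"""

def parse_krb5_ini(text):
    """Minimal krb5.ini reader -> {section: {key: value}}.
    Realm names in [realms] are recorded; the kdc lines inside the
    braces are skipped, since only the names matter for the check."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif line.endswith("{"):                 # start of a realm block
            sections[current][line.split("=")[0].strip()] = "{"
            depth += 1
        elif line == "}":                        # end of a realm block
            depth -= 1
        elif "=" in line and depth == 0 and current:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def realm_findings(ini_text, keytab_principal, ad_dns_domain):
    """List every place the configured realm is not the uppercase DNS
    domain (assumed here to be the realm AD actually uses)."""
    expected = ad_dns_domain.upper()
    cfg = parse_krb5_ini(ini_text)
    findings = []
    princ_realm = keytab_principal.rsplit("@", 1)[-1]
    if princ_realm != expected:
        findings.append(f"keytab principal realm {princ_realm!r} != {expected!r}")
    default_realm = cfg.get("libdefaults", {}).get("default_realm")
    if default_realm != expected:
        findings.append(f"default_realm {default_realm!r} != {expected!r}")
    if expected not in cfg.get("realms", {}):
        findings.append(f"[realms] has no entry for {expected!r}")
    for dom, realm in cfg.get("domain_realm", {}).items():
        if realm != expected:
            findings.append(f"[domain_realm] maps {dom!r} to {realm!r}, not {expected!r}")
    return findings
```

Run against the posted principal HTTP/cpaus-dradtk.creata.com@CREATA and domain creata.com it reports five mismatches; with every CREATA replaced by CREATA.COM it reports none.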