I'm trying to configure SPNEGO, and am having a problem when verifying the keytab file.
When I test via kinit I get the krb_error 41. I have tried JDK 1.5.20 and 1.6.20 but I get the same error in both. I have been googling this error, and haven't found any solutions. I have verified the server and my PC's time are in sync. If I try an invalid password or a bogus user account I get different errors (i.e., pre-authentication failed).

I'm a bit confused about the difference between a domain and a realm. In LDAP our domain is creata.com (I have this working in CAS). But when I log into Windows the domain is Creata; in situations when I have to log in and specify the domain I use creata\dradtk. When looking at my account in AD, in the dropdown next to login name it's @creata.com, but in the "login username (pre windows 2000)" it's CREATA\

We tried creating a keypass with "/princ HTTP/[email protected]" but I got the same error when testing.

Does anyone have any ideas?

Thanks
Dave

Our admin created the keytab:

ktpass.exe /out cpaus-dradtk-tomcat.keytab /princ HTTP/cpaus-dradtk.creata....@creata /pass ******** /mapuser cpaus-dradtk-tomcat /ptype krb5_nt_principal /crypto rc4-hmac-nt

My testing:

C:\Program Files\Java\jdk1.6.0_16\bin>klist -k
Key tab: D:\tmp\CAS\tomcat1\webapps\cas\WEB-INF\cpaus-dradtk-tomcat.keytab, 1 entry found.
[1] Service principal: HTTP/cpaus-dradtk.creata....@creata
    KVNO: 1

C:\Program Files\Java\jdk1.6.0_16\bin>kinit
Password for dra...@creata:
Exception: krb_error 41 Message stream modified (41) Message stream modified
KrbException: Message stream modified (41)
        at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:96)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:407)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:316)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:257)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)

C:\Windows\krb.ini (JDK 6)
C:\winnt\krb.ini (JDK 5)

[logging]
default = FILE:C:\windows\krb5libs.log
kdc = FILE:C:\windows\krb5kdc.log
admin_server = FILE:C:\windows\kadmind.log

[libdefaults]
ticket_lifetime = 24000
default_realm = CREATA
default_keytab_name = D:\tmp\CAS\tomcat1\webapps\cas\WEB-INF\cpaus-dradtk-tomcat.keytab
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac

[realms]
CREATA = {
    kdc = creataauad1.creata.com:88
}

[domain_realm]
.creata= CREATA
creata= CREATA
.creata.com= CREATA
creata.com= CREATA

When testing in CAS:

2009-10-19 08:48:20,597 INFO [org.jasig.cas.authentication.AuthenticationManagerImpl] - <AuthenticationHandler: org.jasig.cas.support.spnego.authentication.handler.support.JCIFSSpnegoAuthenticationHandler failed to authenticate the user which provided the following credentials: Principal is null>

--
View this message in context: http://www.nabble.com/spenego-setup%2C-kinit-error-tp25950941p25950941.html
Sent from the CAS Users mailing list archive at Nabble.com.
