Hi,

We're using Win2k8 AD, and I used a similar ktpass command to generate the server's keytab. I think the "client not found" error is triggered because you attempt to authenticate as [email protected] instead of HTTP/[email protected].

On our Linux box, I used this command to test:

    #kinit -V -k -t http-dev.keytab "HTTP/dev.mydomain.com"
    Authenticated to Kerberos v5

then klist shows expected kerberos ticket.

Regards.

On 13/12/2012 18:39, brett_sinclair wrote:

Hi

I am trying to get SPNEGO working. I have followed the instructions (I hope!) in the SPNEGO page in the manual but have hit a brick wall, hopefully someone can help!!!

My Active Directory machine and my tomcat machine are both Windows 2008 servers (test virtual machines). I set up a test domain with them both on.

When I try to login to the cas application I get an NTLM token instead of kerberos, but searching around and looking at different posts I have read that I should make sure that the kerberos is working using the kinit command first, so it is here I think I have found the problem:

- on the AD machine
- I created a user myspntest2
- I ran the command:

    ktpass.exe /out win2008test2.keytab /princ HTTP/[email protected] /pass * /mapuser [email protected] /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

- on the tomcat machine
- I have copied the win2008test2.keytab
- edited the krb5.conf to point to the new keytab
- when I run the klist command I get:

    C:\Users\administrator.TESTDOMAIN>klist -k
    Key tab: C:\test\win2008test2.keytab, 1 entry found.
    [1] Service principal: HTTP/[email protected] KVNO: 3

- all looks ok to me so far but when I run the kinit command I get:

    C:\Users\administrator.TESTDOMAIN>kinit win2008test2.testdomain.com
    Password for [email protected]:
    Exception: krb_error 6 Client not found in Kerberos database (6) Client not found in Kerberos database
    KrbException: Client not found in Kerberos database (6)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
        at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:404)
        at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:308)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:237)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:107)
    Caused by: KrbException: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
        at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
        at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
        at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
        ... 5 more

Does anyone have any clue as to why the user cannot be found in the database? Are there any special settings or permissions I need to give to the "myspntest2" user for this to work?

Any ideas anyone,

Thanks in advance

--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
