On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
> Thanks. But my problem is not OTP per se but Kerberos through Java.
> Specifically I'm getting the error below.
>
> javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
>     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
> Caused by: sun.security.krb5.KrbException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
>     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
> Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
>     at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>
> Any pointers?

Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features and APIs (years behind). In this case what happens is that your Java module probably does not support FAST preauth.

> On 1 March 2016 at 21:01, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
> > On Tue, 01 Mar 2016, Prashant Bapat wrote:
> >
> >> Hi,
> >>
> >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
> >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
> >>
> >> I've installed ipa-client on a server and connected it to ipa. Shibboleth
> >> is installed on this server and I'm able to get the Kerberos authentication
> >> working. Documented here
> >> <https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration>.
> >>
> >> However if I bring OTP into picture, authentication fails. Error message is
> >> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
> >>
> >> Any pointers on how to make OTP work?
> >>
> > http://www.freeipa.org/page/V4/OTP
> > http://www.freeipa.org/page/V4/OTP/Detail
> >
> > --
> > / Alexander Bokovoy
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Simo Sorce * Red Hat, Inc * New York