Priya B wrote:
> Thank you so much for your response!
>
> We modified the krb5.conf file (as below) and also switched from UDP
> to TCP. Now we're not getting any errors in the trace. But still we
> don't get the service ticket (same exception). In the trace for some
> reason, after the client gets the TGS response, the client closes the
> TCP connection, and never tries to get a service ticket. It is not
> querying regarding the service at all.
>
> Anyway, below are some answers to your questions:
>
> What version of Java?
>>>> 1.6
>
>
> Do you have cross realm setup between the two realms?
>>>> It should be there, because we have another application (based on SSPI)
>>>> using which we are able to sign-in to the same service.
>
>
> Do you have the krb5.conf on the client setup for cross realm?
>>>> We have. Below is the conf file. Do let us know if it needs any
>>>> corrections.
Note that Kerberos implementations just ignore unknown lines in the
krb5.conf, so you must be careful to get them correct.
>
> --------------------------------------------------------------
>
>
> [libdefaults]
> udp_preference_limit = 1
> default_realm = REALM1.COM
> dns_lookup_kdc = true
> [realms]
> REALM1.COM = {
> kdc = host1.realm1.com
> default_domain = realm1.com
>
> }
>
> REALM2.COM = {
>
> realm_type = WINNTv1
>
> ENC_TYPES_LIST = RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC
>
What are the above two lines? What documentation were you reading on how to
set up a krb5.conf for Java? And what is "WINNTv1"? "NT" implies a very old OS.
Windows 2000 was the first that I know of that supports Kerberos.
>
> kdc = {
>
> name = host2.realm2.com
> default_domain = .realm2.com
>
> protocol = TCP
>
> }
>
> }
>
>
>
> [domain_realm]
> .realm1.com = REALM1.COM
> .realm2.com =REALM2.COM
>
>
>
>
> [capaths]
> REALM1.COM = {
> REALM2.COM = .
> }
>
> REALM2.COM = {
> REALM1.COM = .
> }
>
>
> [logging]
>
>
> --------------------------------------------------------------
>
> Is one or both of the realms Windows AD?
>>>> Shall confirm that soon.
>
>
> You appear to have done some tracing, but have not said where you are
> seeing these messages or how far along the process of getting tickets
> has gotten. i.e. client to client's KDC or client to server's KDC.
>>>> client to client's KDC
>
>
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
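A small check in the spirit of the warning above that Kerberos silently ignores unknown lines in krb5.conf, as an added example (not code from this list or from MIT Kerberos): it walks the [realms] section and reports relations outside a known set, plus nested subsections such as `kdc = { ... }` that are syntactically accepted but meaningless as realm relations. The known-key set and the sample config are assumptions constructed for the demo.

```python
import re

# Relations MIT krb5 documents for [realms] (partial set, assumed sufficient here)
KNOWN_REALM_KEYS = {"kdc", "admin_server", "master_kdc", "primary_kdc",
                    "kpasswd_server", "default_domain", "auth_to_local",
                    "auth_to_local_names", "database_module", "http_anchors"}

def lint_realms(conf: str) -> list:
    """Return (line_number, message) for lines in [realms] that krb5
    would accept syntactically but silently ignore or misread."""
    findings, section, realm, depth = [], None, None, 0
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments/blank
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                       # new section header
            section, realm, depth = m.group(1), None, 0
            continue
        if section != "realms":
            continue
        if line == "}":                             # close a brace block
            depth -= 1
            realm = None if depth == 0 else realm
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            findings.append((no, f"unparseable line {raw.strip()!r}"))
        elif m.group(2) == "{" and depth == 0:      # REALM.NAME = {
            realm, depth = m.group(1), 1
        elif m.group(2) == "{":                     # e.g. kdc = { ... }
            depth += 1
            findings.append((no, f"{realm}: '{m.group(1)}' is a subsection, "
                                 "not a realm relation; krb5 ignores it"))
        elif m.group(1).lower() not in KNOWN_REALM_KEYS:
            findings.append((no, f"{realm}: unknown relation "
                                 f"'{m.group(1)}' is silently ignored"))
    return findings

# Constructed sample mirroring the shape of the config under discussion.
SAMPLE = """\
[realms]
REALM2.COM = {
  kdc = host1.realm1.com
  realm_type = WINNTv1
  ENC_TYPES_LIST = RC4_HMAC, DES_CBC_MD5
  kdc = {
    name = host2.realm2.com
  }
}
"""
```

Run `lint_realms(SAMPLE)` to see each ignored line reported with its line number; a clean realm block with only documented relations yields an empty list.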