1) In the Active Directory, is the userPrincipalName or one of the altSecurityIdentities of the admin account jdraht/ad...@realm?
2) Might you be running Windows Server 2008 without Service Pack 2 on your AD? Before SP2 there was a bug that prevented any account with a "/" from authenticating.

-Ross

-----Original Message-----
From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Jeff draht
Sent: Friday, January 07, 2011 1:13 PM
To: kerberos@mit.edu
Subject: Cross Realm Administration?

We are testing Single Signon; I have a MS2008 KDC and AD server are one in the same, and a Solaris_10 ldap Client in a SAP environment which we seem to have partially kerberized. I can do a klist, klist -k and see my keytab... single signon works for the most part, we can login and authenticate against the AD Server.

We used the adjoin.sh provided by SUN/Oracle to establish a Kerberos Client Connection. I have even merged a few userid entries to the keytab. I can list them out with klist -k. I can kinit userid w/o issue. All ldap client commands function just fine...

I created the keytabs for one userid manually and the other I had the PC team create using ktpass as per the Instructions on MS TechNet. He created a key and I merged it in on the solaris machine. I can see the entries just fine.

What I cannot do is make kadmin work so that I can do remote kerberos administration or get the seam tool to authenticate? When I run kadmin I get the following error; We have a default REALM, I just did not want to post it all over the internet...

Authenticating as principal jdraht/ad...@realm with password.
kadmin: Client not found in Kerberos database while initializing kadmin interface

When I run seam tool it populates 2 of 4 fields correctly and I add jdraht/ad...@realm and the password I get "Client not found in kerberos database?"

The PC Admins claim that all fields are correct, they show me snapshots. Also, they claim that the DC's replicated the info fine. I am out of ideas? I have been and am reading every blog, support doc out there and am trying suggestions w/negres...
Sun helped with the LDAP, but claim that kerberos and AD is not their area of expertise?

Also and this may be related, the SAP DBA's are trying to use SNC and there seems to be an issue there? Maybe a Library issue or related to the above? Not sure yet? One problem at a time?

Has anyone gone thru this exercise? If you have any suggestions? or can point me in a direction for support, please advise?

Thanks,
Jeff
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos