Some hints: use the following commands to test your keytab file:

    kinit -k -t /etc/krb5.keytab HTTP/idp.aa.com
    kvno -k /etc/krb5.keytab HTTP/idp.aa.com

The second command should report something like "keytab entry valid".

Set file system permissions of the keytab file so that the Shibboleth IdP can read it. (/etc/krb5.keytab is usually only readable by root while the IdP process runs under the id of e.g. tomcat. So it would be better to use another location for the keytab...)

On 17.06.2012 09:11, xinyi yu wrote:
> Hi,
> I use kerberos on shibboleth, but I get "Authentication failed" on the
> login page. I create the HTTP/idp.aa.com and write the key in the
> /etc/krb5.keytab . I use kinit -k HTTP/idp.aa.com
> -t /etc/krb5.keytab and scp the krb5.keytab file to sp
>
> idp-process.log
> 21:47:40.989 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] - kerberos idp servlet started
> 21:47:40.990 - DEBUG [ch.SWITCH.aai.idp.kerberos.HttpNegotiator:72] - HTTP: Returning response code '401'. Authorization header not found.
> 21:47:41.757 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] - kerberos idp servlet started
> 21:47:41.758 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:156] - Authentication process error.
>
> Any clue will be appreciated.
> Thanks
> xinyi
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Mark Pröhl
[email protected]
www.kerberos-buch.de
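
Added example (not part of the original mails): a shell check for the permission advice above, for a keytab kept in its own location and owned by the account the IdP runs as. The function name keytab_audit, the keytab path and the tomcat account in the usage comment are assumptions, and stat -c requires GNU coreutils.

```shell
#!/bin/sh
# Added example: audit ownership and mode of a dedicated service keytab.
# A keytab holds the service's long-term keys, so only the account that
# runs the IdP should be able to read it.
#
# Usage (hypothetical path and account):
#   keytab_audit /etc/shibboleth/idp.keytab "$(id -u tomcat)"
# Returns 0 if the file is fine, 1 on a finding, 2 if the file is missing.

keytab_audit() {
    kt=$1          # path to the keytab
    want_uid=$2    # numeric uid of the service account
    rc=0

    if [ ! -f "$kt" ]; then
        echo "keytab not found: $kt"
        return 2
    fi

    owner_uid=$(stat -c %u "$kt")   # GNU stat: numeric owner
    mode=$(stat -c %a "$kt")        # GNU stat: octal mode, e.g. 600

    # The service account itself must own the file; otherwise the IdP
    # either cannot read it or someone else controls its contents.
    if [ "$owner_uid" != "$want_uid" ]; then
        echo "owner uid is $owner_uid, expected $want_uid"
        rc=1
    fi

    # Only owner read (and optionally write) is acceptable; any group
    # or other bit exposes the keys to additional local accounts.
    case $mode in
        400|600) ;;
        *) echo "mode $mode: expected 400 or 600"
           rc=1 ;;
    esac

    return $rc
}
```

Once the audit passes, run the kinit and kvno commands from the reply as the service account rather than as root, so the test exercises the same file access the IdP has.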
