some more hints:

- do not copy the keytab file to the Shibboleth SP systems. In general a keytab should only be located on the server it was created for -- in case of kerberized Shibboleth this is the IdP. Other services must not be able to read the keys from the keytab file. This would be a big security issue.
- can you post the kerberos part of your Shibboleth configuration?

On 18.06.2012 20:40, Mark Pröhl wrote:
> some hints:
>
> use the following commands to test your keytab file:
>
> kinit -k -t /etc/krb5.keytab HTTP/idp.aa.com
> kvno -k /etc/krb5.keytab HTTP/idp.aa.com
>
> the second command should report something like "keytab entry valid".
>
> Set file system permissions of the keytab file so that the Shibboleth IdP can read it. (/etc/krb5.keytab is usually only readable by root while the IdP process runs under the id of e.g. tomcat. So it would be better to use another location for the keytab...)
>
>
> On 17.06.2012 09:11, xinyi yu wrote:
>> Hi,
>> I use kerberos on shibboleth, but I get "Authentication failed" on the login page. I create the HTTP/idp.aa.com and write the key in the /etc/krb5.keytab . I use kinit -k HTTP/idp.aa.com -t /etc/krb5.keytab and scp the krb5.keytab file to sp
>>
>> idp-process.log
>> 21:47:40.989 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] - kerberos idp servlet started
>> 21:47:40.990 - DEBUG [ch.SWITCH.aai.idp.kerberos.HttpNegotiator:72] - HTTP: Returning response code '401'. Authorization header not found.
>> 21:47:41.757 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] - kerberos idp servlet started
>> 21:47:41.758 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:156] - Authentication process error.
>>
>> Any clue will be appreciated.
>> Thanks
>> xinyi
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
> Mark Pröhl [email protected] www.kerberos-buch.de
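The two checks recommended in this thread (the keytab must be readable by the IdP's own service user and by nobody else, and `kinit -k -t` followed by `kvno -k` must succeed against it) can be scripted so they are repeated the same way on every IdP. The script below is an added example, not code from either poster. It assumes a Linux host with GNU `stat` and MIT Kerberos `kinit`/`kvno`; the service user name, keytab path and principal passed on the command line are placeholders for your own deployment (the thread's values `tomcat` and `HTTP/idp.aa.com` are used in the usage comment).

```shell
#!/bin/sh
# Keytab sanity check for a Kerberos-enabled Shibboleth IdP.
# Added example (not from the mailing-list thread). Assumes Linux (GNU stat)
# and MIT Kerberos kinit/kvno on the IdP host.

# check_keytab_perms PATH OWNER
# Succeeds only if PATH is a regular file owned by OWNER whose mode grants
# no group/other permission bits (e.g. 0400 or 0600). Prints the reason and
# returns 1 otherwise. This is the "readable by the IdP, and only the IdP"
# rule from the thread, expressed as a test that can run from cron or CI.
check_keytab_perms() {
  kt="$1"; want_owner="$2"
  [ -f "$kt" ] || { echo "no such keytab: $kt"; return 1; }
  mode=$(stat -c '%a' "$kt")
  owner=$(stat -c '%U' "$kt")
  if [ "$owner" != "$want_owner" ]; then
    echo "$kt is owned by $owner, expected $want_owner"
    return 1
  fi
  # 0$mode is an octal literal; 077 masks the group and other bits.
  if [ $(( 0$mode & 077 )) -ne 0 ]; then
    echo "$kt has mode $mode; group and other must have no access"
    return 1
  fi
  return 0
}

# verify_keytab_entry PATH PRINCIPAL
# Runs the two commands from the thread, but inside a throw-away credential
# cache so the invoking user's own tickets are not overwritten. kvno -k
# fetches a service ticket for PRINCIPAL and decrypts it with the keytab;
# MIT kvno prints "keytab entry valid" when key and kvno match.
verify_keytab_entry() {
  kt="$1"; princ="$2"
  cc=$(mktemp) || return 1
  if ( KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
       kinit -k -t "$kt" "$princ" && kvno -k "$kt" "$princ" ); then
    rc=0
  else
    rc=1
  fi
  rm -f "$cc"
  return $rc
}

# Usage (paths are placeholders for your deployment):
#   sh keytab-check.sh /etc/idp/idp.keytab tomcat HTTP/idp.aa.com
if [ "$#" -eq 3 ]; then
  check_keytab_perms "$1" "$2" && verify_keytab_entry "$1" "$3" && echo "keytab OK"
fi
```

Run it as the IdP's service user rather than root: that proves the IdP process itself can read the file, which is exactly the failure mode the thread describes when the keytab is left at /etc/krb5.keytab with root-only permissions.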
