Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-03 Thread Prashant Bapat
I guess I was looking at this wrongly!

Simo, you're right! Java and Kerberos won't work!

However password+OTP against LDAP server directly works! I can use that!

Thanks for your help!

On 3 March 2016 at 14:40, Prashant Bapat  wrote:

> Thanks.
>
> Let me figure out possible alternatives.
>
> On 3 March 2016 at 00:20, Simo Sorce  wrote:
>
>>
>>
>> On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
>> > Thanks. But my problem is not OTP per se but Kerberos thru Java.
>> > Specifically I'm getting the error below.
>> >
>> > javax.security.auth.login.LoginException: Pre-authentication information
>> > was invalid (24) - PREAUTH_FAILED
>> > at
>> >
>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
>> > Caused by: sun.security.krb5.KrbException: Pre-authentication
>> information
>> > was invalid (24) - PREAUTH_FAILED
>> > at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
>> > Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match
>> > expected value (906)
>> > at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>> >
>> > Any pointers ?
>>
>> Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features
>> and APIs (years behind). In this case what happens is that your Java
>> module probably does not support FAST preauth.
>>
>> > On 1 March 2016 at 21:01, Alexander Bokovoy 
>> wrote:
>> >
>> > > On Tue, 01 Mar 2016, Prashant Bapat wrote:
>> > >
>> > >> Hi,
>> > >>
>> > >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos
>> Authentication.
>> > >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use
>> case.
>> > >>
>> > >> I've installed ipa-client on a server and connected it to ipa.
>> Shibboleth
>> > >> is installed on this server and I'm able to get the Kerberos
>> > >> authentication
>> > >> working. Documented here
>> > >> <
>> > >>
>> https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration
>> > >> >
>> > >> .
>> > >>
>> > >> However if I bring OTP into picture, authentication fails. Error
>> message
>> > >> is
>> > >> like "Pre-authentication information was invalid (24) -
>> PREAUTH_FAILED".
>> > >>
>> > >> Any pointers on how to make OTP work?
>> > >>
>> > > http://www.freeipa.org/page/V4/OTP
>> > > http://www.freeipa.org/page/V4/OTP/Detail
>> > >
>> > > --
>> > > / Alexander Bokovoy
>> > >
>> > --
>> > Manage your subscription for the Freeipa-users mailing list:
>> > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > Go to http://freeipa.org for more info on the project
>>
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
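
Added example (not part of the original thread, and not Shibboleth or FreeIPA code): the password+OTP LDAP bind mentioned in the message above, done from Java with JNDI instead of Krb5LoginModule. The host name, base DN, the 6 to 8 digit token format and the password-followed-by-token-code credential are assumptions for illustration.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

public class IpaOtpBind {
    // Assumed values for illustration; replace with your deployment's own.
    static final String LDAP_URL = "ldaps://ipa.example.com:636";
    static final String USER_BASE = "cn=users,cn=accounts,dc=example,dc=com";

    /** True if the directory accepts password+OTP; outages propagate as NamingException. */
    static boolean authenticate(String uid, char[] password, String otp)
            throws NamingException {
        // An empty credential turns a simple bind into an anonymous bind,
        // which "succeeds" without proving anything: refuse it up front.
        if (uid == null || uid.isEmpty() || password == null || password.length == 0)
            return false;
        if (otp == null || !otp.matches("\\d{6,8}"))   // assumed token code format
            return false;
        // Rdn.escapeValue stops a crafted uid from altering the bind DN.
        String dn = "uid=" + Rdn.escapeValue(uid) + "," + USER_BASE;

        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);   // ldaps: a simple bind carries the secret as-is
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        // Assumption: the server expects the password followed by the token code.
        env.put(Context.SECURITY_CREDENTIALS, new String(password) + otp);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");

        InitialDirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);      // the bind happens here
            return true;
        } catch (AuthenticationException e) {      // LDAP result 49: invalid credentials
            return false;
        } finally {
            if (ctx != null) ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        String uid = System.console().readLine("User: ");
        char[] pw = System.console().readPassword("Password: ");
        String otp = System.console().readLine("Token code: ");
        System.out.println(authenticate(uid, pw, otp) ? "accepted" : "rejected");
    }
}
```
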

Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-03 Thread Prashant Bapat
Thanks.

Let me figure out possible alternatives.

On 3 March 2016 at 00:20, Simo Sorce  wrote:

>
>
> On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
> > Thanks. But my problem is not OTP per se but Kerberos thru Java.
> > Specifically I'm getting the error below.
> >
> > javax.security.auth.login.LoginException: Pre-authentication information
> > was invalid (24) - PREAUTH_FAILED
> > at
> >
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
> > Caused by: sun.security.krb5.KrbException: Pre-authentication information
> > was invalid (24) - PREAUTH_FAILED
> > at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
> > Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match
> > expected value (906)
> > at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
> >
> > Any pointers ?
>
> Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features
> and APIs (years behind). In this case what happens is that your Java
> module probably does not support FAST preauth.
>
> > On 1 March 2016 at 21:01, Alexander Bokovoy  wrote:
> >
> > > On Tue, 01 Mar 2016, Prashant Bapat wrote:
> > >
> > >> Hi,
> > >>
> > >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos
> Authentication.
> > >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use
> case.
> > >>
> > >> I've installed ipa-client on a server and connected it to ipa.
> Shibboleth
> > >> is installed on this server and I'm able to get the Kerberos
> > >> authentication
> > >> working. Documented here
> > >> <
> > >>
> https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration
> > >> >
> > >> .
> > >>
> > >> However if I bring OTP into picture, authentication fails. Error
> message
> > >> is
> > >> like "Pre-authentication information was invalid (24) -
> PREAUTH_FAILED".
> > >>
> > >> Any pointers on how to make OTP work?
> > >>
> > > http://www.freeipa.org/page/V4/OTP
> > > http://www.freeipa.org/page/V4/OTP/Detail
> > >
> > > --
> > > / Alexander Bokovoy
> > >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>

Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-02 Thread Simo Sorce


On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
> Thanks. But my problem is not OTP per se but Kerberos thru Java.
> Specifically I'm getting the error below.
> 
> javax.security.auth.login.LoginException: Pre-authentication information
> was invalid (24) - PREAUTH_FAILED
> at
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
> Caused by: sun.security.krb5.KrbException: Pre-authentication information
> was invalid (24) - PREAUTH_FAILED
> at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
> Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match
> expected value (906)
> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
> 
> Any pointers ?

Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features
and APIs (years behind). In this case what happens is that your Java
module probably does not support FAST preauth.

> On 1 March 2016 at 21:01, Alexander Bokovoy  wrote:
> 
> > On Tue, 01 Mar 2016, Prashant Bapat wrote:
> >
> >> Hi,
> >>
> >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
> >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
> >>
> >> I've installed ipa-client on a server and connected it to ipa. Shibboleth
> >> is installed on this server and I'm able to get the Kerberos
> >> authentication
> >> working. Documented here
> >> <
> >> https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration
> >> >
> >> .
> >>
> >> However if I bring OTP into picture, authentication fails. Error message
> >> is
> >> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
> >>
> >> Any pointers on how to make OTP work?
> >>
> > http://www.freeipa.org/page/V4/OTP
> > http://www.freeipa.org/page/V4/OTP/Detail
> >
> > --
> > / Alexander Bokovoy
> >
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-02 Thread Alexander Bokovoy

On Wed, 02 Mar 2016, Prashant Bapat wrote:

> Thanks. But my problem is not OTP per se but Kerberos thru Java.
> Specifically I'm getting the error below.
>
> javax.security.auth.login.LoginException: Pre-authentication information
> was invalid (24) - PREAUTH_FAILED
> at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
> Caused by: sun.security.krb5.KrbException: Pre-authentication information
> was invalid (24) - PREAUTH_FAILED
> at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
> Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match
> expected value (906)
> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>
> Any pointers ?

Read the page, please. It has all the details of what you need to implement
-- most importantly, you need to implement FAST channel support.



> On 1 March 2016 at 21:01, Alexander Bokovoy  wrote:
>
>> On Tue, 01 Mar 2016, Prashant Bapat wrote:
>>
>>> Hi,
>>>
>>> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
>>> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
>>>
>>> I've installed ipa-client on a server and connected it to ipa. Shibboleth
>>> is installed on this server and I'm able to get the Kerberos authentication
>>> working. Documented here
>>> <https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration>.
>>>
>>> However if I bring OTP into picture, authentication fails. Error message is
>>> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
>>>
>>> Any pointers on how to make OTP work?
>>>
>> http://www.freeipa.org/page/V4/OTP
>> http://www.freeipa.org/page/V4/OTP/Detail
>>
>> --
>> / Alexander Bokovoy
>>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project



--
/ Alexander Bokovoy



Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-02 Thread Prashant Bapat
Thanks. But my problem is not OTP per se but Kerberos thru Java.
Specifically I'm getting the error below.

javax.security.auth.login.LoginException: Pre-authentication information
was invalid (24) - PREAUTH_FAILED
at
com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
Caused by: sun.security.krb5.KrbException: Pre-authentication information
was invalid (24) - PREAUTH_FAILED
at sun.security.krb5.KrbAsRep.(KrbAsRep.java:82)
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match
expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)

Any pointers ?

On 1 March 2016 at 21:01, Alexander Bokovoy  wrote:

> On Tue, 01 Mar 2016, Prashant Bapat wrote:
>
>> Hi,
>>
>> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
>> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
>>
>> I've installed ipa-client on a server and connected it to ipa. Shibboleth
>> is installed on this server and I'm able to get the Kerberos
>> authentication
>> working. Documented here
>> <
>> https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration
>> >
>> .
>>
>> However if I bring OTP into picture, authentication fails. Error message
>> is
>> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
>>
>> Any pointers on how to make OTP work?
>>
> http://www.freeipa.org/page/V4/OTP
> http://www.freeipa.org/page/V4/OTP/Detail
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Kerberos authentication from a third party app - Shibboleth

2016-03-01 Thread Alexander Bokovoy

On Tue, 01 Mar 2016, Prashant Bapat wrote:

> Hi,
>
> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
>
> I've installed ipa-client on a server and connected it to ipa. Shibboleth
> is installed on this server and I'm able to get the Kerberos authentication
> working. Documented here
> <https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration>.
>
> However if I bring OTP into picture, authentication fails. Error message is
> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
>
> Any pointers on how to make OTP work?

http://www.freeipa.org/page/V4/OTP
http://www.freeipa.org/page/V4/OTP/Detail

--
/ Alexander Bokovoy
