So I am trying to login as a user account called 'admin' among other users

As far as I can tell from websphere end 'admin' is being sent, although I
can't be sure if they append @EXAMPLE.COM or not
7/25/14 16:21:53:650 EDT] 000000bf FormLoginExte E   SECJ0118E:
Authentication error during authentication for user admin


What logs from ApacheDS would be useful to tell me more about what is
actually being received? (note I am currently locked out of my websphere
admin console, as it is trying to authenticate with kerberos now, which
isn't working!)


I see messages like this. I have a principal with uid=admin under the
default search DN, I don't know how to interpret that, but it seems like
ApacheDS finds the user in directory correctly...
[16:22:29] DEBUG
[org.apache.directory.server.core.authn.AbstractAuthenticator] -
Authenticating uid=admin,ou=users,dc=example,dc=com
[16:22:29] DEBUG
[org.apache.directory.server.core.authn.AbstractAuthenticator] -
uid=admin,ou=users,dc=example,dc=com Authenticated
[16:22:29] DEBUG [org.apache.directory.server.OPERATION_LOG] - <<
BindOperation successful
[16:22:29] DEBUG
[org.apache.directory.server.ldap.handlers.request.BindRequestHandler] -
Returned SUCCESS message: MessageType : BIND_RESPONSE
Message ID : 1
    BindResponse
        Ldap Result
            Result code : (SUCCESS) success
            Matched Dn : 'null'
            Diagnostic message : 'null'


Thanks


On Fri, Jul 25, 2014 at 4:46 PM, Kiran Ayyagari <[email protected]>
wrote:

> On Sat, Jul 26, 2014 at 2:10 AM, Brian Laskey <[email protected]>
> wrote:
>
> > Thanks all for the help. I am able to successfully use kinit on the linux
> > server to authenticate using my generated keytab file. It seemed that the
> > passwords were not working, but after editing all the passwords of my
> > principals and trying again everything started to work?
> >
> > bash-4.1$ env
> > KRB5_CONFIG=/opt/IBM/WebSphere/V8.5/AppServer/etc/krb5/apacheds-krb.conf
> > kinit -V -k -t /opt/IBM/WebSphere/V8.5/AppServer/etc/krb5/apacheds.keytab
> > was/[email protected]
> > Using default cache: /tmp/krb5cc_13553
> > Using principal: was/[email protected]
> > Using keytab: /opt/IBM/WebSphere/V8.5/AppServer/etc/krb5/apacheds.keytab
> > Authenticated to Kerberos v5
> >
> >
> > Unfortunately, I am now stuck with WebSphere errors on log in:
> > com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper.login ProbeId:554
> > Reporter:com.ibm.ws.security.auth.kerberos.Krb5LoginModuleWrapper@84ff01dd
> > javax.security.auth.login.FailedLoginException: Login error:
> > com.ibm.security.krb5.KrbException, status code: 29
> >     message: A service is not available
> >     at com.ibm.security.jgss.i18n.I18NException.throwFailedLoginException(I18NException.java:30)
> >     at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:719)
> >     at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:742)
> >     at com.ibm.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:25)
> >
> >
> > In ApacheDS debug logs, I see this exception corresponding to the login
> > attempt in websphere:
> >
> > [16:16:55] ERROR
> > [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] -
> > ERR_152 Unexpected exception: 1
> > java.lang.ArrayIndexOutOfBoundsException: 1
> >     at sun.security.krb5.PrincipalName.<init>(Unknown Source)
> >
> looks like a bad principal name was sent or a bug in parsing code in
> ApacheDS
> what is the principal that websphere is sending?
>
> >     at javax.security.auth.kerberos.KerberosPrincipal.<init>(Unknown Source)
> >     at org.apache.directory.shared.kerberos.KerberosUtils.getKerberosPrincipal(KerberosUtils.java:312)
> >     at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.getClientEntry(AuthenticationService.java:169)
> >     at org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService.execute(AuthenticationService.java:122)
> >     at org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler.messageReceived(KerberosProtocolHandler.java:206)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:690)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
> >     at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:407)
> >     at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:236)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)
> >     at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)
> >     at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)
> >     at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.readHandle(AbstractPollingConnectionlessIoAcceptor.java:701)
> >     at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.processReadySessions(AbstractPollingConnectionlessIoAcceptor.java:670)
> >     at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor.access$800(AbstractPollingConnectionlessIoAcceptor.java:61)
> >     at org.apache.mina.core.polling.AbstractPollingConnectionlessIoAcceptor$Acceptor.run(AbstractPollingConnectionlessIoAcceptor.java:607)
> >     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> >     at java.lang.Thread.run(Unknown Source)
> >
> > Although later I do see SUCCESS messages in the logs for that same user
> > request
> >
> > [16:16:55] DEBUG
> > [org.apache.directory.server.ldap.handlers.request.BindRequestHandler] -
> > Returned SUCCESS message: MessageType : BIND_RESPONSE
> > ...
> > [16:16:55] DEBUG [org.apache.directory.server.OPERATION_LOG] - <<
> > UnbindOperation successful
> > ...
> >
> >
> >
> >
> > On Fri, Jul 25, 2014 at 3:14 PM, Brian Laskey <[email protected]>
> > wrote:
> >
> > > > the default enctypes are
> > > > aes128-cts-hmac-sha1-96
> > > > des3-cbc-sha1-kd
> > > > des-cbc-md5
> > > > what error are you getting? the preauth error?
> > > If I set my conf file to only:
> > >
> > >      default_tkt_enctypes = aes128-cts-hmac-sha1-96
> > >      default_tgs_enctypes = aes128-cts-hmac-sha1-96
> > >
> > > And only check that off in the Kerberos setting page of ApacheDS
> > >
> > > I get this in kinit (on linux)  for any user I've tried, with either
> > > manually typing password or keytab file
> > >
> > > kinit: Password incorrect while getting initial credentials
> > >
> > > I think I was seeing encryption type not supported by server error if I
> > > checked the RC4-HMAC box in ApacheDS and put that in my conf.
> > >
> > >
> > > > I would suggest to first test with kinit(to rule out any non-Studio
> > > > related issues), and
> > > > once this succeeds we can try with Studio
> > >
> > > I agree. But I can't seem to figure out why the password incorrect error
> > > is coming up?
> > >
> > >
> > > On Fri, Jul 25, 2014 at 2:44 PM, Kiran Ayyagari <[email protected]>
> > > wrote:
> > >
> > >> On Sat, Jul 26, 2014 at 12:00 AM, Brian Laskey <
> [email protected]>
> > >> wrote:
> > >>
> > >> > What are the supported encryption types for ApacheDS?
> > >> >
> > >> > the default enctypes are
> > >> aes128-cts-hmac-sha1-96
> > >> des3-cbc-sha1-kd
> > >> des-cbc-md5
> > >>
> > >>
> > >> > I've had some issues on the Linux side with kinit, I had configured
> my
> > >> > krb.conf file with:
> > >> >     default_tkt_enctypes = aes128-cts-hmac-sha1-96
> > >> >     default_tgs_enctypes = aes128-cts-hmac-sha1-96
> > >> >
> > >> > And tried checking that off only in the Kerberos settings of Studio.
> > >> Didn't
> > >> > seem to solve the password error with kinit. If I tried other
> > enctypes I
> > >> >
> > >> what error are you getting? the preauth error?
> > >>
> > >> > got other errors like encryption type not supported. E.g. had problems with
> > >> > below, not sure if it's the cause of my issues.
> > >> >     #default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5 aes128-cts
> > >> > des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
> > >> >     #default_tgs_enctypes = des3-cbc-sha1 des-cbc-md5 aes128-cts
> > >> > des3-cbc-sha1-kd aes128-cts-hmac-sha1-96
> > >> >
> > >> > I can try to install Studio on my red hat linux server, but that
> only
> > >> has
> > >> > IBM JDK 6 on it if that matters.
> > >> >
> > >> > I would suggest to first test with kinit(to rule out any non-Studio
> > >> related issues), and
> > >> once this succeeds we can try with Studio
> > >>
> > >> > Thanks
> > >> > Brian
> > >> >
> > >> >
> > >> > On Fri, Jul 25, 2014 at 2:23 PM, Kiran Ayyagari <
> [email protected]
> > >
> > >> > wrote:
> > >> >
> > >> > > On Fri, Jul 25, 2014 at 11:50 PM, Brian Laskey <
> > >> [email protected]>
> > >> > > wrote:
> > >> > >
> > >> > > > Apologies for the multiple emails, but if I change Directory
> > Studio
> > >> vm
> > >> > to
> > >> > > >
> > >> > > np, feel free to post
> > >> > >
> > >> > > > Sun/Oracle jdk1.6.0_31\jre\bin I get a different exception in
> > >> logging
> > >> > in
> > >> > > > with Kerberos or using the 'Check Authentication' button.
> > >> > > >
> > >> > > >  can you try with Studio on Linux/Unix? I suspect that RC4 is
> > being
> > >> > used
> > >> > > on Windows
> > >> > > box (RC4 encryption type is not yet supported in ApacheDS)
> > >> > >
> > >> > > > I don't seem to see any errors in apacheds.log
> > >> > > >
> > >> > > >
> > >> > > > Error while opening connection
> > >> > > >  - *javax.security.auth.login.LoginException: Checksum failed*
> > >> > > > org.apache.directory.api.ldap.model.exception.LdapException:
> > >> > > > javax.security.auth.login.LoginException: Checksum failed
> > >> > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1535)
> > >> > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1421)
> > >> > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
> > >> > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
> > >> > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
> > >> > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:306)
> > >> > > >     at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
> > >> > > >     at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
> > >> > > >     at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
> > >> > > > Caused by: javax.security.auth.login.LoginException: Checksum failed
> > >> > > >     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
> > >> > > >     at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
> > >> > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >> > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> > >> > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> > >> > > >     at java.lang.reflect.Method.invoke(Method.java:597)
> > >> > > >     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
> > >> > > >     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
> > >> > > >     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
> > >> > > >     at java.security.AccessController.doPrivileged(Native Method)
> > >> > > >     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> > >> > > >     at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
> > >> > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1522)
> > >> > > >     ... 8 more
> > >> > > > Caused by: KrbException: Checksum failed
> > >> > > >     at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:85)
> > >> > > >     at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:77)
> > >> > > >     at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
> > >> > > >     at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:87)
> > >> > > >     at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:446)
> > >> > > >     at sun.security.krb5.Credentials.sendASRequest(Credentials.java:401)
> > >> > > >     at sun.security.krb5.Credentials.acquireTGT(Credentials.java:350)
> > >> > > >     at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
> > >> > > >     ... 20 more
> > >> > > > Caused by: java.security.GeneralSecurityException: Checksum failed
> > >> > > >     at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)
> > >> > > >     at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)
> > >> > > >     at sun.security.krb5.internal.crypto.Aes128.decrypt(Aes128.java:59)
> > >> > > >     at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:83)
> > >> > > >     ... 27 more
> > >> > > >
> > >> > > > javax.security.auth.login.LoginException: Checksum failed
> > >> > > >
> > >> > > >
> > >> > > > On Fri, Jul 25, 2014 at 2:06 PM, Brian Laskey <
> > >> [email protected]>
> > >> > > > wrote:
> > >> > > >
> > >> > > > >
> > >> > > > > I appreciate the help with this. I am new to ApacheDS and Kerberos.
> > >> > > > >
> > >> > > > > I have now tried that tutorial (of course I hadn't got that far, I was
> > >> > > > > trying the tutorial before it, 4.1 - Authenticate with kinit on Linux!)
> > >> > > > >
> > >> > > > > Adding krbtgt/[email protected] SOLVES the "Server not found in the
> > >> > > > > Kerberos database while getting initial credentials" error with kinit. So
> > >> > > > > that's good.
> > >> > > > >
> > >> > > > > However, now in kinit I get a new error for any principal I try (either
> > >> > > > > using my generated keytab or by typing in the password).
> > >> > > > > Verbose output of kinit -V [email protected]
> > >> > > > > Using default cache: /tmp/krb5cc_13553
> > >> > > > > Using principal: [email protected]
> > >> > > > > Password for [email protected]:
> > >> > > > > kinit: Password incorrect while getting initial credentials
> > >> > > > >
> > >> > > > > I am trying kinit on a linux machine.
> > >> > > > >
> > >> > > > > On a separate Windows 7 machine, I have Apache Directory Studio. Following
> > >> > > > > the tutorial as best I can (Kerberos settings tab seems subtly different
> > >> > > > > than the screens I see on Apache Directory Studio 2.0.0.v20130628 / Win7 /
> > >> > > > > IBM Java 1.7 JRE)
> > >> > > > >
> > >> > > > > After I set up krbtgt and ldap principals, when I try to connect as one of
> > >> > > > > my principals using Apache directory Studio I get this exception:
> > >> > > > >
> > >> > > > > Error while opening connection
> > >> > > > >  - java.lang.IllegalArgumentException
> > >> > > > > org.apache.directory.api.ldap.model.exception.LdapException:
> > >> > > > > java.lang.IllegalArgumentException
> > >> > > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1535)
> > >> > > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1421)
> > >> > > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$2.run(DirectoryApiConnectionWrapper.java:447)
> > >> > > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
> > >> > > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.doBind(DirectoryApiConnectionWrapper.java:460)
> > >> > > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.bind(DirectoryApiConnectionWrapper.java:306)
> > >> > > > >     at org.apache.directory.studio.connection.core.jobs.OpenConnectionsRunnable.run(OpenConnectionsRunnable.java:114)
> > >> > > > >     at org.apache.directory.studio.connection.core.jobs.StudioConnectionJob.run(StudioConnectionJob.java:109)
> > >> > > > >     at org.eclipse.core.internal.jobs.Worker.run(Worker.java:54)
> > >> > > > > Caused by: java.lang.IllegalArgumentException
> > >> > > > >     at javax.security.auth.login.AppConfigurationEntry.<init>(AppConfigurationEntry.java:84)
> > >> > > > >     at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$InnerConfiguration.getAppConfigurationEntry(DirectoryApiConnectionWrapper.java:1222)
> > >> > > > >     at javax.security.auth.login.LoginContext.init(LoginContext.java:269)
> > >> > > > >     at javax.security.auth.login.LoginContext.<init>(LoginContext.java:427)
> > >> > > > >     at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1520)
> > >> > > > >     ... 8 more
> > >> > > > >
> > >> > > > > java.lang.IllegalArgumentException
> > >> > > > >
> > >> > > > >
> > >> > > > > Seems like no matter which way I go I am finding all the
> > hurdles.
> > >> > > > >
> > >> > > > > Thank you,
> > >> > > > > Brian
> > >> > > > >
> > >> > > > > On Fri, Jul 25, 2014 at 12:12 PM, Emmanuel Lécharny <
> > >> > > [email protected]
> > >> > > > >
> > >> > > > > wrote:
> > >> > > > >
> > >> > > > >> Le 25/07/2014 17:19, Brian Laskey a écrit :
> > >> > > > >> > Actually, I solved the "Additional pre-authentication required" error by
> > >> > > > >> > Opening Configuration on my ApacheDS server with Directory Studio, on the
> > >> > > > >> > Kerberos Server tab, uncheck Require Pre-Authentication By Encrypted
> > >> > > > >> > TimeStamp check box under Ticket Settings.
> > >> > > > >> >
> > >> > > > >> >
> > >> > > > >> > Now I receive a different error with kinit using the same keytab and conf
> > >> > > > >> > file:
> > >> > > > >> > kinit: Server not found in Kerberos database while getting initial
> > >> > > > >> > credentials
> > >> > > > >> >
> > >> > > > >> >
> > >> > > > >> > Should I create a principal krbtgt manually?
> > >> > > > >>
> > >> > > > >> I think so.
> > >> > > > >>
> > >> > > > >> Have you followed the tutorial on
> > >> > > > >> http://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html ?
> > >> > > > >>
> > >> > > > >>
> > >> > > > >
> > >> > > >
> > >> > >
> > >> > >
> > >> > >
> > >> > > --
> > >> > > Kiran Ayyagari
> > >> > > http://keydap.com
> > >> > >
> > >> >
> > >>
> > >>
> > >>
> > >> --
> > >> Kiran Ayyagari
> > >> http://keydap.com
> > >>
> > >
> > >
> >
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
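
Added example, not part of the thread and not ApacheDS code: a check of the krb5.conf enctype settings discussed above against the default ApacheDS enctypes listed in the thread. The alias table assumes MIT krb5 naming on the client, and SAMPLE_CONF is constructed.

```python
import re

# Default ApacheDS enctypes as listed in the thread.
APACHEDS_DEFAULT_ENCTYPES = frozenset({
    "aes128-cts-hmac-sha1-96", "des3-cbc-sha1-kd", "des-cbc-md5",
})

# MIT krb5 alias names mapped to one canonical spelling (assumption: the
# client reading the file is MIT krb5; other clients may name types differently).
ALIASES = {
    "aes128-cts": "aes128-cts-hmac-sha1-96",
    "aes128-sha1": "aes128-cts-hmac-sha1-96",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes256-sha1": "aes256-cts-hmac-sha1-96",
    "des3-cbc-sha1": "des3-cbc-sha1-kd",
    "des3-hmac-sha1": "des3-cbc-sha1-kd",
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
}

# Single-DES types, deprecated for Kerberos by RFC 6649.
SINGLE_DES = frozenset({"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"})

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes")


def parse_libdefaults(conf_text):
    """Return the key/value pairs found in the [libdefaults] section."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or commented-out setting
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit_enctypes(conf_text, kdc_enctypes=APACHEDS_DEFAULT_ENCTYPES):
    """Compare the client's enctype lists with what the KDC offers."""
    settings = parse_libdefaults(conf_text)
    report = {}
    for key in ENCTYPE_KEYS:
        if key not in settings:
            continue  # not set: the client uses its built-in defaults
        names = [ALIASES.get(n.lower(), n.lower())
                 for n in re.split(r"[,\s]+", settings[key]) if n]
        report[key] = {
            "usable": [n for n in names if n in kdc_enctypes],
            "unsupported": [n for n in names if n not in kdc_enctypes],
            "single_des": [n for n in names if n in SINGLE_DES],
        }
    return report


# Constructed sample modelled on the settings quoted in the thread.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # default_tkt_enctypes = des3-cbc-sha1 des-cbc-md5
    default_tkt_enctypes = rc4-hmac aes128-cts
    default_tgs_enctypes = des-cbc-md5, des3-cbc-sha1
"""

if __name__ == "__main__":
    for key, result in audit_enctypes(SAMPLE_CONF).items():
        print(key, result)
```

An empty "usable" list for a setting means the client and KDC share no enctype for that exchange; a non-empty "single_des" list marks a setting that still permits single DES.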
