on 08-28-2014 6:34 PM
Hello,
We have recently had an issue with Windows AD authentication after several DCs were decommissioned at our company. We have two domains; for this thread we will call domain 1 Alpha and domain 2 Beta. Absolutely nothing was changed in the BO config. Everyone was working fine yesterday. Users from DC Alpha have no issues with AD authentication; however, users from domain Beta get
We are sure there is a reference to a decommissioned DC somewhere in the config but we cannot find it. Does anyone have a clue as to where these references are located? Or are we barking up the wrong tree since LDAP is not used? Thank you in advance for your input.
Check your krb5.ini file in either c:\windows or if using older docs it would have been c:\winnt on the server.
-Josh
Hi Josh,
We finally tested login this morning for the Bravo domain. For some odd reason they are still getting the same login error. This is a clustered configuration. I did find a krb5.ini file on both servers and made the change. Do we need to restart the CMS db as well? Stuck.. Thank you.
You should only need to restart the web app server; Tomcat is the default.
You can always go to the bin directory of the JRE being used for your web app server and run the kinit command to verify krb5.ini settings: kinit user@DOMAIN.COM
Also, enabling Kerberos logs or collecting a Wireshark trace on the web app server can show a bit more. Logs: How to enable Kerberos event logging
Thank you Josh, here is what we get for the failed user.
D:\Business Objects\javasdk\jre\bin>kinit preis@KAPLANINC.COM
Password for user@BRAVO.COM:@@@@@@@
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:66)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:486)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:444)
at sun.security.krb5.internal.tools.Kinit.sendASRequest(Kinit.java:310)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:259)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:106)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:133)
at sun.security.krb5.internal.ASRep.init(ASRep.java:58)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:50)
... 5 more
D:\Business Objects\javasdk\jre\bin>
Hello,
For today's reader, in 2016: don't use RC4 as the Kerberos encryption algorithm!
See:
Kerberos(SSO): throw RC4 away, adopt AES!
Regards,
Stéphane
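The two things Josh and Stéphane point at in this thread (a krb5.ini that still names a decommissioned DC, and a krb5.ini that pins the JRE to RC4 so the KDC answers with KDC_ERR_ETYPE_NOSUPP, which is the "KDC has no support for encryption type (14)" kinit prints above) can both be caught by reading the file rather than hunting through it by eye. The script below is an added example for this thread, not code from any of the posters or from BusinessObjects. It parses a krb5.ini, reports kdc entries that are not in a list of DCs still in service, reports enctype settings that name RC4 or DES, and emits a corrected copy that drops the stale KDCs and switches the enctype lists to AES. The realm names, host names, the `LIVE_DCS` inventory and the sample file are all constructed for illustration; point it at your real krb5.ini and your real DC list.

```python
"""Audit a krb5.ini for stale KDC entries and RC4/DES enctype settings.

Added example for this thread, not code from the original posts or from
BusinessObjects.  Realm names, host names and the file content below are
constructed; replace LIVE_DCS with the DCs that actually remain in service.
"""
import re
from dataclasses import dataclass, field

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Enctypes to stop negotiating.  Asking a KDC for one it does not offer is what
# produces KDC_ERR_ETYPE_NOSUPP ("KDC has no support for encryption type (14)").
WEAK_ENCTYPES = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5", "rc4-hmac-md5",
                 "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1"}
PREFERRED_ENCTYPES = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")

# Constructed DC inventory: dc01.bravo.com is the decommissioned one.
LIVE_DCS = ["dc02.bravo.com", "dc01.alpha.com"]

# Constructed krb5.ini in the shape older BusinessObjects AD guides produced.
SAMPLE_KRB5_INI = """\
[libdefaults]
default_realm = BRAVO.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
udp_preference_limit = 1

[realms]
BRAVO.COM = {
    kdc = dc01.bravo.com
    kdc = dc02.bravo.com
    default_domain = bravo.com
}
ALPHA.COM = {
    kdc = dc01.alpha.com
    default_domain = alpha.com
}
"""


@dataclass
class Krb5Config:
    libdefaults: dict = field(default_factory=dict)  # key -> [values]
    realms: dict = field(default_factory=dict)       # REALM -> {key: [values]}


def _split_kv(line):
    key, sep, value = line.partition("=")
    return (key.strip().lower(), value.strip()) if sep else (None, None)


def _host(kdc):
    return kdc.split(":")[0].lower()  # drop an optional :port suffix


def parse_krb5(text):
    """Minimal krb5.ini reader: [section] headers, REALM = { ... } blocks and
    repeated keys (several kdc lines).  configparser cannot handle the brace
    blocks or the duplicate keys, hence the hand-rolled loop."""
    cfg, section, realm = Krb5Config(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1).lower(), None
            continue
        if section == "realms":
            block = re.fullmatch(r"([^\s=]+)\s*=\s*\{", line)
            if block:
                realm = block.group(1).upper()
                cfg.realms.setdefault(realm, {})
                continue
            if line == "}":
                realm = None
                continue
        key, value = _split_kv(line)
        if key is None:
            continue
        if section == "libdefaults":
            cfg.libdefaults.setdefault(key, []).append(value)
        elif section == "realms" and realm:
            cfg.realms[realm].setdefault(key, []).append(value)
    return cfg


def stale_kdcs(cfg, live_dcs):
    """{realm: [kdc, ...]} for kdc entries that are not in the live DC list."""
    live = {h.lower() for h in live_dcs}
    stale = {}
    for realm, keys in cfg.realms.items():
        bad = [k for k in keys.get("kdc", []) if _host(k) not in live]
        if bad:
            stale[realm] = bad
    return stale


def weak_enctypes(cfg):
    """{setting: [enctype, ...]} for libdefaults enctype lists naming RC4/DES."""
    findings = {}
    for key in ENCTYPE_KEYS:
        for value in cfg.libdefaults.get(key, []):
            bad = [e for e in value.split() if e.lower() in WEAK_ENCTYPES]
            if bad:
                findings.setdefault(key, []).extend(bad)
    return findings


def harden(text, live_dcs):
    """Return krb5.ini text with stale kdc lines dropped and every enctype list
    that names RC4/DES replaced by the AES list; all other lines are untouched."""
    live = {h.lower() for h in live_dcs}
    out = []
    for raw in text.splitlines():
        key, value = _split_kv(raw.strip())
        if key == "kdc" and _host(value) not in live:
            continue
        if key in ENCTYPE_KEYS and any(e.lower() in WEAK_ENCTYPES for e in value.split()):
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(f"{indent}{key} = {' '.join(PREFERRED_ENCTYPES)}")
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    cfg = parse_krb5(SAMPLE_KRB5_INI)
    print("stale kdc entries:", stale_kdcs(cfg, LIVE_DCS))
    print("weak enctypes:    ", weak_enctypes(cfg))
    print(harden(SAMPLE_KRB5_INI, LIVE_DCS))
```

Run it against the krb5.ini on each node of the cluster (the file lives where Josh said, c:\windows on current installs), then re-run kinit from the web app server's JRE as in the post above to confirm the AS exchange succeeds before restarting Tomcat. Two caveats go with the AES switch: the service account used for the BO SPN must have AES enabled in AD (the "This account supports Kerberos AES 128/256 bit encryption" flags, i.e. msDS-SupportedEncryptionTypes), and older JREs only negotiate aes256-cts-hmac-sha1-96 with the unlimited-strength JCE policy files installed, so on such a JRE a 256-only list fails the same way RC4 does here.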
You hit that one WAY out of the park on the first swing. I cannot thank you enough.