Hello,
I am trying to configure SPNego with the "SPNego wizard" on EP 7.0 SPS11.
But I have a big issue:
<i>
Refreshing Keytab
>>>KinitOptions cache name is C:\Documents and Settings\XA70316ADM\krb5cc_XA70316ADM
>> Acquire default native Credentials
>>> LSA contains TGT for XA70316ADM@MYDOMAIN.CORP not svc-appl-j2ee-qp1-eu@MYDOMAIN.CORP
Principal is svc-appl-j2ee-qp1-eu@MYDOMAIN.CORP
null credentials from Ticket Cache
>>> KeyTabInputStream, readName(): MYDOMAIN.CORP
>>> KeyTabInputStream, readName(): svc-appl-j2ee-qp1-eu
>>> KeyTab: load() entry length: 65; type: 3
principal's key obtained from the keytab
principal is svc-appl-j2ee-qp1-eu@MYDOMAIN.CORP
>>> EType: sun.security.krb5.internal.crypto.DesCbcMd5EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbAsReq etypes are: 1
>>> KrbKdcReq send: kdc=sma2001.mydomain.corp UDP:88, timeout=30000, number of retries =3, #bytes=250
>>> KDCCommunication: kdc=sma2001.mydomain.corp UDP:88, timeout=30000,Attempt =1, #bytes=250
>>> KrbKdcReq send: #bytes read=192
>>> KrbKdcReq send: #bytes read=192
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Tue Aug 28 15:44:57 CEST 2007 1188308697000
suSec is 301117
error code is 24
error Message is Pre-authentication information was invalid
realm is MYDOMAIN.CORP
sname is krbtgt/MYDOMAIN.CORP
eData provided.
[Krb5LoginModule] authentication failed Pre-authentication information was invalid (24)
Error creating GSS context.
[EXCEPTION]
GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:189)
at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Krb5AcceptCredential.java:80)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:75)
at sun.security.jgss.GSSManagerImpl.getCredentialElement(GSSManagerImpl.java:149)
at sun.security.jgss.GSSCredentialImpl.add(GSSCredentialImpl.java:334)
at sun.security.jgss.GSSCredentialImpl.<init>(GSSCredentialImpl.java:44)
at sun.security.jgss.GSSManagerImpl.createCredential(GSSManagerImpl.java:102)
at com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ServerTest.createGSSContext(Krb5ServerTest.java:104)
at com.sap.engine.config.diagtool.tests.authentication.krb.Krb5ServerTest.execute(Krb5ServerTest.java:75)
at com.sap.engine.config.diagtool.Task.execute(Task.java:55)
at com.sap.engine.config.diagtool.Launcher.run(Launcher.java:343)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at com.sap.engine.config.diagtool.Launcher.main(Launcher.java:394)
Caused by: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:585)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:475)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at sun.security.jgss.LoginUtility.run(LoginUtility.java:57)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5AcceptCredential.getKeyFromSubject(Krb5AcceptCredential.java:186)
... 15 more
Caused by: KrbException: Pre-authentication information was invalid (24)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:67)
at sun.security.krb5.KrbAsReq.getReply(DashoA12275:315)
at sun.security.krb5.Credentials.acquireTGT(DashoA12275:361)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:576)
... 29 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.ah.a(DashoA12275:134)
at sun.security.krb5.internal.av.a(DashoA12275:63)
at sun.security.krb5.internal.av.<init>(DashoA12275:58)
at sun.security.krb5.KrbAsRep.<init>(DashoA12275:53)
... 32 more
Acquire credential failed for realm MYDOMAIN.CORP
</i>
I tried to select the option "Do not require Kerberos preauthentication" in the Active Directory user properties, but it is still the same!
Does anybody know how to solve this?
Regards,
Chris