Server not found in Kerberos database (7)


Server not found in Kerberos database (7)

Rich Thomas
Migrating from Shibboleth 2.x to 3.2. IDP server is Windows. Java jre1.8.0_66. I'm using Kerberos for logon page authentication. I have a new keytab generated for the 3.2 test server with krb5.ini, krb5-authn-config.xml and password-authn-config.xml configured. When I authenticate against the IDP, I receive "Login Failure: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))". When I look in the Active Directory security logs I have a successful pre-authentication logon. The IDP host name is in our DNS.

Here is how I'm pointing to the keytab file in krb5-authn-config.xml. Not sure if syntax is correct?

 <bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" c:_0="%{idp.home}/credentials/aridp01-test.keytab" />

Also tried the absolute path c:_0="C:\Program Files (x86)\Shibboleth\IdP\credentials\aridp01-test.keytab", with forward slashes and backslashes.

Here is the error in the process log.

2015-12-10 09:47:54,127 - WARN [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstKerberos:215] - Profile Action ValidateUsernamePasswordAgainstKerberos: Login by <username> failed during GSS context establishment to verify KDC
org.ietf.jgss.GSSException: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
        at sun.security.jgss.krb5.Krb5Context.initSecContext(Unknown Source)
Caused by: sun.security.krb5.KrbException: Server not found in Kerberos database (7)
        at sun.security.krb5.KrbTgsRep.<init>(Unknown Source)
Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
        at sun.security.krb5.internal.KDCRep.init(Unknown Source)

Re: Server not found in Kerberos database (7)

Rich Thomas
Missed populating SERVICE/principal:

 <bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" c:_0="shibboleth/serviceaccount.company.com@COMPANY.COM" />
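
Added example, not part of the original posts or of Shibboleth's own code: a pre-flight check of krb5-authn-config.xml content for the omission described in the reply above, where the keytab bean was set but the ServicePrincipal bean was not. The function name `check_krb5_config`, the inline sample XML and the `service/host@REALM` shape test are assumptions of this example; the bean ids and values are the ones quoted in the thread.

```python
import re
import xml.etree.ElementTree as ET

BEANS_NS = "{http://www.springframework.org/schema/beans}"
C_ARG0 = "{http://www.springframework.org/schema/c}_0"   # Spring c-namespace, c:_0
KEYTAB_ID = "shibboleth.authn.Krb5.Keytab"
SPN_ID = "shibboleth.authn.Krb5.ServicePrincipal"
# Assumption: the principal follows the service/host@REALM shape used in the reply.
SPN_RE = re.compile(r"^[^/@\s]+/[^/@\s]+@[^/@\s]+$")


def check_krb5_config(xml_text):
    """Return a list of problems found in krb5-authn-config.xml content."""
    root = ET.fromstring(xml_text.strip())
    # Commented-out beans are invisible to the parser, so they count as missing.
    values = {}
    for bean in root.iter(BEANS_NS + "bean"):
        values[bean.get("id")] = (bean.get(C_ARG0) or "").strip()
    problems = []
    for bean_id in (KEYTAB_ID, SPN_ID):
        if bean_id not in values:
            problems.append(f"{bean_id}: bean missing or commented out")
        elif not values[bean_id]:
            problems.append(f"{bean_id}: c:_0 is empty")
    spn = values.get(SPN_ID)
    if spn and not SPN_RE.match(spn):
        problems.append(f"{SPN_ID}: '{spn}' is not service/host@REALM")
    return problems


# Constructed sample input built from the two bean definitions quoted in the thread.
HEADER = ('<beans xmlns="http://www.springframework.org/schema/beans" '
          'xmlns:c="http://www.springframework.org/schema/c">')
KEYTAB = ('<bean id="shibboleth.authn.Krb5.Keytab" class="java.lang.String" '
          'c:_0="%{idp.home}/credentials/aridp01-test.keytab" />')
SPN = ('<bean id="shibboleth.authn.Krb5.ServicePrincipal" class="java.lang.String" '
       'c:_0="shibboleth/serviceaccount.company.com@COMPANY.COM" />')
BROKEN = f"{HEADER}{KEYTAB}<!-- {SPN} --></beans>"   # state in the first post
FIXED = f"{HEADER}{KEYTAB}{SPN}</beans>"             # state after the reply

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_krb5_config(doc) or "OK")
```

The check only covers the configuration file; whether the principal is actually registered in Active Directory and matches the keytab still has to be verified on the KDC side.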