[IMPORTANT] Kerberos Issue : Pre Authentication failed (Error Code 24) with SAM account / No error with UPN account
Bornil Bruno bb (DBB)
bruno.bb.bornil at dexia.be
Thu Nov 22 07:16:49 EST 2007
Hello,
I'm a Business Intelligence consultant working on Business Objects
products and the last one: BusinessObjects Enterprise XI Release 2 (BOE
XI-R2).
The BOE XI-R2 product allows to set up Active Directory, LDAP, NT
authentications mechanisms (and also additionally SSO).
I have to set up Single Sign On on BOE XI-R2 products and I did it
successfully several times (on LDAP, AD and NT).
On a specific project, the SSO (using Kerberos with Active Directory)
does not work and we have difficulties to identify why it is not
working...
The Kerberos authentication is done through a JVM (1.4.2) and we can
test it using "kinit" utility. We setup the krb5.ini and all files
correctly.
Here are the content of the krb5.ini file:
[logging]
default = CONSOLE
kdc = CONSOLE
admin_server = CONSOLE
[libdefaults]
default_realm = DBB.INT.DEXWIRED.NET
dns_lookup_kdc = true
dns_lookup_realm = true
kdc_timeout = 30000
[realms]
DBB.INT.DEXWIRED.NET = {
kdc = DLU0SINF001P.DBB.INT.DEXWIRED.NET
default_domain = DBB.INT.DEXWIRED.NET
}
Note: We try to use logging with this syntax : default =
FILE:C:/WINNT/default.log, but no logs were generated ! And CONSOLE
outputs nothing on Windows.
If we use kinit with a SAM account, we get an error code 24 (pre
authentication failed).
If we use kinit with an UPN account (for the same user account), we
succeed to authenticate a user.
Can you give me some information about how is done the authentication
mechanism.
Is that possible to specify to the JVM that we want to authenticate
users with SAM rather UPN, and How ?
Have you any idea and suggestions, please ?
Thanks for your help.
Regards,
Bruno.
--------------------------------------
Dexia Bank disclaimer:
http://www.dexia.be/maildisclaimer.htm
--------------------------------------
More information about the Kerberos
mailing list