[IMPORTANT] Kerberos Issue : Pre Authentication failed (Error Code 24) with SAM account / No error with UPN account

Danny Mayer mayer at ntp.isc.org
Tue Nov 27 12:34:39 EST 2007


Bornil Bruno bb (DBB) wrote:
> Hello, 
> 
> 
> I'm a Business Intelligence consultant working on Business Objects
> products and the last one: BusinessObjects Enterprise XI Release 2 (BOE
> XI-R2). 
> The BOE XI-R2 product allows setting up Active Directory, LDAP, NT
> authentication mechanisms (and also additionally SSO). 
> I have to set up Single Sign On on BOE XI-R2 products and I did it
> successfully several times (on LDAP, AD and NT). 
> 
> On a specific project, the SSO (using Kerberos with Active Directory)
> does not work and we have difficulty identifying why it is not
> working... 
> 
> The Kerberos authentication is done through a JVM (1.4.2) and we can
> test it using "kinit" utility. We set up the krb5.ini and all files
> correctly.
> Here is the content of the krb5.ini file:
> [logging]
>    default = CONSOLE
>    kdc = CONSOLE
>    admin_server = CONSOLE
> 
> [libdefaults]
>    default_realm = DBB.INT.DEXWIRED.NET
>    dns_lookup_kdc = true
>    dns_lookup_realm = true
>    kdc_timeout = 30000
> 
> [realms]
>    DBB.INT.DEXWIRED.NET = {
>       kdc = DLU0SINF001P.DBB.INT.DEXWIRED.NET
>       default_domain = DBB.INT.DEXWIRED.NET
>    }
> 
> Note: We tried to use logging with this syntax:
> default = FILE:C:/WINNT/default.log, but no logs were generated! And
> CONSOLE outputs nothing on Windows. 
> 

This is a system directory so you need to make sure the account that's
running this has write access to that directory. A better strategy is to
create a different directory like C:\Kerberos and set the permissions on
that directory to allow the application to write there. You really
shouldn't be writing to WINNT at all.

Danny
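
A way to check the point made in the reply above, as an added example that is not part of the original thread: the script reads the `[logging]` section of a krb5.ini, extracts each `FILE` target, and tests whether the current account can actually create a file in that directory. Run it under the same account the application runs as; the `C:/Kerberos/kdc.log` entry in the sample is constructed for illustration.

```python
import os
import re
import tempfile

# Matches "key = FILE:path" (MIT krb5 also accepts "FILE=path") in [logging].
_FILE_TARGET = re.compile(r"^\s*(\w+)\s*=\s*FILE[:=](.+?)\s*$")

def logging_file_targets(krb5_text):
    """Return {key: path} for FILE targets in the [logging] section."""
    targets, section = {}, None
    for line in krb5_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].strip().lower()
            continue
        if section == "logging":
            m = _FILE_TARGET.match(stripped)
            if m:
                targets[m.group(1)] = m.group(2)
    return targets

def can_write_log(path):
    """True if the current account can create a file in the log's directory."""
    directory = os.path.dirname(path) or "."
    try:
        # Create a real file: os.access() is unreliable against Windows ACLs.
        with tempfile.NamedTemporaryFile(dir=directory):
            return True
    except OSError:
        return False

def check_logging(krb5_text):
    """Return {key: (path, writable)} for every FILE target."""
    return {k: (p, can_write_log(p))
            for k, p in logging_file_targets(krb5_text).items()}

# Constructed sample: the poster's entry plus one in a dedicated directory.
SAMPLE = """[logging]
   default = FILE:C:/WINNT/default.log
   kdc = FILE:C:/Kerberos/kdc.log
   admin_server = CONSOLE
[libdefaults]
   default_realm = DBB.INT.DEXWIRED.NET
"""

if __name__ == "__main__":
    for key, (path, ok) in check_logging(SAMPLE).items():
        print(f"{key}: {path} -> {'writable' if ok else 'NOT writable'}")
```

A target reported as not writable means either the directory does not exist or the account lacks create rights there, which are the two conditions that leave the log file silently missing.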


