kerberos Authentication failed on shibboleth

Mark Pröhl mark at
Mon Jun 18 14:40:56 EDT 2012

some hints:

use the following commands to test your keytab file:

   kinit -k -t /etc/krb5.keytab HTTP/
   kvno -k /etc/krb5.keytab HTTP/

the second command should report something like "keytab entry valid".

Set file system permissions of the keytab file so that the Shibboleth 
IdP can read it. (/etc/krb5.keytab is usually only readable by root 
while the IdP process runs under the id of e.g. tomcat. So it would be 
better to use another location for the keytab...)

On 17.06.2012 09:11, xinyi yu wrote:
> Hi,
>    I use kerberos on shibboleth, but I get "Authentication failed" on the
> login page. I create the HTTP/ and write the key in the
> /etc/krb5.keytab . I use kinit -k HTTP/
> -t /etc/krb5.keytab and scp the krb5.keytab file to sp
>   idp-process.log
> 21:47:40.989 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] -
> kerberos idp servlet started
> 21:47:40.990 - DEBUG [ch.SWITCH.aai.idp.kerberos.HttpNegotiator:72] - HTTP:
> Returning response code '401'. Authorization header not found.
> 21:47:41.757 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] -
> kerberos idp servlet started
> 21:47:41.758 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:156] -
> Authentication process error.
> Any clue will be appreciated.
> Thanks
> xinyi
> ________________________________________________
> Kerberos mailing list           Kerberos at

Mark Pröhl
mark at

More information about the Kerberos mailing list