kerberos Authentication failed on shibboleth
Mark Pröhl
mark at mproehl.net
Mon Jun 18 14:40:56 EDT 2012
Some hints:

Use the following commands to test your keytab file:

    kinit -k -t /etc/krb5.keytab HTTP/idp.aa.com
    kvno -k /etc/krb5.keytab HTTP/idp.aa.com

The second command should report something like "keytab entry valid".

Set file system permissions of the keytab file so that the Shibboleth
IdP can read it. (/etc/krb5.keytab is usually only readable by root
while the IdP process runs under the id of e.g. tomcat. So it would be
better to use another location for the keytab...)

On 17.06.2012 09:11, xinyi yu wrote:
> Hi,
> I use Kerberos on Shibboleth, but I get "Authentication failed" on the
> login page. I create the HTTP/idp.aa.com and write the key in the
> /etc/krb5.keytab. I use kinit -k HTTP/idp.aa.com -t /etc/krb5.keytab
> and scp the krb5.keytab file to SP.
>
> idp-process.log
> 21:47:40.989 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] - kerberos idp servlet started
> 21:47:40.990 - DEBUG [ch.SWITCH.aai.idp.kerberos.HttpNegotiator:72] - HTTP: Returning response code '401'. Authorization header not found.
> 21:47:41.757 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] - kerberos idp servlet started
> 21:47:41.758 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:156] - Authentication process error.
>
> Any clue will be appreciated.
> Thanks
> xinyi
--
Mark Pröhl
mark at mproehl.net
www.kerberos-buch.de
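
The two hints in the reply above (give the IdP a keytab it can read, then test that keytab), combined as an added shell example that is not part of the original post. It assumes GNU stat and the MIT Kerberos client tools; the function names and the three-argument usage are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post). Assumes GNU stat and MIT Kerberos tools.
# Usage, run as the service account: sh check-keytab.sh KEYTAB SERVICE_USER PRINCIPAL

# Succeeds only if KEYTAB is a regular file owned by SERVICE_USER with mode
# 400 or 600: the file holds the service's long-term keys.
check_keytab_perms() {
    kt=$1; svc_user=$2
    if [ ! -f "$kt" ]; then
        echo "FAIL: $kt is not a regular file" >&2; return 1
    fi
    owner=$(stat -c '%U' "$kt") || return 1
    mode=$(stat -c '%a' "$kt") || return 1
    if [ "$owner" != "$svc_user" ]; then
        echo "FAIL: $kt is owned by $owner, expected $svc_user" >&2; return 2
    fi
    case $mode in
        400|600) ;;
        *) echo "FAIL: $kt has mode $mode, expected 400 or 600" >&2; return 3 ;;
    esac
    echo "OK: $kt owner=$owner mode=$mode"
}

# Runs the two commands from the post in a subshell with a throwaway
# credential cache, so the caller's existing tickets are left alone.
test_keytab() (
    cc=$(mktemp) || exit 1
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    rc=0
    kinit -k -t "$1" "$2" && kvno -k "$1" "$2" || rc=$?
    kdestroy -q >/dev/null 2>&1
    rm -f "$cc"
    exit "$rc"
)

if [ "$#" -eq 3 ]; then
    check_keytab_perms "$1" "$2" && test_keytab "$1" "$3"
fi
```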