kerberos Authentication failed on shibboleth

Mark Pröhl mark at mproehl.net
Mon Jun 18 14:40:56 EDT 2012


Some hints:

Use the following commands to test your keytab file:

   kinit -k -t /etc/krb5.keytab HTTP/idp.aa.com
   kvno -k /etc/krb5.keytab HTTP/idp.aa.com

The second command should report something like "keytab entry valid".

Set file system permissions of the keytab file so that the Shibboleth 
IdP can read it. (/etc/krb5.keytab is usually only readable by root 
while the IdP process runs under the id of e.g. tomcat. So it would be 
better to use another location for the keytab...)


On 17.06.2012 09:11, xinyi yu wrote:
> Hi,
>    I use Kerberos on Shibboleth, but I get "Authentication failed" on the
> login page. I created the HTTP/idp.aa.com and wrote the key to
> /etc/krb5.keytab. I use kinit -k HTTP/idp.aa.com
> -t /etc/krb5.keytab and scp the krb5.keytab file to the sp
>
>   idp-process.log
> 21:47:40.989 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] -
> kerberos idp servlet started
> 21:47:40.990 - DEBUG [ch.SWITCH.aai.idp.kerberos.HttpNegotiator:72] - HTTP:
> Returning response code '401'. Authorization header not found.
> 21:47:41.757 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] -
> kerberos idp servlet started
> 21:47:41.758 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:156] -
> Authentication process error.
>
> Any clue will be appreciated.
> Thanks
> xinyi
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos


-- 
Mark Pröhl
mark at mproehl.net
www.kerberos-buch.de
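
The permission hint in the reply above can be checked with a small script. This is an added example, not part of the original message or of the Shibboleth or Kerberos projects; the function name `check_keytab`, the owner-only policy it enforces, and the path and account in the usage comment are assumptions. It relies on GNU `stat` (Linux).

```shell
#!/bin/sh
# Added example: audit a dedicated service keytab.
# check_keytab PATH USER
#   returns 0 when PATH is a regular file owned by USER, readable by its
#   owner, and closed to group and others (policy chosen for this example);
#   returns 1 on a policy violation, 2 when the file is missing.
# Example call (placeholder path, "tomcat" as in the reply above):
#   check_keytab /path/to/idp.keytab tomcat
check_keytab() {
    kt=$1
    user=$2
    rc=0

    if [ ! -f "$kt" ]; then
        echo "FAIL: $kt does not exist or is not a regular file"
        return 2
    fi

    owner=$(stat -c '%U' "$kt")   # owning user name
    mode=$(stat -c '%a' "$kt")    # octal permission bits, e.g. 600

    # The service account must own the file; a root-owned keytab is the
    # situation described in the reply (IdP process cannot read it).
    if [ "$owner" != "$user" ]; then
        echo "FAIL: owner is $owner, expected $user"
        rc=1
    fi

    # Owner read bit (0400) must be set.
    if [ $((0$mode & 0400)) -eq 0 ]; then
        echo "FAIL: mode $mode gives the owner no read access"
        rc=1
    fi

    # Any group/other bit (0077) exposes the long-term service key.
    if [ $((0$mode & 0077)) -ne 0 ]; then
        echo "FAIL: mode $mode grants access to group or others"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $kt is owned by $user with mode $mode"
    return "$rc"
}
```

Run it as root or as the service account, so that `stat` can reach the file.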

