kerberos Authentication failed on shibboleth

Mark Pröhl mark at mproehl.net
Mon Jun 18 14:51:28 EDT 2012


Some more hints:

- do not copy the keytab file to the Shibboleth SP systems. In general a 
keytab should only be located on the server it was created for -- in 
case of kerberized Shibboleth this is the IdP. Other services must not 
be able to read the keys from the keytab file. This would be a big 
security issue.

- can you post the kerberos part of your Shibboleth configuration?

On 18.06.2012 20:40, Mark Pröhl wrote:
> some hints:
>
> use the following commands to test your keytab file:
>
> kinit -k -t /etc/krb5.keytab HTTP/idp.aa.com
> kvno -k /etc/krb5.keytab HTTP/idp.aa.com
>
> the second command should report something like "keytab entry valid".
>
> Set file system permissions of the keytab file so that the Shibboleth
> IdP can read it. (/etc/krb5.keytab is usually only readable by root
> while the IdP process runs under the id of e.g. tomcat. So it would be
> better to use another location for the keytab...)
>
>
> On 17.06.2012 09:11, xinyi yu wrote:
>> Hi,
>> I use kerberos on shibboleth, but I get "Authentication failed" on the
>> login page. I create the HTTP/idp.aa.com and write the key in the
>> /etc/krb5.keytab . I use kinit -k HTTP/idp.aa.com
>> -t /etc/krb5.keytab and scp the krb5.keytab file to sp
>>
>> idp-process.log
>> 21:47:40.989 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] -
>> kerberos idp servlet started
>> 21:47:40.990 - DEBUG [ch.SWITCH.aai.idp.kerberos.HttpNegotiator:72] -
>> HTTP:
>> Returning response code '401'. Authorization header not found.
>> 21:47:41.757 - INFO [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:125] -
>> kerberos idp servlet started
>> 21:47:41.758 - DEBUG [ch.SWITCH.aai.idp.kerberos.KrbLoginServlet:156] -
>> Authentication process error.
>>
>> Any clue will be appreciated.
>> Thanks
>> xinyi
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>


-- 
Mark Pröhl
mark at mproehl.net
www.kerberos-buch.de
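The two points raised in the thread (the keytab must be readable by the IdP process but by nothing else, and the kinit/kvno check proves the keytab entry is usable) can be scripted. The following is an added example, not code from the thread or from Shibboleth; it assumes the keytab was moved to /etc/shibboleth-idp/idp.keytab, that the IdP runs as user tomcat, and the principal HTTP/idp.aa.com from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a Shibboleth IdP keytab.
# Assumed values: the keytab lives at /etc/shibboleth-idp/idp.keytab (not the
# root-only /etc/krb5.keytab), the IdP runs as user "tomcat", and the service
# principal is HTTP/idp.aa.com as in the thread.

# keytab_perms_ok FILE USER
# Returns 0 when FILE exists, is owned by USER and is readable only by its
# owner (mode 0400 or 0600), so no other service on the host can read the keys.
keytab_perms_ok() {
    kt=$1
    svc_user=$2
    if [ ! -f "$kt" ]; then
        echo "keytab $kt does not exist" >&2
        return 1
    fi
    # GNU stat uses -c, BSD/macOS stat uses -f; try GNU first.
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt")
    owner=$(stat -c '%U' "$kt" 2>/dev/null || stat -f '%Su' "$kt")
    rc=0
    if [ "$owner" != "$svc_user" ]; then
        echo "keytab $kt is owned by $owner, not $svc_user" >&2
        rc=1
    fi
    case "$mode" in
        400|600) ;;
        *) echo "keytab $kt has mode $mode; expected 0400 or 0600" >&2; rc=1 ;;
    esac
    return $rc
}

# keytab_principal_ok FILE PRINCIPAL
# Runs the checks from the thread: kinit from the keytab, then kvno against it.
# Returns 0 if both succeed, 2 if the MIT client tools are not installed.
keytab_principal_ok() {
    kt=$1
    princ=$2
    command -v kinit >/dev/null 2>&1 && command -v kvno >/dev/null 2>&1 || return 2
    klist -k -t "$kt" || return 1             # list entries and their kvno
    kinit -k -t "$kt" "$princ" || return 1    # get a TGT using the keytab key
    kvno -k "$kt" "$princ" || return 1        # should print "keytab entry valid"
    kdestroy                                  # drop the test credential cache
}

main() {
    kt=${1:-/etc/shibboleth-idp/idp.keytab}
    svc_user=${2:-tomcat}
    princ=${3:-HTTP/idp.aa.com}
    status=0
    keytab_perms_ok "$kt" "$svc_user" || status=1
    keytab_principal_ok "$kt" "$princ"
    case $? in
        0) echo "keytab entry for $princ is valid" ;;
        2) echo "kinit/kvno not installed; skipping principal check" >&2 ;;
        *) status=1 ;;
    esac
    return $status
}

# Run only when invoked with arguments, e.g.:
#   sudo -u tomcat sh check_keytab.sh /etc/shibboleth-idp/idp.keytab tomcat HTTP/idp.aa.com
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as the IdP's own service account so the kinit step proves that the account, not root, can read the keytab; a mode of 0600 owned by root passes the permission check in the script but would still fail for the IdP process, which the kinit run then exposes.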

