9 Replies Latest reply on Mar 26, 2012 9:51 AM by Bill Robinson

    AD Kerberos login failure

    Antonio Caputo

      After the AD Kerberos has been defined following all the steps of the Admin Guide 7.6, we are not able to connect via Configuration Manager.

       

      The CM returns a pop-up window with the following error:

       

      A network error has occurred. The authentication service may have closed the connection due to a long period of inactivity.

       

      while the appserver.log says:

       

      Unexpected exception
      java.lang.SecurityException: Configuration Error:
      expected , read
      at com.sun.security.auth.login.ConfigFile.(ADKAuthSvcStateMachine.java:88)
      at com.bladelogic.auth.service.AuthSvcStateMachineForType.visit(AuthSvcStateMachineForType.java:98)
      at com.bladelogic.auth.service.AuthSvcStateMachineForType.visit(AuthSvcStateMachineForType.java:28)
      at com.bladelogic.auth.common.AuthenticationType$ADKerberos.accept(AuthenticationType.java:171)
      at com.bladelogic.auth.service.AuthSvcStateMachineFactory.getSvcStateMachine(AuthSvcStateMachineFactory.java:75)
      at com.bladelogic.auth.service.AuthSvcConnection.handleAuthRequest(AuthSvcConnection.java:152)
      at com.bladelogic.auth.service.AuthSvcWorkerThread.execute(AuthSvcWorkerThread.java:62)
      at com.bladelogic.auth.service.AuthSvcWorkerThread.execute(AuthSvcWorkerThread.java:16)
      at com.bladelogic.app.service.thread.BlBlockingThread.run(BlBlockingThread.java:92)
      Caused by: java.io.IOException: Configuration Error:
      expected , read
      at com.sun.security.auth.login.ConfigFile.match(Unknown Source)
      at com.sun.security.auth.login.ConfigFile.parseLoginEntry(Unknown Source)
      at com.sun.security.auth.login.ConfigFile.readConfig(Unknown Source)
      at com.sun.security.auth.login.ConfigFile.init(Unknown Source)
      at com.sun.security.auth.login.ConfigFile.init(Unknown Source)
      ... 20 more
      Authentication Connection closed

       

      Thanks for any help.

        • 1. Re: AD Kerberos login failure
          Antonio Caputo

          Just to remind that the AD is on Win2008

          • 2. Re: AD Kerberos login failure
            Bill Robinson

            can you post the conf files ?

             

            and this is for ADK or 'domain' authentication?

            • 3. Re: AD Kerberos login failure
              Antonio Caputo

              Here are the conf files. I am speaking about AD Kerberos.

              The DA on the same server works fine... So I would expect the same for AD Kerberos.

               

              blappserv_krb5.conf:

              [libdefaults]
              ticket_lifetime = 6000
              default_realm = WIND.ROOT.IT
              default_tkt_enctypes = des-cbc-md5
              default_tgs_enctypes = des-cbc-md5

              [realms]
              WIND.ROOT.IT = {
                  kdc = dcwriv01.wind.root.it:88
              }

              [domain_realm]
              .wind.root.it = WIND.ROOT.IT

              blappserv_login.conf:

              com.sun.security.jgss.accept {
                  com.sun.security.auth.module.Krb5LoginModule required
                  useKeyTab=true
                  keyTab="/usr/nsh/br/blauthsvc2.keytab"
                  storeKey=true
                  principal="blauthsvc2/blxsas02@WIND.ROOT.IT"
                  doNotPrompt=true
                  debug=true;
              };
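The two files in the post above are the inputs behind the "Configuration Error: expected [...], read [...]" message in the first post. That text is produced by com.sun.security.auth.login.ConfigFile, the JAAS parser that reads blappserv_login.conf (it is the class in the inner stack trace), and it means the parser met a token other than the one the grammar required at that position, most often because a ';' after the last option or the closing '};' is missing. The following Python checker is an added example, not part of this thread and not BladeLogic code: it parses a login.conf with the same grammar and reports the same kind of error offline, before the app server is restarted, and it audits a krb5.conf for missing sections and for the single-DES enctypes the configuration above relies on (Windows 2008 domain controllers do not issue DES tickets by default). Every file content in the block is constructed; MYREALM.EXAMPLE, the host name and the keytab path are placeholders.

```python
"""Added example (not BladeLogic code): parse a JAAS login.conf with the grammar that
com.sun.security.auth.login.ConfigFile uses, so a dropped ';' is caught before the app
server restarts, and audit a krb5.conf for weak enctypes. All contents are constructed."""
import re

_TOKEN = re.compile(r'"[^"]*"|[{};=]|[^\s{};="]+')  # JAAS: Name { Module Flag k=v ...; };
_FLAGS = {"required", "requisite", "sufficient", "optional"}
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md5", "rc4", "rc4-hmac", "arcfour-hmac"}


def parse_login_conf(text):
    """Return {app: [{'module', 'flag', 'options'}]}; raise ValueError worded like
    ConfigFile does, e.g. 'Configuration Error: expected [;], read [end of file]'."""
    toks = _TOKEN.findall(re.sub(r"//.*", "", text))  # drop // comments first
    i, entries = 0, {}

    def peek():
        return toks[i] if i < len(toks) else "end of file"

    def need(expected):
        nonlocal i
        if peek() != expected:
            raise ValueError(f"Configuration Error: expected [{expected}], read [{peek()}]")
        i += 1

    while i < len(toks):
        name, i = toks[i], i + 1
        need("{")
        modules = []
        while peek() not in ("}", "end of file"):
            module, i = toks[i], i + 1
            flag, i = peek().lower(), i + 1
            if flag not in _FLAGS:
                raise ValueError(f"Configuration Error: expected [control flag], read [{flag}]")
            options = {}
            while peek() not in (";", "}", "end of file"):
                key, i = toks[i], i + 1
                need("=")
                if peek() in (";", "}", "end of file"):
                    raise ValueError(f"Configuration Error: expected [value], read [{peek()}]")
                options[key], i = toks[i].strip('"'), i + 1
            need(";")  # every module line ends with ';' ...
            modules.append({"module": module, "flag": flag, "options": options})
        need("}")
        need(";")      # ... and every entry with '};'
        entries[name] = modules
    return entries


def parse_krb5_conf(text):
    """Return {section: {key: value | {subkey: value}}}: '[name]' headers, 'k = v' lines and
    'REALM = { ... }' blocks. Repeated keys (several kdc lines) keep the last value."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif section is None:
            raise ValueError(f"krb5.conf: '{line}' appears before any [section] header")
        elif line == "}":
            block = None
        elif line.endswith("{"):
            block = section.setdefault(line[:-1].split("=")[0].strip(), {})
        else:
            key, _, value = line.partition("=")
            (block if block is not None else section)[key.strip()] = value.strip()
    return conf


def audit_krb5_conf(text):
    """Findings for a krb5.conf: missing mandatory sections and DES/RC4 enctype settings."""
    conf = parse_krb5_conf(text)
    findings = [f"missing [{s}] section" for s in ("libdefaults", "realms", "domain_realm")
                if s not in conf]
    defaults = conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        weak = [e for e in defaults.get(key, "").replace(",", " ").split() if e.lower() in WEAK_ENCTYPES]
        if weak:
            findings.append(f"{key} allows weak enctypes: {' '.join(weak)}")
    if defaults.get("allow_weak_crypto", "").lower() in ("yes", "true"):
        findings.append("allow_weak_crypto = yes re-enables DES/RC4 in the client library")
    return findings


# Constructed samples: DES-only libdefaults (as in the thread) and no [domain_realm] section.
SAMPLE_KRB5_CONF = """[libdefaults]
default_realm = MYREALM.EXAMPLE
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
[realms]
MYREALM.EXAMPLE = {
    kdc = dc01.myrealm.example:88
}"""
GOOD_LOGIN_CONF = """com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true
  keyTab="/usr/nsh/br/blauthsvc.keytab" principal="blauthsvc/blappserver@MYREALM.EXAMPLE"
  doNotPrompt=true debug=true; };"""
BAD_LOGIN_CONF = GOOD_LOGIN_CONF.replace("debug=true;", "debug=true")  # the ';' is dropped
```

Running parse_login_conf(BAD_LOGIN_CONF) raises "Configuration Error: expected [;], read [}]", which is the family of message in the first post; a file truncated before the closing "};" gives "read [end of file]" instead. audit_krb5_conf(SAMPLE_KRB5_CONF) reports the missing [domain_realm] section and the two des-cbc-md5 settings. The parser strips "//" comments before tokenizing, so a "//" inside a quoted value would be clipped; the files in this thread contain none.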

              • 4. Re: AD Kerberos login failure
                Bill Robinson

                the reason I think you have a config file problem is this line in the output:

                 java.lang.SecurityException: Configuration Error:
                 expected , read

                 

                 I saw 1 typo:

                should be

                 

                I don't know why that gives you the error about ';',

                 

                 check the perms on the files too, that bladmin can read them (644 at least)

                • 5. Re: AD Kerberos login failure
                  Antonio Caputo

                  I see, the ; is there and the perms are 777 on the blappserv_krb5.conf and blappserv_login.conf

                  • 6. Re: AD Kerberos login failure
                    Bill Robinson

                    the ';' should be there in these lines:

                    debug=true;

                    };

                    (which it is)

                     

                    so maybe it's choking on the domain_realms thing.

                    • 7. Re: AD Kerberos login failure
                      Antonio Caputo

                      I tested also with the "domain_realms" instead of "domain_realm" (even if the doc says "domain_realm") ... but without success.

                       

                      I am starting to think that the culprit is the keytab file (remember the history that we are on a Win2008 AD???).

                       

                      So I am going back to thinking that 2008 is still not supported!!! But there is no official answer on that.

                      • 8. AD Kerberos login failure
                        Antonio Caputo

                        These are the steps that I performed recently at a customer who was not able to use ADK on Win2k8 R2. Maybe not all of them are necessary.

                         

                        - The customer asked to have only rc4-hmac enabled and DES disabled. So the Win2k8 R2 Domain Controllers were set with DES disabled and rc4-hmac enabled. Also the blauthsvc user on the DC must be set with the same (DES disabled and rc4-hmac enabled).

                         

                        - On the App Server define the blappserv_krb5.conf and blappserv_login.conf like these:

                         

                        #cat blappserv_krb5.conf
                        [libdefaults]
                        ticket_lifetime = 24h
                        default_realm = <MYREALM>
                        default_tkt_enctypes = rc4-hmac
                        default_tgs_enctypes = rc4-hmac
                        permitted_enctypes = rc4-hmac
                        allow_weak_crypto = yes
                        [realms]
                        GRUPPO.AUTOSTRADE.IT = {
                           kdc = <MYDC1>.<MYREALM>:88
                           kdc = <MYDC2>.<MYREALM>.IT:88
                           kdc = <MYDC3>.<MYREALM>.IT:88
                           kdc = <MYDC4>.<MYREALM>.IT:88
                        }
                        [domain_realm]
                        .<MYREALM> = <MYREALM>
                        <MYREALM> = <MYREALM>

                         

                        # cat blappserv_login.conf
                        com.sun.security.jgss.accept {
                        com.sun.security.auth.module.Krb5LoginModule required
                        useKeyTab=true
                        keyTab="/opt/bl8/NSH/br/blauthsvc.keytab"
                        storeKey=true
                        principal="blappsv2/blserver@<MYREALM>"
                        doNotPrompt=true
                        debug=true;
                        };

                        com.bladelogic.auth.service.ADKerberosPasswordLogin {
                        com.sun.security.auth.module.Krb5LoginModule required
                        useTicketCache=false
                        doNotPrompt=false
                        debug=true;
                        };

                         

                         

                        This file has two sections because of the DA too.

                         

                        Then define the krb5 files on the console according to the documentation (I added the same as in the red lines above, but maybe it will work also without). Also follow the doc for the client registry configuration.

                         

                        The keytab file was created with a command like this:

                         

                        ktpass -out blauthsvc.keytab -princ blauthsvc/appr51@<MYREALM>.IT -mapuser blauthsvc@<MYREALM>.IT +rndPass -minPass 33 -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5


                        HTH.

                        • 9. AD Kerberos login failure
                          Bill Robinson

                          the 'principal' setting in the blappserv_login.conf should be blauthsvc/appr51@<MYREALM>.IT and not blappsv2/blserver@<MYREALM>
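The last reply points at a mismatch that a keytab dump makes obvious: ktpass was run with -princ blauthsvc/appr51@<MYREALM>.IT, so that is the only service principal the keytab holds, while blappserv_login.conf asks Krb5LoginModule to load blappsv2/blserver@<MYREALM> from it. The same dump would show the second problem in that procedure: the keytab was cut with -crypto DES-CBC-MD5 against domain controllers on which DES had just been disabled. The following Python script is an added example, not from this thread and not BladeLogic code. It reads a keytab in the MIT file format (version 0x0502, the format ktpass and ktutil write and Java's Krb5LoginModule reads), lists each entry's principal, kvno and enctype, compares the principals with the principal= lines of a login.conf, and flags single-DES and RC4 keys. The keytab bytes are built inside the script from dummy keys, MYREALM.EXAMPLE is a placeholder realm, and the login.conf side is deliberately reduced to a regular expression over principal= lines.

```python
"""Added example (not BladeLogic code): read principals and enctypes out of an MIT-format
keytab (version 0x0502) and check them against the principal= named in a JAAS login.conf.
All inputs are constructed; MYREALM.EXAMPLE and the paths are placeholders."""
import re
import struct

ENCTYPE = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
           18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}       # RFC 3961 / RFC 4757 numbers
WEAK_ENCTYPES = {1, 2, 3, 23}                                   # single DES and RC4-HMAC
_PRINCIPAL = re.compile(r'\bprincipal\s*=\s*"([^"]+)"')         # simplification, not a JAAS parser


def build_keytab(entries):
    """Serialize [(principal, kvno, enctype, key_bytes)] as a 0x0502 keytab.
    Used here only to construct sample input; ktpass/ktutil do this for real."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        parts = [realm] + name.split("/")                       # realm, then name components
        body = struct.pack(">H", len(parts) - 1)                # component count excludes realm
        body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)                         # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Parse a version 0x0502 (big-endian) keytab into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size == 0:
            raise ValueError("malformed keytab: zero-length slot")
        if size < 0:                                            # deleted slot: skip |size| bytes
            pos -= size
            continue
        end = pos + size
        ncomp, pos = struct.unpack_from(">H", data, pos)[0], pos + 2
        parts = []
        for _ in range(ncomp + 1):                              # realm first, then components
            n = struct.unpack_from(">H", data, pos)[0]
            parts.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        _name_type, _timestamp, vno, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + keylen
        if end - pos >= 4:                                      # 32-bit kvno, if present and nonzero, wins
            vno = struct.unpack_from(">I", data, pos)[0] or vno
        pos = end
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": vno,
                        "enctype": enctype, "enctype_name": ENCTYPE.get(enctype, str(enctype))})
    return entries


def check_keytab_against_login_conf(keytab_bytes, login_conf_text):
    """Return findings (empty list = consistent): principals named in login.conf that the
    keytab does not hold, and keytab entries whose enctype a DES-disabled DC will not issue."""
    keys = parse_keytab(keytab_bytes)
    in_keytab = {k["principal"] for k in keys}
    findings = [f"login.conf principal {p} is not in the keytab (it holds {sorted(in_keytab)})"
                for p in _PRINCIPAL.findall(login_conf_text) if p not in in_keytab]
    findings += [f"keytab: {k['principal']} kvno {k['kvno']} uses weak enctype {k['enctype_name']}"
                 for k in keys if k["enctype"] in WEAK_ENCTYPES]
    return findings


# Constructed login.conf fragment naming one SPN ...
SAMPLE_LOGIN_CONF = """com.sun.security.jgss.accept {
  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true
  keyTab="/opt/bl8/NSH/br/blauthsvc.keytab" principal="blappsv2/blserver@MYREALM.EXAMPLE"
  doNotPrompt=true debug=true; };"""
# ... and a constructed keytab holding a different SPN with a DES key, i.e. the mismatch the
# last two posts describe (key bytes are dummy).
SAMPLE_KEYTAB = build_keytab([("blauthsvc/appr51@MYREALM.EXAMPLE", 3, 3, b"\x11" * 8)])
# The corrected pair: login.conf names the keytab's SPN and the key is AES256.
FIXED_LOGIN_CONF = SAMPLE_LOGIN_CONF.replace("blappsv2/blserver", "blauthsvc/appr51")
FIXED_KEYTAB = build_keytab([("blauthsvc/appr51@MYREALM.EXAMPLE", 4, 18, b"\x22" * 32)])

if __name__ == "__main__":
    for finding in check_keytab_against_login_conf(SAMPLE_KEYTAB, SAMPLE_LOGIN_CONF):
        print("FINDING:", finding)
```

On a host with MIT Kerberos installed, "klist -k -e /opt/bl8/NSH/br/blauthsvc.keytab" prints the same principal, kvno and enctype listing; the value of scripting it as above is that the comparison with login.conf can run in a deployment check before the app server is restarted. Note also that the kvno in the keytab must match the kvno the domain controller currently holds for the account, which "ktpass +rndPass" bumps every time it is run.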