10 Replies. Latest reply on Sep 29, 2012 7:11 PM by Bill Robinson.

    AD Kerberos Integration Issue

    Justin Dettmann



      I have followed all the online steps to create the conf files etc., but when I try to log in using a domain user, I get the following error:


      'No valid credentials provided (Mechanism level: Integrity check on decrypted field failed (31))'


      I found KA306992, but that refers to Vista. I have the console installed on Windows 2008 R2, and the Application Server is installed on SUSE Linux Enterprise 11.


      I attached the conf files I created.


      Just to confirm: the principal in blappserv_login must be the name of the BladeLogic Application Server?





        • 1. Re: AD Kerberos Integration Issue
          Bill Robinson

          Are you using 'ADK' login or 'Domain' login? (ADK being the one that requires the registry change on the client side.)


          Can you attach the bl_krb.conf and bl_client.conf files?


          Also, what registry key did you add?


          The principal name can be whatever you want, actually.

          • 2. Re: AD Kerberos Integration Issue
            Justin Dettmann

            Hi Bill,


            I'm using the ADK login.


            All the files I created are attached in the previous post.


            The registry key I added is:



            I have set AuthServer IsADKAuthEnabled to true and restarted the appserver.

            • 3. Re: AD Kerberos Integration Issue
              Justin Dettmann

              Just an update on this:


              The Windows admin recreated the keytab again, as she did not type the domain name in when specifying the mapuser entry.


              But this hasn't fixed it yet.


              I am noticing that if I set IsADKAuthEnabled to true and restart the appserver, it starts up and then shuts down again. If I set it to false, it starts up just fine?

              • 4. Re: AD Kerberos Integration Issue
                Bill Robinson

                If you set isADKAuthEnabled=false, then we don't try to start up the ADK authentication, which in your case works because there is some problem with your ADK setup.


                Can you try using this in the krb5.conf files:


                [libdefaults]
                ticket_lifetime = 6000
                default_realm = ZA.OMLAC.NET
                default_tkt_enctypes = des-cbc-md5 rc4-hmac
                default_tgs_enctypes = des-cbc-md5 rc4-hmac

                [realms]
                ZA.OMLAC.NET = {
                kdc = TSAWCP001.ZA.OMLAC.NET:88
                }

                [domain_realm]
                .za.omlac.net = ZA.OMLAC.NET




                Also, can you use kinit to authenticate with that keytab?

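                Two of the things Bill is asking about, what keys the keytab actually holds and whether their enctypes overlap with the default_tkt_enctypes in krb5.conf, can be checked offline by reading the keytab itself. The error in the first post, "Integrity check on decrypted field failed (31)", is Kerberos error 31, KRB_AP_ERR_BAD_INTEGRITY: the service had no key that decrypted the ticket, which is what a stale kvno, a key made from the wrong password, or a keytab whose enctypes the KDC never issued will produce. The block below is an added example in Python, not code from the thread or from BladeLogic. It builds a keytab in the MIT 0x0502 file format in memory so it runs without a KDC; the principal HTTP/appserver.za.omlac.net and the all-zero key bytes are constructed assumptions, and only the realm ZA.OMLAC.NET comes from the thread.

```python
"""Parse an MIT-format (0x0502) keytab and compare its keys with the
enctypes that krb5.conf allows.  Added example; the sample keytab and
principal name are constructed, not taken from the thread."""

import struct

# Enctype numbers from RFC 3961 / RFC 3962 / RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
KRB5_NT_PRINCIPAL = 1  # name type used for service principals


def _counted(b: bytes) -> bytes:
    """16-bit length prefix + bytes, the keytab 'counted octet string'."""
    return struct.pack(">H", len(b)) + b


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def build_keytab(entries) -> bytes:
    """entries: iterable of (principal, realm, kvno, enctype_id, key_bytes).
    Produces a version-2 keytab as written by ktutil/ktpass, including the
    optional trailing 32-bit kvno."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key              # keyblock
        body += struct.pack(">I", kvno)                                  # full 32-bit kvno
        out += struct.pack(">i", len(body)) + body                       # positive size = live entry
    return out


def parse_keytab(data: bytes):
    """Return a list of dicts {principal, kvno, enctype, key} for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:      # the 32-bit kvno is optional; prefer it when present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, f"enctype-{enctype}"),
            "key": key,
        })
    return entries


def usable_enctypes(entries, allowed):
    """Enctypes present in the keytab that krb5.conf's default_tkt_enctypes
    would let the client negotiate.  An empty result means no ticket the KDC
    issues under that config can be decrypted with this keytab."""
    return [e["enctype"] for e in entries if e["enctype"] in allowed]


def has_principal(entries, principal: str) -> bool:
    """True if the keytab contains a key for exactly this principal@REALM
    (the name given to ktpass /princ, case-sensitive)."""
    return any(e["principal"] == principal for e in entries)


if __name__ == "__main__":
    # Constructed sample: one rc4-hmac key, kvno 3, all-zero key material.
    sample = build_keytab([("HTTP/appserver.za.omlac.net", "ZA.OMLAC.NET", 3, 23, bytes(16))])
    for e in parse_keytab(sample):
        print(f"{e['kvno']:>4}  {e['principal']}  ({e['enctype']})")
    print("usable:", usable_enctypes(parse_keytab(sample), ["des-cbc-md5", "rc4-hmac"]))
```

                On a real system the same view comes from `klist -kte /path/to/keytab`; the principal string must match what was passed to ktpass, and the kvno should agree with the account's msDS-KeyVersionNumber in AD, since every regeneration of the keytab that resets the password bumps it.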
                • 5. Re: AD Kerberos Integration Issue
                  Justin Dettmann

                  I have been working with BMC support on this issue, and we actually tried this option as well as a few other options in the krb5.conf file. We also regenerated the keytab file a few times using different options.


                  I'm just wondering, am I not missing something on the Linux side where the application server resides? Does LDAP need to be configured, etc.? Maybe this server does not have rights to AD or something like that. How do I go about checking this? It may be one of the basic requirements that is not in place.

                  • 6. Re: AD Kerberos Integration Issue
                    Orhan Taskin

                    I spent a lot of time and went through the steps over and over again and gave it up eventually. Do yourself a favor and use Active Directory Authentication without Kerberos.

                    • 7. Re: AD Kerberos Integration Issue
                      Justin Dettmann

                      It seems that I have hopefully overcome the keystore issue on the application server now. I have enabled IsADKAuthEnabled, and the application server starts up now with this setting.

                      A new keystore file was created with some extra options, and I edited the blapp_krb5 file to reflect some additional enctypes.


                      But now, when I try to log in to the Blade console using the AD/Kerberos profile, the username field is greyed out and does not get populated. This used to populate previously, even though I couldn't log in with an AD user.

                      When I select Connect with the user field blank, it comes back with a "no TGT" message.


                      I have updated the blclient_krb5 file on the console machine to reflect the changes, and it is identical to the blapp_krb5 file on the appserver.


                      Any ideas?

                      • 8. Re: AD Kerberos Integration Issue
                        Bill Robinson

                        The client side is not set up properly. What OS is the client system? Can you try setting both of the registry keys recommended in the docs and rebooting your client system?

                        • 9. Re: AD Kerberos Integration Issue
                          Justin Dettmann

                          Hi Bill,


                          The OS on the client side is Windows 2008. I have set the registry key in both places as mentioned in the KB and rebooted.



                          • 10. Re: AD Kerberos Integration Issue
                            Bill Robinson

                            I think we got this squared away - there seems to be some setting in your 2008 environment that is preventing Java/Blade from seeing the Kerberos ticket.