Kerberos Authentication stops working after upgrading NetIQ Access Manager to 4.0.2, 4.1, 4.1.1

  • 7016681
  • 14-Jul-2015
  • 14-Jul-2015

Environment


NetIQ Access Manager 4.0.2
NetIQ Access Manager 4.1
NetIQ Access Manager 4.1.1

Situation

  • NetIQ Access Manager configured for Kerberos authentication

  • Before upgrading to version 4.0.2, 4.1 or 4.1.1, Kerberos authentication works without any problems

  • NIDP server reports the following error message:

    Debug is  true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is /opt/novell/java/jre/lib/security/spnegoTicket.cache isInitiator true KeyTab is /opt/novell/java/jre/lib/security/nidpkey.keytab refreshKrb5Config is false principal is HTTP/idpa.lab.nam.org@LAB.NAM.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
    Acquire TGT from Cache
    Principal is HTTP/idpa.lab.nam.org@LAB.NAM.ORG
    null credentials from Ticket Cache
    Key for the principal HTTP/idpa.lab.nam.org@LAB.NAM.ORG not available in /opt/novell/java/jre/lib/security/nidpkey.keytab
    [Krb5LoginModule] authentication failed
    Unable to obtain password from user
    <amLogEntry> 2015-06-26T09:47:56Z SEVERE NIDS Application: AM#100104105: AMDEVICEID#1920980D6E0A746C:  Could not initialize Kerberos/GSS No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) </amLogEntry>

Resolution

  • Disable the AD account setting "Use Kerberos DES encryption types for this account" for the NIDP server account
  • Enable the AD account setting "This account supports Kerberos AES 128"
  • Create a new keytab file with "ktpass" using the /crypto all option, so that the keytab includes all possible key types

  • Note:
    If you want to create an AES256-SHA1 key using the ktpass option /crypto AES256-SHA1, you need to install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8" from Oracle. For installation instructions, review the readme of the JCE package, and enable the AD account setting "This account supports Kerberos AES 256" for the NIDP server.

Cause

  • JDK 8 (novell-jdk-1.8.0_X) has been installed
  • des-cbc-crc and des-cbc-md5 are disabled by default with JDK 8, so a keytab that contains only DES keys no longer yields a usable key for the NIDP principal
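To confirm whether an existing nidpkey.keytab is affected before regenerating it (Resolution) and to see the cause directly (a keytab holding only the DES key types JDK 8 disables), the following added Python example parses the keytab and lists the encryption types per principal. It is not part of this article or of Access Manager; it assumes the keytab is in the MIT version-2 format (0x0502) that ktpass writes, uses the IANA Kerberos encryption-type numbers, and embeds two constructed sample keytabs with dummy key bytes for the principal from the log above. The build_keytab and assess_keytab helpers are assumptions of this example.

```python
import struct

# Kerberos encryption type numbers from the IANA registry (RFC 3961 family).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# The two DES types the article says JDK 8 disables by default.
JDK8_DISABLED = {1, 3}


def _counted_octets(data, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Parse a version 0x0502 MIT-format keytab (what ktpass writes) into a list of entries."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # a negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        _name_type, timestamp, kvno = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen                 # skip the key material; only its type matters here
        if end - off >= 4:                # optional 32-bit kvno overrides the 8-bit field
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "timestamp": timestamp, "enctype": enctype})
    return entries


def assess_keytab(entries, principal):
    """Split a principal's key types into ones JDK 8 can use and ones it rejects by default."""
    types = {e["enctype"] for e in entries if e["principal"] == principal}
    usable, disabled = sorted(types - JDK8_DISABLED), sorted(types & JDK8_DISABLED)
    return {"usable": usable, "disabled": disabled, "ok": bool(usable)}


def build_keytab(entries, timestamp):
    """Write a version 2 keytab from (principal, kvno, enctype, key) tuples; only used to construct samples."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name type 1 = KRB_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed samples with dummy key bytes (not real keys); the principal is the one from the log.
PRINCIPAL = "HTTP/idpa.lab.nam.org@LAB.NAM.ORG"
TS = 1435312076   # constructed: 2015-06-26T09:47:56Z, the time of the SEVERE log entry
# Keytab holding only DES keys: the state the article describes after the JDK 8 upgrade.
DES_ONLY_KEYTAB = build_keytab([(PRINCIPAL, 3, 1, b"\x01" * 8),
                                (PRINCIPAL, 3, 3, b"\x02" * 8)], TS)
# Keytab as produced with ktpass /crypto all: DES, RC4 and both AES key types.
ALL_TYPES_KEYTAB = build_keytab([(PRINCIPAL, 4, 1, b"\x01" * 8), (PRINCIPAL, 4, 3, b"\x02" * 8),
                                 (PRINCIPAL, 4, 23, b"\x03" * 16), (PRINCIPAL, 4, 17, b"\x04" * 16),
                                 (PRINCIPAL, 4, 18, b"\x05" * 32)], TS)

if __name__ == "__main__":
    # On a live system read the real file instead: open("/opt/novell/java/jre/lib/security/nidpkey.keytab", "rb").read()
    for label, blob in (("DES only", DES_ONLY_KEYTAB), ("ktpass /crypto all", ALL_TYPES_KEYTAB)):
        r = assess_keytab(parse_keytab(blob), PRINCIPAL)
        print(label, "->", "OK" if r["ok"] else "FAIL",
              "| usable:", [ENCTYPE_NAMES[t] for t in r["usable"]],
              "| disabled by JDK 8:", [ENCTYPE_NAMES[t] for t in r["disabled"]])
```

The DES-only sample reports FAIL, matching the "Key for the principal ... not available" message in the log; the /crypto all sample reports OK because AES and RC4 keys remain even with the DES types disabled. Where MIT Kerberos tools are installed, `klist -ke nidpkey.keytab` shows the same key-type list.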

Additional Information

  • If the installed JDK does not support any key type included in the installed nidpkey.keytab file, a LAN trace taken between the NIDP server and the Kerberos server will not show any krb5 traffic (UDP/TCP port 88), because the Krb5LoginModule fails locally before contacting the KDC
  • To enable Kerberos debugging log entries in "/var/opt/novell/nam/logs/idp/tomcat/catalina.out", add the following Java option: JAVA_OPTS="${JAVA_OPTS} -Dsun.security.krb5.debug=true"