Environment
NetIQ Access Manager 4.0.2
NetIQ Access Manager 4.1
NetIQ Access Manager 4.1.1
Situation
- NetIQ Access Manager configured for Kerberos authentication
- Before the upgrade to version 4.0.2, 4.1 or 4.1.1, Kerberos authentication worked without any problems
- NIDP server reports the following error message:
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is /opt/novell/java/jre/lib/security/spnegoTicket.cache isInitiator true KeyTab is /opt/novell/java/jre/lib/security/nidpkey.keytab refreshKrb5Config is false principal is HTTP/idpa.lab.nam.org@LAB.NAM.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Acquire TGT from Cache
Principal is HTTP/idpa.lab.nam.org@LAB.NAM.ORG
null credentials from Ticket Cache
Key for the principal HTTP/idpa.lab.nam.org@LAB.NAM.ORG not available in /opt/novell/java/jre/lib/security/nidpkey.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
<amLogEntry> 2015-06-26T09:47:56Z SEVERE NIDS Application: AM#100104105: AMDEVICEID#1920980D6E0A746C: Could not initialize Kerberos/GSS No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!) </amLogEntry>
Resolution
- disable the AD account setting "Use Kerberos DES encryption types for this account"
- enable the AD account setting "This account supports Kerberos AES 128"
- create a new keytab file with "ktpass" using the /crypto all option, so that the keytab includes all possible key types
- Note: if you want to create an AES256-SHA1 key using the ktpass option /crypto "AES256-SHA1", you need to install the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8" from Oracle. For further installation instructions review the readme of the JCE package. In addition, enable the "This account supports Kerberos AES 256" AD account setting for the NIDP server.
Cause
- JDK 8 (novell-jdk-1.8.0_X) has been installed
- the DES encryption types des-cbc-crc and des-cbc-md5 are disabled by default in JDK 8, so a keytab that only contains DES keys provides no key the JDK can use
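The failure described above comes down to which key types the keytab actually carries. The following Python example is added here and is not part of the original TID: it parses the MIT keytab format (version 0x0502) that ktpass writes and the JDK reads, lists each entry's principal, kvno and enctype, and reports which of them a default JDK 8 will use. The two sample keytabs (principal taken from the log above, all-zero dummy keys) are constructed inside the block so it runs offline.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757). A default JDK 8 enables only the
# second set: DES needs allow_weak_crypto=true, AES-256 needs the unlimited JCE files.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
JDK8_DEFAULT_ENCTYPES = {16, 17, 18, 23}
def _cos(s):                      # counted octet string: uint16 length + bytes
    return struct.pack(">H", len(s)) + s
def _read_cos(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def build_keytab(principal, kvno, enctypes):
    """Constructed sample keytab (MIT format 0x0502) with dummy all-zero 16-byte keys."""
    name, realm = principal.split("@")
    head = struct.pack(">H", name.count("/") + 1) + _cos(realm.encode())
    head += b"".join(_cos(c.encode()) for c in name.split("/"))
    # per entry: name_type=1 (principal), timestamp, 8-bit kvno, enctype, key
    entries = [head + struct.pack(">IIBH", 1, 0, kvno, et) + _cos(bytes(16)) for et in enctypes]
    return b"\x05\x02" + b"".join(struct.pack(">i", len(e)) + e for e in entries)
def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for every live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # negative size = deleted slot
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, pos)
            realm, pos = _read_cos(data, pos + 2)
            comps = []
            for _ in range(ncomp):
                comp, pos = _read_cos(data, pos)
                comps.append(comp.decode())
            _name_type, _stamp, kvno, enctype = struct.unpack_from(">IIBH", data, pos)
            _key, pos = _read_cos(data, pos + 11)
            if end - pos >= 4:    # optional 32-bit kvno overrides the 8-bit field
                kvno = struct.unpack_from(">I", data, pos)[0] or kvno
            entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return entries
def jdk8_usable_enctypes(data):
    """Names of the keytab's enctypes that a default JDK 8 will actually use."""
    return sorted(ENCTYPE_NAMES.get(e, str(e)) for _, _, e in parse_keytab(data)
                  if e in JDK8_DEFAULT_ENCTYPES)

DES_ONLY = build_keytab("HTTP/idpa.lab.nam.org@LAB.NAM.ORG", 3, [1, 3])   # the failing case
ALL_TYPES = build_keytab("HTTP/idpa.lab.nam.org@LAB.NAM.ORG", 3, [1, 3, 23, 17, 18])  # /crypto all
```

Running `jdk8_usable_enctypes` on a real nidpkey.keytab (read in binary mode) shows immediately whether the "Key for the principal ... not available" error is expected: an empty list means the keytab holds only key types the JDK has disabled.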
Additional Information
- If the installed JDK does not support any of the key types included in the installed nidpkey.keytab file, a LAN trace taken between the NIDP server and the Kerberos server will not show any krb5 traffic (UDP/TCP port 88), because the login module fails locally before any request is sent to the KDC
- In order to enable Kerberos debug log entries in "/var/opt/novell/nam/logs/idp/tomcat/catalina.out", add the following Java option: JAVA_OPTS="${JAVA_OPTS} -Dsun.security.krb5.debug=true"