Tagged: Authentication, kerberos, Modules
This topic has 2 replies, 2 voices, and was last updated 7 months, 2 weeks ago by Jatinder Singh.
October 14, 2021 at 8:07 pm #28719
rohipati
Participant
Hello
I have configured Kerberos Authentication Module with AWS Aurora Kerberos Details.
Below are the errors from Logs.
I have followed this doc – https://backstage.forgerock.com/knowledge/kb/article/a62965844 but couldn't resolve after following the solutions.
>>> KeyTabInputStream, readName(): XYZ.COM
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): danvledwse01.xyz.com
>>> KeyTab: load() entry length: 88; type: 18
Looking for keys for: HTTP/[email protected]
Java config name: null
Native config name: /etc/krb5.conf
Loaded from native config
Added key: 18version: 0
>>> KdcAccessibility: reset
Looking for keys for: HTTP/[email protected]
Added key: 18version: 0
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=xyz.com UDP:88, timeout=30000, number of retries =3, #bytes=172
>>> KDCCommunication: kdc=xyz.com UDP:88, timeout=30000,Attempt =1, #bytes=172
>>> KrbKdcReq send: #bytes read=190
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = XYZ.COMHTTPdanvledwse01.xyz.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
>>> KdcAccessibility: remove xyz.com
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
sTime is Thu Oct 14 17:56:04 UTC 2021 1634234164000
suSec is 659797
error code is 25
error Message is Additional pre-authentication required
sname is krbtgt/[email protected]
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 18, salt = XYZ.COMHTTPdanvledwse01.xyz.com, s2kparams = null
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
KrbAsReqBuilder: PREAUTH FAILED/REQ, re-send AS-REQ
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
Looking for keys for: HTTP/[email protected]
Added key: 18version: 0
Looking for keys for: HTTP/[email protected]
Added key: 18version: 0
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=xyz.com UDP:88, timeout=30000, number of retries =3, #bytes=260
>>> KDCCommunication: kdc=xyz.com UDP:88, timeout=30000,Attempt =1, #bytes=260
>>> KrbKdcReq send: #bytes read=90
>>> KrbKdcReq send: kdc=xyz.com TCP:88, timeout=30000, number of retries =3, #bytes=260
>>> KDCCommunication: kdc=xyz.com TCP:88, timeout=30000,Attempt =1, #bytes=260
>>>DEBUG: TCPClient reading 1615 bytes
>>> KrbKdcReq send: #bytes read=1615
>>> KdcAccessibility: remove xyz.com
Looking for keys for: HTTP/[email protected]
Added key: 18version: 0
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply HTTP/danvledwse01.xyz.com
October 14, 2021 at 8:27 pm #28721
Jatinder Singh
Participant
Could you please share AM’s debug logs on this transaction?
October 14, 2021 at 8:34 pm #28722
Jatinder Singh
Participant
And I would also suggest checking the connection as discussed at the bottom of this article:
https://backstage.forgerock.com/knowledge/kb/article/a14556843