[Freeipa-users] Kerberos authentication from a third party app - Shibboleth

Simo Sorce simo at redhat.com
Wed Mar 2 18:50:54 UTC 2016



On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
> Thanks. But my problem is not OTP per se but Kerberos through Java.
> Specifically I'm getting the below error.
> 
> javax.security.auth.login.LoginException: Pre-authentication information
> was invalid (24) - PREAUTH_FAILED
> at
> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
> Caused by: sun.security.krb5.KrbException: Pre-authentication information
> was invalid (24) - PREAUTH_FAILED
> at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
> Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match
> expected value (906)
> at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
> 
> Any pointers ?

Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features
and APIs (years behind). In this case what happens is that your Java
module probably does not support FAST preauth.

> On 1 March 2016 at 21:01, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> 
> > On Tue, 01 Mar 2016, Prashant Bapat wrote:
> >
> >> Hi,
> >>
> >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
> >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
> >>
> >> I've installed ipa-client on a server and connected it to ipa. Shibboleth
> >> is installed on this server and I'm able to get the Kerberos
> >> authentication working. Documented here
> >> <https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration>.
> >>
> >> However if I bring OTP into picture, authentication fails. Error message
> >> is like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
> >>
> >> Any pointers on how to make OTP work?
> >>
> > http://www.freeipa.org/page/V4/OTP
> > http://www.freeipa.org/page/V4/OTP/Detail
> >
> > --
> > / Alexander Bokovoy
> >


-- 
Simo Sorce * Red Hat, Inc * New York
