[Freeipa-users] Kerberos authentication from a third party app - Shibboleth

Prashant Bapat prashant at apigee.com
Thu Mar 3 09:10:48 UTC 2016


Thanks.

Let me figure out possible alternatives.

On 3 March 2016 at 00:20, Simo Sorce <simo at redhat.com> wrote:

>
>
> On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
> > Thanks. But my problem is not OTP per se but Kerberos thru Java.
> > Specifically I'm getting the below error.
> >
> > javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
> >   at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
> > Caused by: sun.security.krb5.KrbException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
> >   at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
> > Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
> >   at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
> >
> > Any pointers ?
>
> Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features
> and APIs (years behind). In this case what happens is that your Java
> module probably does not support FAST preauth.
>
> > On 1 March 2016 at 21:01, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> >
> > > On Tue, 01 Mar 2016, Prashant Bapat wrote:
> > >
> > >> Hi,
> > >>
> > >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
> > >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
> > >>
> > >> I've installed ipa-client on a server and connected it to ipa. Shibboleth
> > >> is installed on this server and I'm able to get the Kerberos authentication
> > >> working. Documented here
> > >> <https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration>.
> > >>
> > >> However if I bring OTP into picture, authentication fails. Error message is
> > >> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
> > >>
> > >> Any pointers on how to make OTP work?
> > >>
> > > http://www.freeipa.org/page/V4/OTP
> > > http://www.freeipa.org/page/V4/OTP/Detail
> > >
> > > --
> > > / Alexander Bokovoy
> > >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
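
One way to check the FAST diagnosis given in this thread from the KDC side, as an added example (not code from the thread, from Shibboleth or from FreeIPA): decode the pre-authentication types in a DER METHOD-DATA blob, such as the e-data of a KDC's PREAUTH_REQUIRED error, and list which of them a client without FAST could answer. The sample blobs, the function names and the assumed client mechanism set (encrypted timestamp only) are constructed for illustration.

```python
PA_NAMES = {2: "PA-ENC-TIMESTAMP", 133: "PA-FX-COOKIE", 136: "PA-FX-FAST",
            138: "PA-ENCRYPTED-CHALLENGE", 141: "PA-OTP-CHALLENGE"}
NEEDS_FAST = {136, 138, 141}  # RFC 6113 / RFC 6560: only usable under FAST

# Constructed METHOD-DATA samples (hand-built DER, not captured from a KDC).
_FAST = "300aa10402020088a2020400"            # type 136, empty value
_COOKIE = "300da10402020085a20504034d4954"    # type 133, value b"MIT"
_ENC_TS = "3009a103020102a2020400"            # type 2, empty value
OTP_USER = bytes.fromhex("301b" + _FAST + _COOKIE)
PASSWORD_USER = bytes.fromhex("3026" + _FAST + _ENC_TS + _COOKIE)


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def padata_types(method_data):
    """padata-type integers in a DER METHOD-DATA (SEQUENCE OF PA-DATA)."""
    tag, body, _ = read_tlv(method_data, 0)
    if tag != 0x30:
        raise ValueError("METHOD-DATA is not a SEQUENCE")
    types, pos = [], 0
    while pos < len(body):
        _, pa_data, pos = read_tlv(body, pos)  # one PA-DATA SEQUENCE
        tag, field, _ = read_tlv(pa_data, 0)   # [1] padata-type
        if tag != 0xA1:
            raise ValueError("expected [1] padata-type")
        _, number, _ = read_tlv(field, 0)      # INTEGER
        types.append(int.from_bytes(number, "big", signed=True))
    return types


def answerable_without_fast(types, client_mechs=frozenset({2})):
    """Offered types a non-FAST client can answer (client_mechs is assumed)."""
    return [t for t in types if t in client_mechs and t not in NEEDS_FAST]


if __name__ == "__main__":
    for label, blob in (("otp", OTP_USER), ("password", PASSWORD_USER)):
        print(label, [PA_NAMES.get(t, t) for t in padata_types(blob)],
              answerable_without_fast(padata_types(blob)))
```

An empty result for a principal means the KDC offered nothing the client can answer without FAST armor, which matches the failure described above.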