[Freeipa-users] Kerberos authentication from a third party app - Shibboleth

Prashant Bapat prashant at apigee.com
Thu Mar 3 09:42:20 UTC 2016


I guess I was looking at this wrongly!

Simo, you're right! Java and Kerberos won't work!

However password+OTP against LDAP server directly works! I can use that!

Thanks for your help!

On 3 March 2016 at 14:40, Prashant Bapat <prashant at apigee.com> wrote:

> Thanks.
>
> Let me figure out possible alternatives.
>
> On 3 March 2016 at 00:20, Simo Sorce <simo at redhat.com> wrote:
>
>>
>>
>> On Wed, 2016-03-02 at 16:25 +0530, Prashant Bapat wrote:
>> > Thanks. But my problem is not OTP per se but Kerberos through Java.
>> > Specifically I'm getting the error below.
>> >
>> > javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
>> > at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
>> > Caused by: sun.security.krb5.KrbException: Pre-authentication information was invalid (24) - PREAUTH_FAILED
>> > at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:82)
>> > Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906)
>> > at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
>> >
>> > Any pointers ?
>>
>> Unfortunately Java tends to lag way behind with Krb5 and GSSAPI features
>> and APIs (years behind). In this case what happens is that your Java
>> module probably does not support FAST preauth.
>>
>> > On 1 March 2016 at 21:01, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>> >
>> > > On Tue, 01 Mar 2016, Prashant Bapat wrote:
>> > >
>> > >> Hi,
>> > >>
>> > >> I'm trying to use Shibboleth IdP with FreeIPA and Kerberos Authentication.
>> > >> I'm aware of Ipsilon, just that Shibboleth is more suited for my use case.
>> > >>
>> > >> I've installed ipa-client on a server and connected it to ipa. Shibboleth
>> > >> is installed on this server and I'm able to get the Kerberos authentication
>> > >> working. Documented here
>> > >> <https://wiki.shibboleth.net/confluence/display/IDP30/KerberosAuthnConfiguration>.
>> > >>
>> > >> However if I bring OTP into picture, authentication fails. Error message is
>> > >> like "Pre-authentication information was invalid (24) - PREAUTH_FAILED".
>> > >>
>> > >> Any pointers on how to make OTP work?
>> > >>
>> > > http://www.freeipa.org/page/V4/OTP
>> > > http://www.freeipa.org/page/V4/OTP/Detail
>> > >
>> > > --
>> > > / Alexander Bokovoy
>> > >
>>
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>
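
The workaround the thread ends on, a password+OTP bind made directly against the LDAP server, sketched in Java as an added example; it is not code from any poster in the thread or from the Shibboleth or FreeIPA projects. Assumptions: the host name and suffix are placeholders, users sit under the FreeIPA default `cn=users,cn=accounts` container, the credential is the password immediately followed by the token code, and token codes are 6 to 8 digits.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.ldap.Rdn;

public class IpaOtpBind {
    // Placeholders (assumptions): replace with your own IPA server and suffix.
    static final String URL = "ldaps://ipa.example.test:636";
    static final String USER_BASE = "cn=users,cn=accounts,dc=example,dc=test";

    // Rdn.escapeValue stops a login such as "alice,cn=admin" from changing the DN structure.
    static String userDn(String login) {
        return "uid=" + Rdn.escapeValue(login) + "," + USER_BASE;
    }

    static boolean authenticate(String login, String password, String otp) throws NamingException {
        // An empty credential turns a simple bind into an unauthenticated bind, which
        // many servers report as success; reject it before anything is sent.
        if (login == null || login.isEmpty() || password == null || password.isEmpty()
                || otp == null || !otp.matches("\\d{6,8}")) {    // assumed token code length
            return false;
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);                      // ldaps:// keeps the secret off the wire in clear
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn(login));
        env.put(Context.SECURITY_CREDENTIALS, password + otp);   // assumed format: password, then token code
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");
        env.put("com.sun.jndi.ldap.read.timeout", "5000");
        try {
            new InitialDirContext(env).close();                  // the bind happens in the constructor
            return true;
        } catch (AuthenticationException e) {
            return false;                                        // server rejected the credentials
        }
    }

    public static void main(String[] args) throws NamingException {
        java.io.Console c = System.console();                    // read secrets without echo or argv exposure
        if (args.length != 1 || c == null) { System.err.println("usage: IpaOtpBind <login>"); return; }
        String pw = new String(c.readPassword("Password: "));
        String otp = new String(c.readPassword("Token code: "));
        System.out.println(authenticate(args[0], pw, otp) ? "accepted" : "rejected");
    }
}
```

The JVM must trust the CA that issued the LDAP server's certificate, otherwise the TLS handshake fails before the bind is attempted.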