We set up VSJ as per the Deployment Guide and tried to test it using Simple, but it failed with the error message:
run_sanityCheck:
[echo] Running VSJ Sanity Check. This may take a few minutes ...
[java] 2008-01-23 11:12:16,989 [DEBUG] VSJ Standard Edition 3.2 RC3
[java] Initial Parameters -
[java] kdc:-- no value assigned --
[java] realm:xxxxxxxx
[java] princ:HOST/xxxxxxxxx
[java] site:-- no value assigned --
[java] keytab:-- no value assigned --
[java] ccache:-- no value assigned --
[java] allowUnsecured:true
[java] allowFallback:false
[java] fallbackCrossRealm:false
[java] allowNTLM:false
[java] ntlm.signing.domain : -- no value assigned --
[java] ntlm.signing.username: -- no value assigned --
[java] ntlm.signing.password: -- no value assigned --
[java] ntlm.signing.always : false
[java] userHandledExcept:false
[java] policy: -- no value assigned --
[java] groupsAsRoles: false
[java] supportMultipleSPN: false
[java] disableTicketSanityCheck: false
[java] trimUnsolicitedBasic: false
[java] trimUnsolicitedNTLM: false
[java] trimUnsolicitedSPNEGO: false
[java] userPrincipalAttribute: -- no value assigned --
[java] qualifyUserPrincipal: false
[java] userPrincipalFormatterClass: -- no value assigned --
[java] directoryFactory: -- no value assigned --
[java] password: set from idm.password
[java] 2008-01-23 11:12:16,989 [DEBUG] SecurityProviders -
[java] SUN version 1.5
[java] SunRsaSign version 1.5
[java] SunJSSE version 1.5
[java] SunJCE version 1.5
[java] SunJGSS version 1.0
[java] SunSASL version 1.5
[java] 2008-01-23 11:12:17,442 [ERROR] VSJ credentials (principal, realm, keytab/password) are invalid
[java] com.wedgetail.idm.sso.ConfigException: Could not validate VSJ password [caused by: com.dstc.security.kerberos.Kerber
At present the VSJ service account has just one SPN mapping, created by running ktpass, namely HTTP/xxxxx.com. You now need to add extra SPN mappings so that you end up with one mapping for every combination of { FQDN, short name } * { canonical name, alias(es...) }.
To add those SPN mappings, do NOT use ktpass.exe; use setspn.exe instead. If the VSJ service account is "vsjuser", the commands to run are:
example:
setspn -A HTTP/abc.def.com vsjuser
setspn -A HTTP/abc vsjuser
(If setspn does not accept the bare account name "vsjuser", use vsjuser@DEF.COM or DEF\vsjuser.)
After you do this, running "setspn -L vsjuser" should list all four mappings. Before you do this, "setspn -L vsjuser" should show just the one mapping for HTTP/abc.def.com that ktpass created.
Note that, while ktpass.exe requires the SPN to include the realm ("@DEF.COM"), e.g. "ktpass -princ HTTP/abc.def.com@DEF.COM -mapuser vsjuser", setspn.exe requires the SPN to _not_ include the realm, e.g. "setspn -A HTTP/abc.def.com".
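The following is an added example, not code from One Identity or the VSJ product: it builds the { FQDN, short name } * { canonical name, alias(es) } SPN set for a service account, compares it against the output of "setspn -L", strips any "@REALM" suffix that ktpass-style names carry, and prints the setspn -A commands for whatever is still missing. The host names (abc.def.com / abc and an alias sso.def.com / sso), the account name vsjuser and the sample setspn output are assumptions constructed for the example.

```python
"""Check which HTTP/<name> SPNs a VSJ service account still needs (added example)."""
import subprocess

SERVICE_CLASS = "HTTP"

# Constructed sample of `setspn -L vsjuser` output: only the ktpass-created mapping.
SAMPLE_SETSPN_L = """Registered ServicePrincipalNames for CN=vsjuser,CN=Users,DC=def,DC=com:
        HTTP/abc.def.com
"""

# Assumed host names: (FQDN, short name) for the canonical name and each alias.
NAMES = [("abc.def.com", "abc"), ("sso.def.com", "sso")]


def expected_spns(names):
    """Every combination of { FQDN, short name } for the canonical name and aliases."""
    return {f"{SERVICE_CLASS}/{host}" for fqdn, short in names for host in (fqdn, short)}


def normalize(spn):
    """setspn wants the SPN without the @REALM suffix that ktpass requires."""
    return spn.split("@", 1)[0]


def registered_spns(setspn_output):
    """Parse `setspn -L <account>`: SPNs are the indented lines under the header."""
    return {line.strip() for line in setspn_output.splitlines()
            if line.startswith((" ", "\t")) and "/" in line}


def missing_spns(setspn_output, names):
    """Expected SPNs not yet registered; AD treats SPNs case-insensitively."""
    have = {normalize(s).lower() for s in registered_spns(setspn_output)}
    return [s for s in sorted(expected_spns(names)) if s.lower() not in have]


def setspn_commands(account, spns):
    """The setspn -A commands to run, with any realm suffix stripped."""
    return [f"setspn -A {normalize(spn)} {account}" for spn in spns]


def check_live(account, names):
    """Run setspn -L on a domain-joined Windows host and report missing SPNs."""
    out = subprocess.run(["setspn", "-L", account], capture_output=True, text=True).stdout
    return setspn_commands(account, missing_spns(out, names))


if __name__ == "__main__":
    for cmd in setspn_commands("vsjuser", missing_spns(SAMPLE_SETSPN_L, NAMES)):
        print(cmd)
```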