Symantec Access Management

  • 1.  Kerberos Authentication

    Broadcom Employee
    Posted Mar 14, 2017 01:29 AM

    We have configured Kerberos Authentication on SPS. Both SPS and Policy servers are in a Linux environment. We created SPNs for the webagent and policy servers.

    kinit with the SPN name prompts for a password, and with a valid password it works fine.

    However, when we protect with the Kerberos auth scheme, we get the below error.

    [03/14/2017][00:15:51][58473][9395056][134b8b45-b94ab343-86f41a84-0cfd2ab3-61946781-081][SmKcc::getCredentials][Kerberos Credential Cache login failed with service principal HTTP/scappd88.qcorpaa.aa.com@QCORPAA.AA.COM: Key table entry not found]



  • 2.  Re: Kerberos Authentication

    Posted Mar 14, 2017 01:41 AM

    Hi,

    Refer to:

    Request to Kerberos enabled webagent results in 500 error and 'Kerberos Credential Cache login failed with service' error message

    https://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.tec538839.html

     

    Regards,

    Leo Joseph.



  • 3.  Re: Kerberos Authentication

    Broadcom Employee
    Posted Mar 14, 2017 02:04 AM

    I have changed krb5.conf as below, but still get the same error.

    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log


    [libdefaults]
    ticket_lifetime = 24000
    default_realm=qcorpaa.aa.com
    default_tgs_enctypes =rc4-hmac des-cbc-md5
    default_tkt_enctypes =rc4-hmac des-cbc-md5
    default_keytab_name = FILE:/etc/krb5.keytab
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true
    proxiable = true
    udp_preference_limit = 1

    [realms]
    QCORPAA.AA.COM = {
    kdc = dc2.qcorpaa.aa.com:88
    admin_server = dc2.qcorpaa.aa.com:764
    default_domain = qcorpaa.aa.com
    }

    [domain_realm]
    .qcorpaa.aa.com=QCORPAA.AA.COM
    qcorpaa.aa.com=QCORPAA.AA.COM

    [03/14/2017][01:01:48][61044][34556784][22872091-2f901773-7c7eea98-b1db956a-aa79d87e-e8][CSmCredentialManager::GatherAdvancedAuthCredentials][Calling SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials.]
    [03/14/2017][01:01:48][61044][34556784][22872091-2f901773-7c7eea98-b1db956a-aa79d87e-e8][SmKcc::getCredentials][Kerberos Credential Cache login failed with service principal HTTP/scappd88.qcorpaa.aa.com@QCORPAA.AA.COM: Key table entry not found]
    [03/14/2017][01:01:48][61044][34556784][22872091-2f901773-7c7eea98-b1db956a-aa79d87e-e8][CSmCredentialManager::GatherAdvancedAuthCredentials][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmFailure.]
    [03/14/2017][01:01:48][61044][34556784][22872091-2f901773-7c7eea98-b1db956a-aa79d87e-e8][ProcessAdvancedAuthentication][CredentialManager returned SmFailure, end new request.]
    [03/14/2017][01:01:48][61044][34556784][][ReportHealthData][Accumulating HealthMonitorCtxt.]
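
A check for the "Key table entry not found" failure in the log above, added here as an example (not part of any poster's message or of the product): it pulls the failing service principal out of the agent log and compares it, exactly and then ignoring case, with the entries of plain `klist -k` output for the keytab. The function names and the sample `klist -k` listing are constructed for illustration; MIT Kerberos matches keytab principals case-sensitively, so a case-only difference still fails.

```python
import re

# Failure line shape as it appears in the agent log quoted in the thread.
LOG_RE = re.compile(
    r"\[SmKcc::getCredentials\]\[Kerberos Credential Cache login failed "
    r"with service principal (?P<principal>\S+): (?P<reason>[^\]]+)\]"
)
# Entry line of plain `klist -k <keytab>` output: "<kvno> <principal>".
KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)")

def failed_principals(log_text):
    """Map each principal named in an SmKcc failure line to its reason."""
    return {m["principal"]: m["reason"].strip() for m in LOG_RE.finditer(log_text)}

def keytab_principals(klist_output):
    """Map each principal in `klist -k` output to its set of key versions."""
    entries = {}
    for line in klist_output.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries

def diagnose(log_text, klist_output):
    """Say, per failing principal, whether the keytab holds an exact match."""
    keytab = keytab_principals(klist_output)
    folded = {name.lower(): name for name in keytab}
    result = {}
    for principal in failed_principals(log_text):
        if principal in keytab:
            result[principal] = "present, kvno %s" % sorted(keytab[principal])
        elif principal.lower() in folded:
            result[principal] = "case mismatch: keytab has " + folded[principal.lower()]
        else:
            result[principal] = "missing"
    return result

# Log line copied from the thread; the klist listing is constructed sample data.
SAMPLE_LOG = "[03/14/2017][00:15:51][58473][9395056][134b8b45-b94ab343-86f41a84-0cfd2ab3-61946781-081][SmKcc::getCredentials][Kerberos Credential Cache login failed with service principal HTTP/scappd88.qcorpaa.aa.com@QCORPAA.AA.COM: Key table entry not found]"
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 HTTP/SCAPPD88.qcorpaa.aa.com@QCORPAA.AA.COM
   3 host/scappd88.qcorpaa.aa.com@QCORPAA.AA.COM
"""

if __name__ == "__main__":
    for name, verdict in diagnose(SAMPLE_LOG, SAMPLE_KLIST).items():
        print(name, "->", verdict)
```

A "present" verdict with the error still occurring points at the key version or encryption type of the entry rather than its name.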



  • 4.  Re: Kerberos Authentication

    Posted Mar 14, 2017 06:42 AM

    Please refer to the link below.

    How to setup SiteMinder Kerberos Authentication - Part 1

    Thanks,

    Sharan



  • 5.  Re: Kerberos Authentication

    Posted Mar 14, 2017 06:44 AM

    Also refer to Kerberos Authentication with CA SSO Using Linux Policy Server
    https://communities.ca.com/docs/DOC-231172118

    Thanks,

    Sharan