Environment
Novell Access Manager 3.1 Service Pack 3
Novell Access Manager 3.1 Linux Novell Identity Server
Situation
- Configured Kerberos authentication does not work against a Microsoft Windows 2008 R2 server
- During the Kerberos class initialization, catalina.out reports:
----------------------------------------------------------------
"[Krb5LoginModule] added Krb5Principal HTTP/idp.ema.corp@EMA.LOCAL to Subject
Commit Succeeded "
----------------------------------------------------------------
- Requesting a Kerberos user authentication then returns:
----------------------------------------------------------------
Error processing SPNEGO/Kerberos : Received NTLM Token which currently is Not supported
----------------------------------------------------------------
Resolution
The group policy on the Windows 2008 R2 server must allow additional Kerberos encryption types; otherwise the client falls back to sending an NTLM token, which the Identity Server rejects.
- run the group policy editor "gpedit.msc" and select "Network security: Configure encryption types allowed for Kerberos"
- select "DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1"
Additional Information
Taking a LAN trace between the NIDP server and the Windows 2008 R2 server shows which ciphers can be used: they are listed in the "Encryption type:" fields of the "KDC_REQ_BODY" inside the "Kerberos AS-REQ".
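As an added diagnostic helper (not part of this TID or of the Novell product), the Python below classifies the token carried in a browser's "Authorization: Negotiate" header, so an administrator can confirm from a captured request whether the client fell back to NTLM (the case the Identity Server logs as "Received NTLM Token") or sent a SPNEGO/Kerberos token, and translates the numeric "Encryption type:" values seen in the AS-REQ trace into the names used by the group policy setting. The sample headers are constructed, not captured from a real session; the OIDs and etype numbers are the standard GSS-API and Kerberos values.

```python
import base64

# DER-encoded OIDs that open a GSS-API InitialContextToken (RFC 2743 / RFC 4178)
SPNEGO_OID = bytes.fromhex("2b0601050502")         # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")     # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (Microsoft variant)
# Kerberos etype numbers as shown in an AS-REQ trace, with the names the GPO uses
ETYPE_NAMES = {1: "DES_CBC_CRC", 3: "DES_CBC_MD5", 17: "AES128_HMAC_SHA1",
               18: "AES256_HMAC_SHA1", 23: "RC4_HMAC_MD5"}


def _skip_der_length(buf, pos):
    """Return the offset just past the DER length field that starts at pos."""
    first = buf[pos]
    if first < 0x80:                 # short form: one byte holds the length
        return pos + 1
    return pos + 1 + (first & 0x7F)  # long form: low bits say how many bytes follow


def classify_negotiate_token(header_value):
    """Classify an 'Authorization: Negotiate <base64>' value: ntlm/spnego/kerberos/unknown."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    raw = base64.b64decode(b64)
    # A client that fell back to NTLM sends a bare NTLMSSP message under the Negotiate scheme
    if raw.startswith(b"NTLMSSP\x00"):
        return "ntlm"
    # Otherwise expect [APPLICATION 0] (0x60) <length> OBJECT IDENTIFIER (0x06) <len> <oid>
    if raw[:1] != b"\x60":
        return "unknown"
    pos = _skip_der_length(raw, 1)
    if raw[pos:pos + 1] != b"\x06":
        return "unknown"
    oid_len = raw[pos + 1]
    oid = raw[pos + 2:pos + 2 + oid_len]
    if oid == SPNEGO_OID:
        return "spnego"
    if oid in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    return "unknown"


def etype_names(etypes):
    """Translate numeric 'Encryption type:' values from a trace into GPO names."""
    return [ETYPE_NAMES.get(e, "etype %d" % e) for e in etypes]

# Constructed sample tokens (not captured from a real session)
_NTLM_TYPE1 = b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + b"\x00" * 16
_SPNEGO_BODY = b"\x06\x06" + SPNEGO_OID + b"\xa0\x03\x02\x01\x00"
_SPNEGO_TOKEN = b"\x60" + bytes([len(_SPNEGO_BODY)]) + _SPNEGO_BODY
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(_NTLM_TYPE1).decode()
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(_SPNEGO_TOKEN).decode()
```

Feed the header value from a browser trace to classify_negotiate_token and the etype list from the AS-REQ to etype_names; a result of "ntlm" matches the catalina.out error above.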