[jcifs] kerberos debug tool

Michael B Allen miallen at ioplex.com
Wed Apr 9 15:35:46 GMT 2008


On Wed, 9 Apr 2008 09:17:11 +0200
"Rohnny Moland" <rmoland at gmail.com> wrote:

> Hi,
> 
> Are any of you aware of a tool for debugging kerberos in internet
> explorer? Or a howto on how to set up kerberos in firefox 2. Kerberos
> seems to work fine between my linux box (kerberos "client" where I run
> my j2ee application) and windows 2003 server running active directory
> service. I can run both kinit HTTP/sam08-linux.TESTDOMAIN and kinit -k
> -t /usr/local/kerberos/ldap_jaas.keytab HTTP/sam08-linux.testdomain
> from my linux box.
> 
> What I have done in IE 6 is:
> - enabled integrated windows authentication in the advanced tab
> - enabled automatic login in intranet zone
> - added the website of my linux box as a local intranet site
> 
> I have also set 3 system properties in java for my app server:
> -Djava.security.krb5.conf=/etc/krb5.conf
> -Djava.security.krb5.kdc=10.10.10.22
> -Djava.security.krb5.realm=TESTDOMAIN
> 
> But I am totally lost how I can debug this. After trying to switch
> from ntlm authentication to kerberos, my internet explorer pops up a
> dialog box asking me to enter username/password. I assume this must be
> because it cannot get the kerberos ticket somehow.

If you can't get the service ticket then the problem is with the service
account (e.g. the SPN is not set or is wrong).

Go to the URL in my sig and get the "Plexcel Operator's Manual" and
look at the GSS_S_BAD_MECH error in the "Possible Issues" section. In
particular the wfetch.exe program can tell you if the problem is on the
client or server side.

Note: Plexcel is in no way related to JCIFS and currently does not
support Java. But of course the wire protocol and service account setup
are largely the same so much of the trouble-shooting is the same.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
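
Added example, not part of the original message and not JCIFS or Plexcel code: one way to see from the server side whether the browser sent a Kerberos ticket or fell back to NTLM is to decode the token in the `Authorization: Negotiate` request header. The function names and both sample header values are constructed for illustration.

```python
import base64

# DER content bytes of the mechanism OIDs seen in browser Negotiate tokens.
MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO",
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",
    bytes.fromhex("2a864882f712010202"): "Kerberos 5 (legacy Microsoft OID)",
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",
}

def read_tlv(buf, pos=0, expect=None):
    """Return (tag, value, next_pos) for the DER element at buf[pos]; check tag if given."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) or expect not in (None, tag):
        raise ValueError("truncated or unexpected DER element")
    return tag, buf[pos:pos + length], pos + length

def offered_mechs(body):
    """mechTypes of a NegTokenInit: [0] { SEQUENCE { [0] { SEQUENCE OF OID } } }."""
    for expected in (0xA0, 0x30, 0xA0, 0x30):
        _, body, _ = read_tlv(body, expect=expected)
    mechs, pos = [], 0
    while pos < len(body):
        _, oid, pos = read_tlv(body, pos, expect=0x06)
        mechs.append(MECHS.get(oid, oid.hex()))
    return mechs

def classify(header_value):
    """Return (wire_format, detail) for an Authorization header value."""
    try:
        token = base64.b64decode(header_value.strip().partition(" ")[2], validate=True)
        if token.startswith(b"NTLMSSP\x00"):  # NTLM sent bare: client fell back to NTLM
            return "raw NTLM", [f"type {int.from_bytes(token[8:12], 'little')}"]
        _, body, _ = read_tlv(token, expect=0x60)  # GSS-API InitialContextToken
        _, oid, pos = read_tlv(body, expect=0x06)  # thisMech OID
        mech = MECHS.get(oid, oid.hex())
        return mech, offered_mechs(body[pos:]) if mech == "SPNEGO" else []
    except (ValueError, IndexError):
        return "unrecognised", []

# Constructed sample header values (not captured traffic).
SAMPLE_NTLM = "Negotiate TlRMTVNTUAABAAAA"
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(bytes.fromhex(
    "603206062b0601050502a0283026a024302206092a864882f712010202"
    "06092a864886f712010202060a2b06010401823702020a")).decode()
```

A `raw NTLM` result means the browser did not send a Kerberos ticket, which is the case the reply above attributes to the service account or SPN.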

