Hi, Im trying to test kerberos authentication with 2003 AD and MWG 7.1.0, after creating the keytab I try to upload to MWG and nothing happens . I don´t know if the syntax is correct or its a bug , I search for the keytabs via shell prompt but no way, appears that never was imported the file.
sorry my english friends.please I need some light with this issue.
my check list is
Create a DNS record for MWG
Create a user account for the service
time and date between MWG and KDC sync ok
Internet explorer settings ok
ktpass syntax ktpass -princ HTTP/mymwg.mydomain.loc@MYDOMAIN.LOC -mapuser mwg71 -pass mypass -crypto DES-CBC-CRC -ptype KRB5_NT_PRINCIPAL
by the way I have EWS 5.5 and EWS 5.6 working like a charm with kerberos.
Here is my checklist, maybe it contains a step and some info that helps you.
Every user (client) must exist in the AD /kerberos database
When creating the user account, use the simple name of the computer. For example, if the host is named myProxy.example.com, create a user in Active Directory called myProxy. Note the password you defined when creating the user account. You will need it in step 3. Do not select the User must change password at next logon option, or any other password options.
MichaelMessage was edited by: michael_schneider on 18/05/2011 13:01:04 CEST
well Michael I follow the additional steps (vey usefull thanks you!) but now I ve got the following error when tying to authenticate and seems the keytab was not uploaded to appliance cos I can not find anywhere...
[Auth] [KerberosAuthentication] SPNEGOExtractNegotiateToken SPNEGO error : SPNEGOExtractNegotiateToken() failed
Hello Herman and Michael,
I'm having the same error message (SPNEGOExtractNegotiateToken SPNEGO error : SPNEGOExtractNegotiateToken() failed) in the mwg-logfiles.
Since we proved that kerberos works fine on the linux shell (kinit -V -k -t <keytab-file.keytab> -> Authorized, ... and ... kinit -V <AD-User> -> Authorized), we assume a module using the kerberos engine is responsible for this error message.
Hints on this would be much appreciated.Nachricht geändert durch uwegoldenstein on 16.06.11 07:46:51 CDT
Some problems that can lead to those errors are:
-time on WG is not in sync with user's clock
-how you are accessing the proxy (do you have the IP set in the proxy settings? or do you have the FQDN set?) you will need to have the name specified during keytab creation, so in Herman's example it was "HTTP/mymwg.mydomain.loc@MYDOMAIN.LOC"
In this case you would need "mymwg.mydomain.loc" in the proxy settings.
The main catch that stumped me when I first attempted to use kerberos was the second bullet point. Make sure you are using the proxy as you specified when generating the keytab file.
Thanks to Jon , now I can use kerberos , in my case the problem was the time sync, I was set the time date manually in my MWG but Jon sets sync with an NTP server... ufff .... thanks again Jon !! I think that is time to someone write the appropiate KB or/and add to the product guide the step by step.
I'll work on putting something together in the coming weeks, I'll add it to the documents section of the community along with my other articles.
I put a document together based on my experiences with Kerberos.
It's quite comprehensive, please leave any comments if you notice any errors, or see room for improvment.
I apologize for my English, and to be resurrecting the post, if you need to carry elsewhere let me know.
I have problems in the implementation of the Kerberos authentication, follow the referenced document here reviewed the guidelines given here, however unsuccessfully in my implemntion.
When running the command "tail--f /opt/mwg/log/mwg errors/mwg-core.errors.log" I have this error.
[09/19/2014 17: 34: 25 929 -03: 00] [Auth] [KerberosAuthentication] 'SPNEGOExtractNegotiateToken' SPNEGO 'error:' SPNEGOExtractNegotiateToken () failed '
If someone has a detailed step by step how to deploy would be very useful.
I appreciate any help.