Latest reply: May 27, 2011 4:15 AM by huber

    Client not found in kerberos database

    huber
      Hello,

      I followed this blog http://www.bea-weblogic.com/weblogic-server-support-pattern-kerberos-and-spnego-configuration-issues.html "WebLogic Server Support Pattern: Kerberos and SPNEGO Configuration Issues" to configure Kerberos.

      1. The name of the security provider I created is TESTREALM

      2. I did create a krb5.ini file and copied it to all my domains
      [libdefaults]
      default_realm = TESTREALM
      default_tkt_enctypes = des-cbc-crc
      default_tgs_enctypes = des-cbc-crc
      ticket_lifetime = 600
      
      [realms]
      TESTREALM ={
      kdc = 192.168.20.1
      admin_server = 192.168.20.1
      default_domain = TESTREALM
      }
      
      [domain_realm]
      .mytestdomain.com = TESTREALM
      
      [appdefaults]
      autologin = true
      forward = true
      forwardable = true
      encrypt = true
      3. I created a principal user in AD (ADUSER@testrealm.de)
          -Launch Programs/Administrative Tools/Active Directory Users and Computers tool.
          -Right click on the Users node and select New/User (Do not select Machine).
          -Type in the user name in the “Full Name” field and in the “Logon Name” field.
          -Click Next and enter a password (and of course, memorize it).
          -Verify that none of the password options are checked and Click Next.
          -Click Finish.
      
          -Locate your newly created user in the Users tree in the left hand pane.
          -Right-click on the user node and select Properties.
          -Click on the “Account” tab.
          -Check the box: “Use DES encryption types for this account.”
          -Ensure no other box is checked, specifically: “Do not require Kerberos pre-authentication.”
          -Click OK.
      4. Create an SPN for the HTTP service for the WebLogic Server account
      The setspn command-line tool allows you to read, modify and delete the Service Principal Names (SPN) directory property for an Active Directory service account.
          setspn -A HTTP/ADUSER.mytestdomain.com ADUSER
          Registering ServicePrincipalNames for CN=ADUSER,CN=Users,DC=mydom,DC=com
          HTTP/ADUSER.mytestdomain.com
          Updated object
      5. Now I try to access the user with kinit
         kinit HTTP/ADUSER.mytestdomain.com@TESTREALM
      The kinit call throws the following exception:
      Exception: krb_error 6 Client not found in Kerberos database (6)
      then the principal does not exist at all.
      Can someone give me a hint as to what the problem might be?

      Thank You
      Tobias
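A configuration-consistency check for the kind of setup described in the post, added here as an example (it is not code from the post or from the linked blog): it parses a krb5.ini modelled on the one shown and reports, for a given principal, a realm that has no [realms] entry, a [domain_realm] mapping that points to a different realm, and single-DES enctypes (deprecated for Kerberos by RFC 6649). The sample file and the function names are assumptions.

```python
SAMPLE_KRB5_INI = """[libdefaults]
default_realm = TESTREALM
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[realms]
TESTREALM ={
kdc = 192.168.20.1
}
[domain_realm]
.mytestdomain.com = TESTREALM
"""  # constructed sample, modelled on the krb5.ini in the post above (not the poster's own file)
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # single DES, deprecated by RFC 6649

def parse_krb5(text):
    """Parse krb5.ini text into {section: {key: value}}; "REALM = { ... }" blocks become nested dicts."""
    conf, section, block = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):   # section header
            section, block = line[1:-1].lower(), None
            conf.setdefault(section, {})
        elif line == "}":                                  # end of a realm block
            block = None
        elif section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":                               # start of a realm block
                block = conf[section].setdefault(key, {})
            elif block is not None:
                block[key] = value
            else:
                conf[section][key] = value
    return conf

def check_principal(conf, principal):
    """Return findings for using `principal` with this config; an empty list means clean."""
    findings, lib = [], conf.get("libdefaults", {})
    name, _, realm = principal.partition("@")
    realm = realm or lib.get("default_realm", "")
    if realm not in conf.get("realms", {}):
        findings.append(f"realm {realm!r} has no [realms] entry, so no KDC can be contacted")
    if "/" in name:                                        # service principal: host should map to the same realm
        host = name.split("/", 1)[1].lower()
        for dom, mapped in conf.get("domain_realm", {}).items():
            d = dom.lower()
            if (host == d or (d.startswith(".") and host.endswith(d))) and mapped != realm:
                findings.append(f"[domain_realm] maps {host!r} to {mapped!r}, not {realm!r}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        findings += [f"{key} allows weak enctype {e}"
                     for e in lib.get(key, "").split() if e.lower() in WEAK_ENCTYPES]
    return findings
```

Run `check_principal(parse_krb5(SAMPLE_KRB5_INI), "HTTP/ADUSER.mytestdomain.com@TESTREALM")` to see the findings for the sample; a principal whose realm has no [realms] entry adds a finding for that too.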