Topic
IC4NOTICE: developerWorks Community will be offline May 29-30, 2015 while we upgrade to the latest version of IBM Connections. For more information, read our upgrade FAQ.
5 replies Latest Post - ‏2014-12-29T22:19:57Z by RanjithKoppu
SystemAdmin
SystemAdmin
9855 Posts
ACCEPTED ANSWER

Pinned topic WebSEAL, SPNEGO and keytab problem

‏2010-01-04T11:46:12Z |
The problem is that after I’ve configured SPNEGO/Kerberos and try to start WebSEAL I receive following error:

HPDST0130E The security service function gss_acquire_cred returned the error 'No principal in keytab matches desired name'
...
DPWWA2410E Initialization of Kerberos authentication for server principal 'HTTP@idptesti.xyz.fi' failed.

My webseald.conf looks as follows:
spnego-krb-service-name = HTTP@idptesti.xyz.fi
spnego-krb-keytab-file = /var/pdweb/keytab-palvelin/palvelin _HTTP.keytab

I already ran kinit with a keytab without any problem. What am I doing wrong here? Could it have something to do with domains/hosts? My AD domain is ABC.ROOT and the host name of the WebSEAL is 'palvelin'. The name idptesti.xyz.fi is used as point-of-contact for TFIM; the name is configured into /etc/hosts.
Updated on 2010-11-25T11:02:09Z at 2010-11-25T11:02:09Z by Giri_Daks
  • SystemAdmin
    SystemAdmin
    9855 Posts
    ACCEPTED ANSWER

    Re: WebSEAL, SPNEGO and keytab problem

    ‏2010-01-07T13:49:04Z  in response to SystemAdmin
    Problem solved. I had to add idptesti.xyz.fi under domain_realm stanza and into /etc/hosts file.
    • bakup
      bakup
      1 Post
      ACCEPTED ANSWER

      Re: WebSEAL, SPNEGO and keytab problem

      ‏2010-07-30T16:47:41Z  in response to SystemAdmin
      i add to host and ping is ok,but rut failed

      2010-07-30-22:05:20.088+08:00I----- 0x38CF0156 webseald WARNING wwa server config.cpp 1828 0x00000001
      DPWWA0342W The configuration data for this WebSEAL instance has been logged in '/var/pdweb/log/config_data__default-webseald-soaserverb_boot1.log'
      2010-07-30-22:05:20.412+08:00I----- 0x30923082 webseald ERROR bst general amstli.c 2191 0x00000001
      HPDST0130E The security service function gss_acquire_cred returned the error 'Miscellaneous failure' (code 0x000d0000/851968).
      2010-07-30-22:05:20.413+08:00I----- 0x30923082 webseald ERROR bst general amstli.c 2209 0x00000001
      HPDST0130E The security service function gss_acquire_cred returned the error 'No principal in keytab matches desired name' (code 0x1cff2901/486484225).
      2010-07-30-22:05:20.413+08:00I----- 0x13212064 webseald ERROR ias general ivpam.c 613 0x00000001
      HPDIA0100E An internal error has occurred.
      2010-07-30-22:05:20.413+08:00I----- 0x13212064 webseald WARNING ias general pdauthn.cpp 1773 0x00000001
      HPDIA0100E An internal error has occurred.
      2010-07-30-22:05:20.413+08:00I----- 0x38CF096A webseald ERROR wwa spnego authn-spnego.cpp 381 0x00000001
      DPWWA2410E Initialization of Kerberos authentication for server principal 'HTTP@soaserverb.gs.tobacco.gov.cn' failed.
      2010-07-30-22:05:20.419+08:00I----- 0x38AD50A4 webseald WARNING wiv general IVServer.cpp 1007 0x00000001
      DPWIV0164W Could not start background process
      what is it
      • Giri_Daks
        Giri_Daks
        99 Posts
        ACCEPTED ANSWER

        Re: WebSEAL, SPNEGO and keytab problem

        ‏2010-11-25T11:02:09Z  in response to bakup
        I am also facing the similar error, but i can start the webseal if i try to restart after some time..
        Is there any permanent fix for this issue?
      • pkh
        pkh
        10 Posts
        ACCEPTED ANSWER

        Re: WebSEAL, SPNEGO and keytab problem

        ‏2013-10-03T07:18:24Z  in response to bakup

        Dear All,

        I am facing the same issue while enabling SPNEGO with TAM 6.0 WebSEAL. I would really appreciate if anybody can suggest a solution here

         

        2013-10-03-11:10:57.649+05:30I----- 0x38CF0156 webseald WARNING wwa server config.cpp 1936 0x00000001
        DPWWA0342W   The configuration data for this WebSEAL instance has been logged in '/logs/DPW/logs/config_data__dsso-ucc-webseald-CNDAFXCSAPZP33.log'
        2013-10-03-11:12:17.931+05:30I----- 0x38CF0969 webseald WARNING wwa spnego authn-spnego.cpp 303 0x00000001
        DPWWA2409W   Reverse lookup for host 'easyaccessucc' returned an alternate host name 'easyaccessucc.AIRTELUCC.COM'.  This might prevent SPNEGO authentication fr
        om functioning properly.
        2013-10-03-11:12:58.057+05:30I----- 0x30923082 webseald ERROR bst general amstli.c 2191 0x00000001
        HPDST0130E   The security service function gss_acquire_cred returned the error 'Miscellaneous failure' (code 0x000d0000/851968).
        2013-10-03-11:12:58.057+05:30I----- 0x30923082 webseald ERROR bst general amstli.c 2209 0x00000001
        HPDST0130E   The security service function gss_acquire_cred returned the error 'No principal in keytab matches desired name' (code 0x1cff2901/486484225).
        2013-10-03-11:12:58.058+05:30I----- 0x13212064 webseald ERROR ias general ivpam.c 613 0x00000001
        HPDIA0100E   An internal error has occurred.
        2013-10-03-11:12:58.058+05:30I----- 0x13212064 webseald WARNING ias general pdauthn.cpp 1800 0x00000001
        HPDIA0100E   An internal error has occurred.
        2013-10-03-11:12:58.058+05:30I----- 0x38CF096A webseald ERROR wwa spnego authn-spnego.cpp 383 0x00000001
        DPWWA2410E   Initialization of Kerberos authentication for server principal 'HTTP@easyaccessucc' failed.
        2013-10-03-11:12:58.064+05:30I----- 0x38AD50A4 webseald WARNING wiv general IVServer.cpp 1034 0x00000001
        DPWIV0164W   Could not start background process
        ~
         

        • RanjithKoppu
          RanjithKoppu
          5 Posts
          ACCEPTED ANSWER

          Re: WebSEAL, SPNEGO and keytab problem

          ‏2014-12-29T22:19:57Z  in response to pkh

          Hello,

          I also have a similar problem due to which my production environment is down. Can any one please suggest me with a resolution ?

          Regards,

          RK