At Wit's End - AD Integration w/Kerberos

Former Member
0 Kudos

Uninstalled CRS2008 v0 and installed CRS2008 v1 (an upgrade sure would have been nice instead of an uninstall/new install). Now, trying to configure AD Integration, which worked with v0. No SPs have been applied.

Can log in with AD credentials on client tools, but InfoView on Tomcat is consistently returning "Account Information is not recognized" error.

I've done pretty much everything I can find/think of:

  • I run KINIT and get a "ticket"

  • However, stdout.log returns "[Krb5LoginModule] authentication failed Cannot get kdc for realm OFFICE"

krb5.ini

[libdefaults]
default_realm = domain.COM
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1

[realms]
domain.COM = {
kdc = SG-OPS.domain.COM
default_domain = domain.COM
}

(domain replacing the customer's name)

I replaced the SG-OPS PDC with the machine returned in the SET LOGONSERVER variable. I can ping both. No help.

The only thing that looks slightly funny to me here is that the message in stdout.log refers to the default OFFICE domain that all this stuff is using, even though the OFFICE domain isn't referenced anywhere in krb5.ini.

I'm out of ideas. What little hair I had before is now pulled out.

- George Peck -

Accepted Solutions (1)

BasicTek
Advisor
0 Kudos

"Cannot get kdc for realm OFFICE": OFFICE is coming from the value entered in the CMC > Authentication > Default Domain. It must match the default realm in the krb5.ini, in all caps. A workaround would be to enter the realm for each logon (user@REALM.COM, which you don't want to do).

Regards,

Tim

Former Member
0 Kudos

Tim,

Thanks!

As you surmise, the default domain in the AD Configuration Screen in the CMC is OFFICE. Hence, I can log in to CRS with gpeck, instead of OFFICE\gpeck.

But, making the following changes to krb5.ini and restarting Tomcat doesn't fix the problem:

[libdefaults]
default_realm = OFFICE.<CUSTOMERDOMAIN>.COM
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1

[realms]
OFFICE.<CUSTOMERDOMAIN>.COM = {
kdc = SG-OPS.<CUSTOMERDOMAIN>.COM
default_domain = OFFICE.<CUSTOMERDOMAIN>.COM
}

What am I still missing?

THANKS!!!!! - George -

BasicTek
Advisor
0 Kudos

The krb5.ini was working for kinit; there was no reason to change it. Only the value in the CMC should have been changed. Also, with Java you can never log in with domain\user; this is not allowed at any time. Every logon has to be user@REALM.COM, where REALM.COM is the default value in the krb5.ini and the default domain in the CMC. If you have multiple domains then REALM.COM must be entered for all users not in the default.

Regards,

Tim
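The two replies above boil down to one consistency rule: the CMC "default domain" must be the exact, upper-case Kerberos realm named by default_realm in krb5.ini, and every Java-side logon is user@REALM.COM rather than DOMAIN\user. The script below is an added example written for this thread, not code from the original posts or from the CRS/BusinessObjects product. It parses a constructed krb5.ini (placeholder realm OFFICE.EXAMPLE.COM, placeholder KDC host) and reports the mismatches that produce "Cannot get kdc for realm OFFICE", then canonicalises logon names into the form the Java login module expects. The function names and the sample file are assumptions made for the demonstration.

```python
"""Consistency check between a krb5.ini and the CMC 'default domain' value.

Added example, not part of the original thread. Assumes the rule stated
in the thread: the CMC default domain must equal default_realm (upper
case) and every Java logon is user@REALM.COM.
"""
import re

# Constructed sample modelled on the krb5.ini posted in the thread;
# realm and KDC host are placeholders, not real identifiers.
SAMPLE_KRB5_INI = """
[libdefaults]
default_realm = OFFICE.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1

[realms]
OFFICE.EXAMPLE.COM = {
  kdc = sg-ops.example.com
  default_domain = office.example.com
}
"""


def parse_krb5_ini(text):
    """Minimal parser for the subset of krb5.ini used in the thread.

    Returns {"libdefaults": {key: value}, "realms": {REALM: {key: value}}}.
    Brace-delimited stanzas under [realms] are handled; other sections are
    skipped. '#' starts a comment.
    """
    sections = {"libdefaults": {}, "realms": {}}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            realm = None
            continue
        if section == "realms":
            stanza = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if stanza:
                realm = stanza.group(1)
                sections["realms"][realm] = {}
                continue
            if line == "}":
                realm = None
                continue
        if "=" not in line or section not in sections:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "libdefaults":
            sections["libdefaults"][key] = value
        elif realm is not None:  # key = value inside a realm stanza
            sections["realms"][realm][key] = value
    return sections


def check_cmc_default_domain(krb5_text, cmc_default_domain):
    """Return a list of problems; an empty list means the settings agree.

    The Java Krb5LoginModule asks for the KDC of the realm named by the CMC
    default domain, so a short NetBIOS name such as 'OFFICE' has neither a
    [realms] stanza nor DNS records to resolve and fails exactly as the
    thread describes.
    """
    cfg = parse_krb5_ini(krb5_text)
    problems = []
    default_realm = cfg["libdefaults"].get("default_realm")
    if default_realm is None:
        return ["krb5.ini has no default_realm in [libdefaults]"]
    if default_realm != default_realm.upper():
        problems.append(f"default_realm {default_realm!r} is not upper case")
    if default_realm not in cfg["realms"]:
        problems.append(f"no [realms] stanza for {default_realm!r}")
    elif ("kdc" not in cfg["realms"][default_realm]
          and cfg["libdefaults"].get("dns_lookup_kdc", "false").lower() != "true"):
        problems.append(f"realm {default_realm!r} names no kdc and dns_lookup_kdc is off")
    if cmc_default_domain != default_realm:
        problems.append(
            f"CMC default domain {cmc_default_domain!r} != default_realm {default_realm!r}")
    return problems


def java_principal(login, default_realm):
    """Canonicalise a logon name to the user@REALM form the thread requires.

    'DOMAIN\\user' is rejected (the thread states Java never accepts it);
    a bare 'user' gets the default realm appended; 'user@realm' has the
    realm upper-cased, since Kerberos realm names are case-sensitive and
    AD realms are upper case by convention.
    """
    if "\\" in login:
        raise ValueError("DOMAIN\\user form is not accepted by the Java login module")
    if "@" in login:
        user, realm = login.rsplit("@", 1)
        return f"{user}@{realm.upper()}"
    return f"{login}@{default_realm}"


if __name__ == "__main__":
    for cmc_value in ("OFFICE", "OFFICE.EXAMPLE.COM"):
        print(cmc_value, "->", check_cmc_default_domain(SAMPLE_KRB5_INI, cmc_value) or "OK")
    print(java_principal("gpeck", "OFFICE.EXAMPLE.COM"))
```

Run against the sample, the short name "OFFICE" is reported as not matching default_realm, while the full realm passes; that is the one-field change George ends up making in the CMC.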

Former Member
0 Kudos

OK... many hours of putzing around. Indeed, "REALM.COM" was placed in the default domain field in the CMC in place of "single-word domain" and that did the trick. Everything was working client side (client logins, getting AD groups, etc.) with the single-word domain. But, I finally got AD integration to work by changing it.

NOTE TO SELF: PRINT A COPY of the CMC AD Screen before uninstalling/reinstalling!

Appreciate your help very much!

- George -
