Hello Everyone,
One of our customers would like to have SSO for tm1web on mode 3. I am working on setting up the Kerberos authentication for tm1web for SSO in my local environment.
Followed the below link for reference:
https://www.ibm.com/support/knowledgece ... pnego.html
But kinit command >kinit -k -t -J-Dcom.ibm.security.krb5.Krb5Debug=all ..\..\krb5.keytab HTTP/host.xyzdomain.local
throws error as
[KRB_DBG_KDC] KdcComm: main: >>> KdcAccessibility: remove xyzdomain.local: 88
[KRB_DBG_CFG] KDCRep: main: >>> KDCRep: init () encoding tag is 126 req type is 11
[KRB_DBG_KDC] KRBError: main: >>> KRBError:
[KRB_DBG_KDC] KRBError: main: sTime is Tue Nov 19 14:48:30 CET 2019 1574171310000
[KRB_DBG_KDC] KRBError: main: suSec is 956052
[KRB_DBG_KDC] KRBError: main: error code is 14
[KRB_DBG_KDC] KRBError: main: error The message is KDC does not support the encryption type
[KRB_DBG_KDC] KRBError: main: sname is krbtgt/XYZDOMAIN.LOCAL@XYZDOMAIN.LOCAL
[KRB_DBG_KDC] KRBError: main: eData is provided.
[KRB_DBG_KDC] KRBError: main: msgType is 30
[KRB_DBG_KDC] KRBError: main: Unknown eData field of KRB ERROR:
0000: 30 21 30 09 a1 03 02 01 02 a2 02 04 00 30 09 a1 0.0 .......... 0 ..
0010: 03 02 01 10 a2 02 04 00 30 09 a1 03 02 01 0f a2 ........ 0 .......
0020: 02 04 00 ...
com.ibm.security.krb5.KrbException, status code: 14
Message: KDC does not support the encryption type
Does anybody have any idea/suggestion on how to solve the problem?
Thanks buddies.
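Added example, not part of the original post and not IBM code: the "Unknown eData field" bytes in the debug output above parse as a DER SEQUENCE of Kerberos PA-DATA entries (context tags [1] and [2]), and this sketch rebuilds the bytes from the dump lines and lists the pre-authentication types the KDC sent back. The function names are hypothetical, and the type-name table is a subset of RFC 4120 section 7.5.2.

```python
import re

# Sample input: the three eData dump lines copied from the kinit debug output above.
DUMP = """0000: 30 21 30 09 a1 03 02 01 02 a2 02 04 00 30 09 a1 0.0 .......... 0 ..
0010: 03 02 01 10 a2 02 04 00 30 09 a1 03 02 01 0f a2 ........ 0 .......
0020: 02 04 00 ..."""

# Pre-authentication type numbers (subset of RFC 4120 section 7.5.2).
PADATA_NAMES = {2: "PA-ENC-TIMESTAMP", 11: "PA-ETYPE-INFO", 15: "PA-PK-AS-REP_OLD",
                16: "PA-PK-AS-REQ", 19: "PA-ETYPE-INFO2"}

def dump_to_bytes(text):
    """Rebuild raw bytes from 'offset: hex ... ascii' lines, ignoring the ASCII column."""
    out = bytearray()
    for line in text.splitlines():
        for tok in line.partition(":")[2].split()[:16]:
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break  # reached the ASCII rendering at the end of the line
            out.append(int(tok, 16))
    return bytes(out)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the count of length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_method_data(raw):
    """Decode SEQUENCE OF PA-DATA into [(padata_type, name, value_bytes)]."""
    tag, body, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("eData is not a DER SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        _, item, pos = read_tlv(body, pos)
        fields, ipos = {}, 0
        while ipos < len(item):
            ftag, wrapped, ipos = read_tlv(item, ipos)
            fields[ftag] = read_tlv(wrapped, 0)[1]  # strip the explicit [n] wrapper
        ptype = int.from_bytes(fields[0xA1], "big")
        entries.append((ptype, PADATA_NAMES.get(ptype, "unknown"), fields.get(0xA2, b"")))
    return entries

if __name__ == "__main__":
    for ptype, name, value in decode_method_data(dump_to_bytes(DUMP)):
        print(ptype, name, value.hex() or "(empty)")
```

For the dump above this yields types 2, 16 and 15 with empty values and no PA-ETYPE-INFO or PA-ETYPE-INFO2 entry, so the eData hint itself does not name the encryption types the KDC would accept.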
kinit error - Tm1web SSO with Kerberos authentication
Re: kinit error - Tm1web SSO with Kerberos authentication
This can be a lot of things but I can vaguely remember two things that did:
1. On the Account tab in Active Directory, I believe the user name should be something like HTTP/username.domain
When you create the SPN this is automatically done, but sometimes it doesn't work right for whatever reason.
2. Double-check the case sensitivity of everything. I believe there are a few mistakes on the IBM blog post but you can Google generic instructions for proper case settings.
Additionally, if you follow the IBM guide exactly, you will have some minor errors during the kinit step but it will still work.