I am trying to configure SPNEGO with Active Directory and IBM ELM 7.0 by following the instructions at:
When I reach the step to verify with kinit from IBM:
PS C:\windows> C:\Users\victor\IBM\JazzTeamServer\server\jre\bin\kinit -k -t krb5.keytab HTTP/elm.corp.demo.com
java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key com.ibm.security.jgss.i18n.exception.UnableLocRealm
PS C:\windows>
I have been googling around for this exception but I did not find additional information, so I tried kinit from OpenJDK 8 to get more info:
PS C:\windows> C:\Users\elmHttp\Downloads\openjdk-8u41-b04-windows-i586-14_jan_2020\java-se-8u41-ri\bin\kinit -k -t krb5.keytab HTTP/elm.corp.koneksys.com
Exception: Connection refused: connect
java.net.ConnectException: Connection refused: connect
at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at sun.security.krb5.internal.TCPClient.<init>(NetClient.java:63)
at sun.security.krb5.internal.NetClient.getInstance(NetClient.java:43)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:393)
at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.krb5.KdcComm.send(KdcComm.java:348)
at sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253)
at sun.security.krb5.KdcComm.send(KdcComm.java:229)
at sun.security.krb5.KdcComm.send(KdcComm.java:200)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
PS C:\windows>
I have just followed what the instructions say but it fails to connect. Does anyone know how to solve this issue?
My krb5.ini file:
[libdefaults]
default_realm = WINSERVER2016FO.CORP.DEMO.COM
default_keytab_name = FILE:c:\Windows\krb5.keytab
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
forwardable = true
renewable = true
noaddresses = true
clockskew = 300
udp_preference_limit = 1
[realms]
CORP.DEMO.COM = {
kdc = winserver2016fo.corp.demo.com:88
default_domain = corp.demo.com
}
[domain_realm]
corp.demo.com = CORP.DEMO.COM
And this is how I created the krb5.keytab file:
PS C:\Users\demouser> ktpass -out krb5.keytab -princ HTTP/elm.corp.demo.com@WINSERVER2016FO.CORP.DEMO.COM -mapUser elmHttp -mapOp set -pass security -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: WinServer2016Fo.corp.demo.com
Using legacy password setting method
Successfully mapped HTTP/elm.corp.demo.com to elmHttp.
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 95 HTTP/elm.corp.demo.com@WINSERVER2016FO.CORP.DEMO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (0xd5e9e0db50ba46b948853221be26da2b)
PS C:\Users\demouser>
Product version:
IBM ELM Version: 7.0.2
First test: IBM JDK: java version "1.8.0_191", IBM J9
Second test: OpenJDK 8, java version: 1.8u41
Active Directory OS: Windows Server 2016 at winserver2016fo.corp.demo.com
IBM ELM OS: Windows Server 2016 at elm.corp.demo.com
Thanks in advance!