Trying to configure SPNEGO with IBM ELM 7, fails at kinit -k -t /etc/krb5.keytab HTTP/elm.corp.demo.com


Victor Polo de Gyves Montero (135) | asked Sep 24 '20, 2:15 p.m.
edited Sep 24 '20, 2:39 p.m.

I am trying to configure SPNEGO with Active Directory and IBM ELM 7.0 by following the instructions at:



When I reach the step to verify with kinit from IBM:

PS C:\windows> C:\Users\victor\IBM\JazzTeamServer\server\jre\bin\kinit -k -t krb5.keytab HTTP/elm.corp.demo.com
java.util.MissingResourceException: Can't find resource for bundle java.util.PropertyResourceBundle, key com.ibm.security.jgss.i18n.exception.UnableLocRealm
PS C:\windows>

I have been googling around for this exception but I did not find additional information, so I've tried with kinit from OpenJDK 8 to get more info:

PS C:\windows> C:\Users\elmHttp\Downloads\openjdk-8u41-b04-windows-i586-14_jan_2020\java-se-8u41-ri\bin\kinit -k -t krb5.keytab HTTP/elm.corp.koneksys.com
Exception: Connection refused: connect
java.net.ConnectException: Connection refused: connect
        at java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)
        at java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85)
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:345)
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
        at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
        at java.net.Socket.connect(Socket.java:589)
        at sun.security.krb5.internal.TCPClient.<init>(NetClient.java:63)
        at sun.security.krb5.internal.NetClient.getInstance(NetClient.java:43)
        at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:393)
        at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.krb5.KdcComm.send(KdcComm.java:348)
        at sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253)
        at sun.security.krb5.KdcComm.send(KdcComm.java:229)
        at sun.security.krb5.KdcComm.send(KdcComm.java:200)
        at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
        at sun.security.krb5.internal.tools.Kinit.<init>(Kinit.java:219)
        at sun.security.krb5.internal.tools.Kinit.main(Kinit.java:113)
PS C:\windows>

I have just followed what the instructions say but it fails to connect. Does anyone know how to solve this issue?

My krb5.ini file:
[libdefaults]
          default_realm = WINSERVER2016FO.CORP.DEMO.COM
          default_keytab_name = FILE:c:\Windows\krb5.keytab
          default_tkt_enctypes = rc4-hmac
          default_tgs_enctypes = rc4-hmac
          forwardable  = true
          renewable  = true
          noaddresses = true
          clockskew  = 300
          udp_preference_limit = 1
[realms]
          CORP.DEMO.COM = {
                kdc = winserver2016fo.corp.demo.com:88
                default_domain = corp.demo.com
}
[domain_realm]
        corp.demo.com = CORP.DEMO.COM

And this is how I created the krb5.keytab file:

PS C:\Users\demouser> ktpass -out krb5.keytab -princ HTTP/elm.corp.demo.com@WINSERVER2016FO.CORP.DEMO.COM -mapUser elmHttp -mapOp set -pass security -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: WinServer2016Fo.corp.demo.com
Using legacy password setting method
Successfully mapped HTTP/elm.corp.demo.com to elmHttp.
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 95 HTTP/elm.corp.demo.com@WINSERVER2016FO.CORP.DEMO.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x17 (RC4-HMAC) keylength 16 (0xd5e9e0db50ba46b948853221be26da2b)
PS C:\Users\demouser>

Product version: 

IBM ELM Version: 7.0.2
First test: IBM JDK: java version "1.8.0_191", IBM J9
Second test: OpenJDK 8, java version: 1.8u41
Active Directory OS: Windows Server 2016 at winserver2016fo.corp.demo.com
IBM ELM OS: Windows Server 2016 at elm.corp.demo.com

Thanks in advance!
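
A realm-name consistency check for a configuration like the one posted, as an added example that is not part of the original question or of IBM's instructions: it parses a krb5.ini and lists every realm referenced by default_realm, [domain_realm] or the keytab principal that has no kdc entry under [realms]. The sample input is abridged from the krb5.ini and ktpass command in the post; the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the krb5.ini and ktpass principal in the post.
KRB5_INI = """\
[libdefaults]
    default_realm = WINSERVER2016FO.CORP.DEMO.COM
[realms]
    CORP.DEMO.COM = {
        kdc = winserver2016fo.corp.demo.com:88
    }
[domain_realm]
    corp.demo.com = CORP.DEMO.COM
"""
PRINCIPAL = "HTTP/elm.corp.demo.com@WINSERVER2016FO.CORP.DEMO.COM"


def parse_krb5(text):
    """Return (default_realm, {realm: [kdc, ...]}, {domain: realm})."""
    section, realm = None, None
    default_realm, realms, domain_realm = None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults" and key == "default_realm":
                default_realm = value
            elif section == "realms" and value == "{":
                realm = key                  # opening of a realm block
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
            elif section == "domain_realm":
                domain_realm[key] = value
    return default_realm, realms, domain_realm


def lint(text, principal):
    """List realm names that are referenced but have no kdc under [realms]."""
    default_realm, realms, domain_realm = parse_krb5(text)
    referenced = {"default_realm": default_realm,
                  "keytab principal": principal.rpartition("@")[2]}
    referenced.update({f"domain_realm {d}": r for d, r in domain_realm.items()})
    return [f"{src}: {r} has no kdc in [realms]"
            for src, r in referenced.items() if not realms.get(r)]
```

On the sample input, `lint(KRB5_INI, PRINCIPAL)` reports the default_realm and the keytab principal realm, both WINSERVER2016FO.CORP.DEMO.COM, while [realms] defines only CORP.DEMO.COM.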
