Identity Management Products: Possible errors while configuring Windows Desktop SSO feature.

Wednesday, March 24, 2010

Possible errors while configuring Windows Desktop SSO feature.

************
Problem-1:
************
Type:
-----
ktpass configuration on Windows Domain Controller.

Error:
-------
ktpass command gives error "Failed to retrieve user info if you configure it in two stages"

Solution:
----------
Use the following syntax to do both mapping and keytab generation in one step:

C:\userData\lakshman>ktpass /princ HTTP/avatar.red.iplanet.com@SUST.IDM.COM /pas
s Password123 +DesOnly /crypto DES-CBC-CRC /ptype KRB5_NT_PRINCIPAL /mapuser avata
r /out avatar.HTTP.keytab
Targeting domain controller: parrot.SUST.IDM.COM
Successfully mapped HTTP/avatar.red.iplanet.com to avatar.
Key created.
Output keytab to avatar.HTTP.keytab:
Keytab version: 0x502
keysize 67 HTTP/avatar.red.iplanet.com@SUST.IDM.COM ptype 1 (KRB5_NT_PRINCIPAL)
vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x98628cd615045bc8)
Account avatar has been set for DES-only encryption.

************
Problem-2:
************
Type:
-----
ktpass configuration on Windows Domain Controller.

Error:
-------
Executing ktpass command gives "DnsCrack error"

Solution:
---------
Do not have spaces in user name that you are trying to map. Make sure "Full Name" and Logon name does not have any spaces.

************
Problem-3:
************
Type:
-----
Specifying correct algorithm while running ktpass command.

Solution:
---------
If AM is using Java 1.5_08 or below, must use DesOnly and crypto as DES-CBC-CRC.
To avoid running into this algorith problems, always use DesOnly and DES-CBC-CRC for testing. This is supported on all java versions above and below 1.5_08.

************
Problem-4:
************
Type:
-----
Domain name on AD is not all capital letters like SUST.IDM.COM Instead it is sust.idm.com

Solution:
---------
This is acceptable and will work. Use capital letters as in example below while running ktpass command if domain name is small letters.
C:\userData\lakshman>ktpass /princ HTTP/avatar.red.iplanet.com@SUST.IDM.COM /pas
s Password123 +DesOnly /crypto DES-CBC-CRC /ptype KRB5_NT_PRINCIPAL /mapuser avata
r /out avatar.HTTP.keytab

Identity Management Products

Wednesday, March 24, 2010

Possible errors while configuring Windows Desktop SSO feature.

No comments:

Post a Comment

Blog Archive

My Other Blogs

About Me

SSL

OIM - 9x/11g

OIM Configuration Help

OIM 11g Documents

OIM 9x Documents

OIM code snippets

OIM - Downloads

OAM 11g

OAM - 10g (formerly Oblix Netpoint) documentation

OpenSSO docs

AM 7.1 docs

AM 7.0 Docs

Sun policy Agents

Windows Desktop SSO

LDAP docs

Glassfish

SAML

IdM Blogs

Tools

Tools Blogs

Unix KDC administration

Browser

OAuth Standard

UTF-8 / ASCII

Coding help

SQL Tutorials

Downloads

Followers