Kerberos does not work and vIDM prompts for the password.

Article ID: 314593

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Symptoms:

  • Kerberos is not working and the user is prompted for credentials.
  • VMware Identity Manager (vIDM) is unable to process the Kerberos authentication.
  • The local admin account works fine, but domain logins on vIDM fail with the error "The page you were looking for is not available. You may need to contact your administrator with this error: 404 Page Not Found."

  • The following events appear in /opt/vmware/horizon/workspace/logs/connector.log:
Caused by: java.lang.IllegalStateException: login failed due to unexpected exception
    at com.vmware.horizon.directory.ldap.dc.service.KerberosConnectServiceWithSystemControlledKDCLookup.resetKrbConfigForAutoKdcLookup(KerberosConnectServiceWithSystemControlledKDCLookup.java:51) ~[adapter-ldap-0.1.jar:3.3.7.0 Build 24863103]
    at com.vmware.horizon.directory.ldap.dc.service.KerberosConnectServiceWithSystemControlledKDCLookup.getKerberosAuthenticatedSubject(KerberosConnectServiceWithSystemControlledKDCLookup.java:68) ~[adapter-ldap-0.1.jar:3.3.7.0 Build 24863103]
    at com.vmware.horizon.directory.ldap.dc.service.DirectoryConnectService.getLdapContextForIwaDirectoryWithoutProvidedADHost(DirectoryConnectService.java:97) ~[adapter-ldap-0.1.jar:3.3.7.0 Build 24863103]

Caused by: sun.security.krb5.KrbException: krb5.conf loading failed
    at sun.security.krb5.Config.<init>(Unknown Source) ~[java.security.jgss:?]
    at sun.security.krb5.Config.refresh(Unknown Source) ~[java.security.jgss:?]
    at com.vmware.horizon.directory.ldap.dc.service.KerberosConnectServiceWithSystemControlledKDCLookup.resetKrbConfigForAutoKdcLookup(KerberosConnectServiceWithSystemControlledKDCLookup.java:48) ~[adapter-ldap-0.1.jar:3.3.7.0 Build 24863103]

 

Environment

VMware Identity Manager 3.3.x

Cause

Missing or incorrect permissions on the krb5 files in /etc, as in the listing below:

root@hostname [ /etc ]# ls -al | grep krb
-rw-r--r-- 1 root    root      1946 Jun 9 13:59 krb5.conf
-rw-r----- 1 root    root         0 Jun 9 13:59  krb5.conf.lwidentity.orig
-rw------- 1 horizon root      2680 Jun 9 13:59 krb5.keytab

Resolution

  • Take a non-memory snapshot of the appliance prior to making any OS-level edits.
  • Correct the permissions on all 3 krb files as shown below:
root@Hostname [ /etc ]# chmod 664 /etc/krb*
root@Hostname [ /etc ]# ls -al | grep krb
-rw-rw-r-- 1 root    root      1946 Jun 9 13:59 krb5.conf
-rw-rw-r-- 1 root    root         0 Jun 9 13:59  krb5.conf.lwidentity.orig
-rw-rw-r-- 1 horizon root      2680 Jun 9 13:59 krb5.keytab
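
A check that can be run before and after the chmod, added here as an example (not part of the original article or of VMware tooling): it reports every krb* file whose mode differs from the 664 the article sets, and separately whether a file is readable by all local accounts, which is the case for krb5.keytab at mode 664. The function names are hypothetical and GNU stat (stat -c) is assumed.

```shell
#!/bin/sh
# Added example: audit the modes of the krb5 files the article changes.
# Assumption: GNU stat (stat -c), as found on Linux appliances.
# Usage on the appliance (as root):
#   krb_check_modes /etc
#   krb_world_readable /etc/krb5.keytab && echo "keytab readable by all local accounts"

# Print "<status> <mode> <owner>:<group> <path>" for every krb* file in DIR.
# Returns 1 if any mode differs from EXPECTED (default 664, the value the
# article sets with chmod), 0 otherwise.
krb_check_modes() {
    dir=$1
    expected=${2:-664}
    rc=0
    for f in "$dir"/krb*; do
        [ -e "$f" ] || continue              # glob matched nothing
        mode=$(stat -c '%a' "$f")
        owner=$(stat -c '%U:%G' "$f")
        if [ "$mode" = "$expected" ]; then
            status=OK
        else
            status=MISMATCH
            rc=1
        fi
        printf '%s %s %s %s\n' "$status" "$mode" "$owner" "$f"
    done
    return $rc
}

# Return 0 if FILE grants read access to "other", i.e. the last octal
# digit of its mode has the read bit (4) set.
krb_world_readable() {
    mode=$(stat -c '%a' "$1")
    other=$((mode % 10))
    [ $((other & 4)) -ne 0 ]
}
```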