Kerberos authentication
Hi,
I'm trying to configure WebLogic 8.1 to use SPNEGO with AD 2003. The WebLogic server is installed on a Windows machine (a separate machine from the KDC).
I've configured AD according to BEA documentation "Configuring Single Sign-On with Microsoft Clients" (http://e-docs.bea.com/wls/docs81/secmanage/sso.html):
1) Created the appropriate user and set SPNs using the setspn utility
2) Created a keytab file on the AD server
3) Added the principal to the keytab file using the ktab utility
4) Added the krb5.ini file to the c:\winnt folder on the WebLogic machine (according to the documentation)
When I try to execute
"kinit -k -t keytab-file account-name"
in order to test the Kerberos configuration, I get the following exception:
Exception: krb_error 0 Cannot get kdc for realm EVENCION.LOCAL No error
KrbException: Cannot get kdc for realm EVENCION.LOCAL
at sun.security.krb5.KrbKdcReq.send(DashoA12275:133)
at sun.security.krb5.KrbKdcReq.send(DashoA12275:106)
at sun.security.krb5.internal.tools.Kinit.<init>(DashoA12275:241)
at sun.security.krb5.internal.tools.Kinit.main(DashoA12275:106)
The krb5.ini file is:
[libdefaults]
default_realm=DOMAIN.COM
default_tkt_enctypes=des-cbc-crc
default_tgs_enctypes=des-cbc-crc
ticket_lifetime=600
dns_lookup_kdc=true
[realms]
DOMAIN.COM = {
kdc=server.DOMAIN.COM:88
admin_server=server.DOMAIN.COM
default_domain=DOMAIN.COM
[domain_realm]
.domain.com=DOMAIN.COM
[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true
I checked with a file monitor and I saw that when I execute kinit, it accesses krb5.ini and reads it. The server and domain names are correct and the server is directly accessible from the WebLogic machine (no proxy or firewall).
What can be wrong?
Thanks,
Gil
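
Added example (not part of the original post, and not BEA or Sun code): a small Python lint for a krb5.ini of the shape shown above. It checks that the realm named in a "Cannot get kdc for realm" error has a kdc entry in [realms], that every realm stanza is closed, and that the enctypes are not single-DES only. The names check_krb5, WEAK and SAMPLE are made up for this example, the sample text is constructed, and only the file contents are checked (no DNS lookup as with dns_lookup_kdc).

```python
import re
WEAK = {"des-cbc-crc", "des-cbc-md5"}  # single DES, deprecated by RFC 6649

# Constructed sample with the same shape as the file in the post.
SAMPLE = """[libdefaults]
default_realm=DOMAIN.COM
default_tkt_enctypes=des-cbc-crc
[realms]
DOMAIN.COM = {
kdc=server.DOMAIN.COM:88
[domain_realm]
"""

def check_krb5(text, realm):
    """Lint krb5.ini text for `realm`; file contents only, no DNS lookups."""
    findings, libdefaults, realms = [], {}, {}
    section = stanza = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if stanza:  # new section while a { ... } stanza is still open
                findings.append(f"stanza {stanza} not closed with '}}'")
            section, stanza = header.group(1), None
        elif line == "}":
            stanza = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if section == "realms" and value == "{":
                stanza = key
                realms.setdefault(key, [])
            elif section == "realms" and stanza and key == "kdc":
                realms[stanza].append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
    if stanza:
        findings.append(f"stanza {stanza} not closed with '}}'")
    if libdefaults.get("default_realm") != realm:
        findings.append(f"default_realm is {libdefaults.get('default_realm')}, not {realm}")
    if not realms.get(realm):
        findings.append(f"no kdc listed for realm {realm}")
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        types = set(libdefaults.get(key, "").split())
        if types and types <= WEAK:
            findings.append(f"{key} is single-DES only")
    return findings
```

Call check_krb5(open(r"c:\winnt\krb5.ini").read(), "REALM.NAME") with the realm exactly as it appears in the kinit error; an empty list means none of these checks fired.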

