Is there any more detailed documentation for setting up Kerberos authentication in SOAtest?
The only documentation I could find is this - https://docs.parasoft.com/display/SOA20212/Additional+Preference+Settings so I simply filled out the Security preference but clicking on Check Ticket gives me the error shown. I've tried different formats in different ways for the service principal, Kerberos realm, and KDC server but no luck. What am I missing? Are there more steps involved not documented? I purposely blocked the fields so government doesn't get mad at me submitting security information but here's the basic format I used:
Service Principal: 12345@A.B.SSA.GOV (where 12345 is the service account PIN)
Kerberos realm: A.B.SSA.GOV
KDC server: a.b.ssa.gov
Answers
-
Your system is missing a TGT (ticket granting ticket). From docs:
The ticket that is received upon initial authentication is known as a Ticket Granting Ticket, or TGT. For example, in a Windows environment, the TGT is generated when first logging on to the workstation in the morning.
Java for Windows also provides a "kinit" command that can be used to obtain and cache a TGT that can be read by other Java applications such as SOAtest. You can find "kinit.exe" in the JDK that ships with SOAtest under "plugins\com.parasoft.ptest.jdk.eclipse.core.web.win32.x86_64_{ver}\jdk\bin". Typically you would run something like "kinit user@domain". You can then use the "klist" command to list any cached TGTs.
See:
https://docs.oracle.com/javase/8/docs/technotes/tools/windows/kinit.html
https://docs.oracle.com/javase/8/docs/technotes/tools/windows/klist.html
Kerberos tooling, including kinit, also assumes your system has a Kerberos configuration file which is a krb5.ini file in your C:\Windows installation directory (or /etc/krb5.conf on Linux).
See:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html
https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html - includes an example at the bottom
1 -
Hi. I am able to use the kinit and klist tool to successfully verify the TGT is valid and working. However, I have my custom kerb5.ini file, but am unclear where to place it.
I have tried placing the kerb5.ini in the Windows directory, as well as the C:\Program Files\Parasoft\SOAtest & Virtualize\2021.2\plugins\com.parasoft.ptest.jdk.eclipse.core.web.win32.x86_64_{ver}\jdk\jre\lib\security directory. All attempts produce the following error:
Error Message:
No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)
Additional Details:
Fail to create credential. (63) - No service creds
Any further insight would be greatly appreciated. Thanks.
0 -
Hi. I am able to use the kinit and klist tool to successfully verify the TGT is valid and working. However, I have my custom kerb5.ini file, but am unclear where to place it.
As I mentioned, kinit requires that your Kerberos config file has already been set up. It defines various things including realms and the KDC hosts for each one.
As I mentioned, the Kerberos configuration file is a krb5.ini file in your C:\Windows installation directory (or /etc/krb5.conf on Linux). That is where it goes.
1 -
So when you say 'C:\Windows installation directory', do you mean:
C:\Windows
C:\Program Files\Parasoft\SOAtest & Virtualize\2021.2
Something completely different?
0 -
After putting the kerb5.inf in the 2021.2 folder, we've now moved to a new error:
Error Message:
No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
Additional Details:
Identifier doesn't match expected value (906)
0 -
So when you say 'C:\Windows installation directory', do you mean
C:\Windows means just that. It is the directory where your Windows operating system is installed.
After putting the kerb5.inf in the 2021.2 folder
No. It goes in C:\Windows.
No valid credentials provided (Mechanism level: Server not found in Kerberos database (7))
You probably have a TGT for the wrong server.
0 -
Getting closer - do you have a sample kerb5.conf you can share?
0 -
do you have a sample kerb5.conf you can share?
Here is the example I mentioned earlier:
https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#sample-krb5-conf-file
Please also check that you use the correct file name. On Windows it is C:\Windows\krb5.ini and on Linux it is /etc/krb5.conf.
0
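The checks discussed in this thread, as an added example that is not part of any post or of Parasoft's documentation: it verifies that a candidate path matches the file name and directory the answers give, and that the realm entered in the Security preference has a KDC listed under [realms]. The function names are hypothetical, the sample config is constructed from the placeholder realm and KDC in the question, and the parser covers only sections, key = value pairs and one level of braces.

```python
import ntpath
import posixpath

EXPECTED = {"windows": r"C:\Windows\krb5.ini", "linux": "/etc/krb5.conf"}  # from the answers

# Constructed sample built from the placeholder realm and KDC in the question.
SAMPLE = """\
[libdefaults]
    default_realm = A.B.SSA.GOV
[realms]
    A.B.SSA.GOV = {
        kdc = a.b.ssa.gov
    }
"""

def check_location(path, platform):
    """Return problems with the name or directory of a config file path."""
    mod = ntpath if platform == "windows" else posixpath
    want_dir, want_name = mod.split(EXPECTED[platform])
    got_dir, got_name = mod.split(mod.normcase(mod.normpath(path)))
    problems = []
    if got_name != mod.normcase(want_name):
        problems.append("file name should be " + want_name)
    if got_dir != mod.normcase(want_dir):
        problems.append("directory should be " + want_dir)
    return problems

def parse_krb5(text):
    """Parse [sections], key = value pairs and one level of { } nesting."""
    conf, section, block = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def kdcs_for(text, realm):
    """Return the KDC hosts configured for realm (names are case-sensitive)."""
    entry = parse_krb5(text).get("realms", {}).get(realm, {})
    return entry.get("kdc", []) if isinstance(entry, dict) else []
```

To check a real file, pass its contents to `kdcs_for` together with the realm exactly as typed in the Kerberos realm field; an empty list means that realm has no KDC entry in the file.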