Single Sign-on (SSO) stopped working after the ktpass command was issued again. The new keytab file was placed on the Foglight Management Server (FMS) host but a blank page was displayed when users attempted to access the Foglight console using SSO.
The following errors may be reported when the FMS is started with the debug switches -Dquest.debug=1 -Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true:
ERROR [forge-startup] com.quest.nitro.service.security.krb5.Krb5AuthenticationService - Acquire server credential failed.
javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication information from the user
ERROR [forge-startup] com.quest.nitro.service.security.krb5.Krb5AuthenticationService - Acquire server credential failed.
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24)
CAUSE 1
When the FMS starts the Krb5AuthenticationService, the server acquires its credential from the keytab file. The message indicates that the keytab file was not created correctly.
The ktpass command had been run without substituting the actual REALM for the string "REALM" in the command template shown under Resolution 1, so the credentials in the keytab did not work.
CAUSE 2
The ktpass command has been run with the -setpass and -setupn parameters, which can cause a mismatch with the account credentials or with the key version number (kvno).
CAUSE 3
The Kerberos encryption type used in the keytab file (e.g. RC4-HMAC) is disabled by default in newer Java releases.
Debug logging can show an authentication failure with the message "Encryption type RC4 with HMAC is not supported/enabled".
RESOLUTION 1
Run the ktpass command with the actual REALM in place of the string "REALM", then replace the current keytab file on the FMS host with the newly created keytab file:
ktpass -princ HTTP/[fmsHost]@REALM -mapuser "[domain]\[user]" -pass [password] -out [keytabFilePath]
For example, if the FMS host is "fmshost.example.com", the REALM is EXAMPLE.COM, the user is sso_foglight and the keytab file is written to "c:\keytab_file" the ktpass command would appear as follows:
ktpass -princ HTTP/fmshost.example.com@EXAMPLE.COM -mapuser example.com\sso_foglight -pass [password] -out [keytabFilePath]
RESOLUTION 2
Run the ktpass command without the -setpass and -setupn parameters; for example:
ktpass -princ HTTP/fmshost.example.com@EXAMPLE.COM -mapuser [user] -pass [password] -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out [keytabFilePath]
RESOLUTION 3
Run the ktpass command with the -crypto parameter, for example using AES256-SHA1:
ktpass -princ HTTP/fmshost.example.com@EXAMPLE.COM -mapuser [user] -pass [password] -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out [keytabFilePath]
Note: the account option "This account supports Kerberos AES 256 bit encryption" may need to be enabled for the mapped domain account.
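Before copying a newly generated keytab to the FMS host, the file itself can be inspected for Cause 1 (wrong realm in the principal) and Cause 3 (no AES key). The following is an added example, not code from the article or from Foglight: it parses the version 0x0502 keytab layout that ktpass writes; the principal names, enctype codes and all-zero key bytes used for the samples are constructed for illustration.

```python
import struct

ENCTYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES_ENCTYPES = {17, 18}

def parse_keytab(data):
    """Parse a version 0x0502 keytab (the layout MIT krb5 and Windows ktpass write) into entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack(">i", data[pos:pos + 4]), pos + 4
        if size <= 0:                         # a negative size marks a deleted slot: skip it
            pos -= size
            continue
        e, pos = data[pos:pos + size], pos + size
        (ncomp,), off, names = struct.unpack(">H", e[:2]), 2, []
        for _ in range(ncomp + 1):            # counted octet strings: realm first, then name components
            (n,) = struct.unpack(">H", e[off:off + 2])
            names.append(e[off + 2:off + 2 + n].decode("utf-8"))
            off += 2 + n
        _ntype, _ts, vno8 = struct.unpack(">IIB", e[off:off + 9])   # name type, timestamp, 8-bit kvno
        (enctype,) = struct.unpack(">H", e[off + 9:off + 11])       # keyblock enctype; key bytes follow
        entries.append({"principal": "/".join(names[1:]) + "@" + names[0], "kvno": vno8, "enctype": enctype})
    return entries

def check_keytab(data, expected_principal):
    """Map keytab contents to the article's causes; an empty list means the file looks usable."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e["principal"] == expected_principal]
    if not mine:                              # cause 1: literal "REALM" (or wrong host) in the principal
        return ["no key for %s; keytab holds %s" % (expected_principal, sorted({e["principal"] for e in entries}))]
    if not any(e["enctype"] in AES_ENCTYPES for e in mine):   # cause 3: only RC4/DES keys in the file
        return ["no AES key; enctypes: " + ", ".join(ENCTYPE_NAMES.get(e["enctype"], str(e["enctype"])) for e in mine)]
    return []                                 # compare the reported kvno with the AD account's kvno for cause 2

def build_keytab(principal, enctype, kvno, key):
    """Constructed test-data builder: one-entry keytab for principal (dummy key bytes, not real material)."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode("utf-8")
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)             # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)   # keyblock, 32-bit kvno trailer
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed samples: an RC4 key cut with the literal string "REALM" versus an AES256 key for the real realm.
BAD_KEYTAB = build_keytab("HTTP/fmshost.example.com@REALM", 23, 3, b"\x00" * 16)
GOOD_KEYTAB = build_keytab("HTTP/fmshost.example.com@EXAMPLE.COM", 18, 3, b"\x00" * 32)
```

On a real file, read it in binary mode and pass the bytes to check_keytab together with the HTTP/host@REALM principal the FMS expects; the kvno it reports can be compared with the mapped account's kvno on the domain controller.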