How to properly configure Kerberos principal name

this is my krb5.ini file.

        default_realm = TEST.EXAMPLE.COM
        TEST.EXAMPLE.COM = {
            kdc =
            master_kdc =
            default_domain =
    [domain_realm] = EXAMPLE.COM = EXAMPLE.COM

I created a user USERA on the domain, created a credential using kinit and have my jaas.config file defined as

    example_config { required

everything seems ok as it gets authenticated.

    [JGSS_DBG_CRED] Retrieving Kerberos creds from cache for principal=userA@TEST.EXAMPLE.COM
    [JGSS_DBG_CRED] Non-interactive login; no callbacks necessary.
    [JGSS_DBG_CRED] Done retrieving Kerberos creds from cache
    [JGSS_DBG_CRED] Login successful
    [JGSS_DBG_CRED] userA@TEST.EXAMPLE.COM added to Subject
    [JGSS_DBG_CRED] Kerberos ticket for userA@TEST.EXAMPLE.COM added to Subject
    [JGSS_DBG_CRED] No keys to add to Subject for userA@TEST.EXAMPLE.COM

however now, I am trying to use a service principal name , instead of user principal. I used ktpass to create a keytab file

ktpass -out "c:\mytab.keytab" -princ "Installation1/" -mapUser "TEST\userA" -mapOp set -pass password -crypto DES-CBC-MD5 -pType KRB5_NT_PRINCIPAL +DesOnly

and then use setspn to check

  C:\>setspn -l userA
Registered ServicePrincipalNames for CN=userA,CN=Users,DC=test,DC=example,DC=com:

i change my config to

    example_config{ required
                credsType = both                
               useDefaultCcache = true     
               useDefaultKeytab = false
                useKeytab = "file:///c:/mytab.keytab"

now when i run my app, it gives

    [JGSS_DBG_CRED] Retrieving Kerberos creds from keytab for principal=Installation1/
    [JGSS_DBG_CRED] Service name=Installation1/
    [JGSS_DBG_CRED] Check for Default keytab : 
    [JGSS_DBG_CRED] No Kerberos creds in keytab for principal Installation1/
    [JGSS_DBG_CRED] No service key in keytab; login failed

What did i do wrong in the config file? or is there something i miss in the ktpass command? Installation1 is the service name (of Websphere MQ) when I go to check Control Panel -> Services. I want to autheticate userA to use Websphere MQ service. (like if i want to let user use HTTP I would put principal as HTTP/.....TEST.EXAMPLE.COM



There is nothing in MQ that performs authentication. MQ only performs authorization (permission lookup) via its OAM module.

For a default install of MQ (on any platform including z/OS), there is no effective security in MQ. You can configure MQ to use MQ SSL between a client application and the queue manager (or between 2 queue managers).

The other choice is to purchase a 3rd party MQ security solution like MQAUSX which handles authentication to various targets.

Need Your Help

How to use Razor efficiently

c# razor

I'm trying to implement this algorith in a View page using Razor, but, it does not display the expected result and I don't get any compilation errors. Any suggestion please ?

How to append to the beginning of a text fle in g++

c++ file header g++

I want to write to a file without overwriting anything. It is a text file containing records. When I delete a specific record, I do not actually remove it from the file, I just put information in...