iCal Client won't log in

Question

Level 1

40 points

iCal Client won't log in

Hi All.

Ok after other probs with 10.5 Server I ended up doing a full wipe/install. I install in standalone (noddy) mode so that OD was auto setup, as well as ical etc. Only converting to Server Admin (Advanced mode) when up and running (and software update had all new versions) in order to get FTP etc.

For the fist time ever I got a message on my client saying it had found a server and I could set the client up to us it (including it's apps). So I did this.

Now iCal Server is running and on the client in ical prefs the web dav account was auto filled in by leopard. But on boot ical client it pops up with the password box (for connecting to server) and on entering password I get told it's incorrect.

Now there is only one user account on the server lets say Fred Bloggs with a password of fred. This works for APF login on to server with everything else. in iCal Client the password box dispalys fredbloggs and pasword is fred but no joy ( I have also tried changing user name to 'Fred Bloggs' instead of the default 'fredbloggs' but no joy

Any advice

Cheers
Steve

MacPro + PB G4 + G4, Mac OS X (10.4.10)

Posted on Apr 23, 2008 2:08 AM

Reply

Answer 1

Apr 23, 2008 7:42 AM in response to Cacus

What appears in the iCalServer's error log when you try to login?

Reply

Answer 2

Cacus Author

Level 1

40 points

Apr 23, 2008 9:34 AM in response to Cyrus Daboo

This is what I get if I boot ical thats on the server (it still asks for password and rejects me like clients):

2008-04-23 17:30:50+0100 [-] [caldav-8009] [AMP,client] Unauthenticated users not enabled with the 'calendar' SACL
2008-04-23 17:30:50+0100 [-] [caldav-8009] [NegotiateCredentialFactory] authGSSServerInit: Unspecified GSS failure. Minor code may provide more information(No principal in keytab matches desired name)
2008-04-23 17:30:55+0100 [-] [caldav-8009] [AMP,client] Unauthenticated users not enabled with the 'calendar' SACL
2008-04-23 17:30:55+0100 [-] [caldav-8009] [NegotiateCredentialFactory] authGSSServerInit: Unspecified GSS failure. Minor code may provide more information(No principal in keytab matches desired name)
2008-04-23 17:31:03+0100 [-] [caldav-8009] [AMP,client] Unauthenticated users not enabled with the 'calendar' SACL
2008-04-23 17:31:03+0100 [-] [caldav-8009] [NegotiateCredentialFactory] authGSSServerInit: Unspecified GSS failure. Minor code may provide more information(No principal in keytab matches desired name)

May as well be in French to me!

lol

Reply

Answer 3

Cacus Author

Level 1

40 points

Apr 28, 2008 12:20 PM in response to Cacus

Just to point out that I have done all required in the following doc

http://docs.info.apple.com/article.html?path=ServerAdmin/10.5/en/c2cs27.html

To ensure SACL is working but still no joy it always asks for password when booting up ical on the client mac and rejects the password when entered

Any thoughs

Reply

Answer 4

Apr 30, 2008 7:33 AM in response to Cacus

There is a problem with your Kerberos setup. First try setting the server to allow "All" authentication types via Server Admin, then try logging in from iCal without enabling Kerberos in iCal.

If that works, and you really want Kerberos to work, we will need to look more closely at your configuration to see why Kerberos is not starting on the server.

Reply

Answer 5

Cacus Author

Level 1

40 points

Apr 30, 2008 2:38 PM in response to Cyrus Daboo

Hi

Turning of Kerberos has done the trick.

So what do we do next

Sorry idea about Kerberos

Reply

Answer 6

May 2, 2008 7:03 AM in response to Cacus

In Terminal.app do:

sudo klist -k

and paste the output of that for all thr "http/" and "HTTP/" entries.

Also, look in the /etc/caldavd/caldavd.plist file and post the contents of the ServerHostName and Kerberos items.

Reply

Answer 7

Cacus Author

Level 1

40 points

May 5, 2008 10:09 AM in response to Cyrus Daboo

Will be a week or so before I can run up server and send detail.

Will up the info when I have it

Cheers

Reply

Answer 8

May 30, 2008 11:55 AM in response to Cacus

So I have this same issue happening to me. Turning off Kerberos authentication does work, but would like to know why having kerberos authentication turned on doesn't work.

Everything I use on this server (files, mail, dns, iChat, AFP, OD) all use kerberos and I have no problems. iCal is the only service giving problems.

10.5.3 on the server and clients don't fix this issue either.

Anyone run into this? Find a fix for it? Can enlighten me?

Thanks,
-Jessee

Reply

Answer 9

May 30, 2008 3:41 PM in response to Oranges2Apples

I was experiencing this issue a couple months back when initially setting up two of our new servers. I found that iCal ssl would work with Kerberos using the default self signed certificate but not with any other cert (In my case I use a Godaddy cert on these systems).

Same GoDaddy cert worked on all other services except iCal, as in your case. Try using the "default" cert and restart cal service then see if it works? I am using kerberos on all of our iCal clients without an issue. Note: The first time you connect you'll need to check the box to "always trust this certificate" under certificate details to avoid being prompted at every login. On the bright side, iCal isn't a customer facing app for us so having them used the default self signed cert isn't a big deal until Apple works this issue out.

Reply

Answer 10

Jun 3, 2008 9:45 AM in response to Shane Depner1

Yeah seems to work for me as well with SSL using the default certificate and Kerberos Login.

I guess that works for me too. Didn't test a 3rd Party SSL certificate though since I don't have one to test with and don't need one for this server.

Thanks for the heads up Shane.

Not certain why non-SSL Kerberos won't work, but oh well.

-Jessee

Reply

Answer 11

agaldes

Level 1

0 points

Jun 10, 2008 10:16 PM in response to Oranges2Apples

I have the same trouble. Here is a log entry:

2008-06-11 14:42:37+0930 [-] [caldav-8009] [NegotiateCredentialFactory] authGSSServerInit: Unspecified GSS failure. Minor code may provide more information(No principal in keytab matches desired name)
2008-06-11 14:43:12+0930 [-] [caldav-8009] [AMP,client] Unauthenticated users not enabled with the 'calendar' SACL
2008-06-11 14:43:12+0930 [-] [caldav-8009] [AMP,client] "Directory service <SudoDirectoryService '/Search': FilePath('/etc/caldavd/sudoers.plist')> has no GUID; generating service GUID from realm name."

Reply

Answer 12

Jun 17, 2008 7:43 AM in response to agaldes

Kerberos is not properly setup on your server. Try switching authentication to Digest in Server Admin for iCal Server and see if that works. If it does (and it should) then we need to look more closely at your Kerberos setup.

Reply

Answer 13

Macfreqk

Level 1

0 points

Aug 18, 2008 12:21 PM in response to Cyrus Daboo

I'm having the same problem with iCal client. The user can login with a SSL connection but can't authenticate with Kerberos, and I want to know why. Other services seem to work with Kerberos, just not iCal.

What things do you need to look at the Kerberos setup?

here are the entries from klist command

3 http/studio.sticky.tv@STUDIO.STICKY.TV
3 http/studio.sticky.tv@STUDIO.STICKY.TV
3 http/studio.sticky.tv@STUDIO.STICKY.TV
3 HTTP/studio.sticky.tv@STUDIO.STICKY.TV
3 HTTP/studio.sticky.tv@STUDIO.STICKY.TV
3 HTTP/studio.sticky.tv@STUDIO.STICKY.TV

and here is the caldadv.plist file

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AccessLogFile</key>
<string>/var/log/caldavd/access.log</string>
<key>AdminPrincipals</key>
<array/>
<key>Authentication</key>
<dict>
<key>Basic</key>
<dict>
<key>Enabled</key>
<false/>
</dict>
<key>Digest</key>
<dict>
<key>Algorithm</key>
<string>md5</string>
<key>Enabled</key>
<true/>
<key>Qop</key>
<string></string>
</dict>
<key>Kerberos</key>
<dict>
<key>Enabled</key>
<true/>
<key>ServicePrincipal</key>
<string></string>
</dict>
</dict>
<key>BindAddresses</key>
<array/>
<key>BindHTTPPorts</key>
<array/>
<key>BindSSLPorts</key>
<array/>
<key>ControlSocket</key>
<string>/var/run/caldavd.sock</string>
<key>DataRoot</key>
<string>/var/run/caldavd</string>
<key>DirectoryService</key>
<dict>
<key>params</key>
<dict>
<key>node</key>
<string>/Search</string>
<key>requireComputerRecord</key>
<true/>
</dict>
<key>type</key>
<string>twistedcaldav.directory.appleopendirectory.OpenDirectoryService</string >
</dict>
<key>DocumentRoot</key>
<string>/Library/CalendarServer/Documents</string>
<key>EnableDropBox</key>
<true/>
<key>EnableNotifications</key>
<true/>
<key>EnableProxyPrincipals</key>
<true/>
<key>EnableSACLs</key>
<true/>
<key>ErrorLogFile</key>
<string>/var/log/caldavd/error.log</string>
<key>GroupName</key>
<string>calendar</string>
<key>HTTPPort</key>
<integer>8008</integer>
<key>MaximumAttachmentSize</key>
<integer>1048576</integer>
<key>MultiProcess</key>
<dict>
<key>ProcessCount</key>
<integer>0</integer>
</dict>
<key>PIDFile</key>
<string>/var/run/caldavd.pid</string>
<key>ProcessType</key>
<string>Combined</string>
<key>ResponseCompression</key>
<true/>
<key>RotateAccessLog</key>
<false/>
<key>SSLAuthorityChain</key>
<string></string>
<key>SSLCertificate</key>
<string>/etc/certificates/Default.crt</string>
<key>SSLPort</key>
<integer>8443</integer>
<key>SSLPrivateKey</key>
<string>/etc/certificates/Default.key</string>
<key>ServerHostName</key>
<string>studio.sticky.tv</string>
<key>ServerStatsFile</key>
<string>/var/run/caldavd/stats.plist</string>
<key>SudoersFile</key>
<string>/etc/caldavd/sudoers.plist</string>
<key>UserName</key>
<string>calendar</string>
<key>UserQuota</key>
<integer>104857600</integer>
<key>Verbose</key>
<false/>
</dict>
</plist>

Reply

Answer 14

Aug 25, 2008 7:29 AM in response to Macfreqk

What do you see in the error.log file of the calendar server when it starts up? If Kerberos was correctly configured for the server you ought to see "Setting up scheme: kerberos" in the log. If you do not see that, what error appears? If kerberos was setup properly, what error do you see when the iCal client tries to connect?

Reply

Answer 15

Macfreqk

Level 1

0 points

Aug 26, 2008 12:23 PM in response to Cyrus Daboo

Here's the iCal Server startup errors

2008-08-20 11:27:57-0700 [-] [caldav-8012] [startup] Setting up calendar collection: <class 'twistedcaldav.static.CalendarHomeProvisioningFile'>
2008-08-20 11:27:57-0700 [-] [caldav-8011] [KerberosCredentialFactoryBase] getServerPrincipalDetails: ('Principal not found in keytab', -1)
2008-08-20 11:27:57-0700 [-] [caldav-8011] [startup] Could not start Kerberos
2008-08-20 11:27:57-0700 [-] [caldav-8011] [startup] Setting up scheme: digest
2008-08-20 11:27:57-0700 [-] [caldav-8012] [startup] Setting up root resource: <class 'twistedcaldav.root.RootResource'>
2008-08-20 11:27:57-0700 [-] [caldav-8011] [-] Configuring authentication wrapper
2008-08-20 11:27:57-0700 [-] [caldav-8011] [-] Setting up service
2008-08-20 11:27:57-0700 [-] [caldav-8011] [startup] Configuring log observer: <twistedcaldav.logging.AMPCommonAccessLoggingObserver object at 0x146dbb0>
2008-08-20 11:27:57-0700 [-] [caldav-8013] [OpenDirectoryService] Reloading resources record cache
2008-08-20 11:27:57-0700 [-] [caldav-8011] [startup] Adding server at 127.0.0.1:8011
2008-08-20 11:27:57-0700 [-] [caldav-8012] [startup] Setting up default ACEs on root resource
2008-08-20 11:27:57-0700 [-] [caldav-8012] [-] Setting up AdminPrincipals
2008-08-20 11:27:57-0700 [-] [caldav-8012] [-] Setting root ACL
2008-08-20 11:27:57-0700 [-] [caldav-8011] [-] twisted.web2.channel.http.HTTPFactory starting on 8011
2008-08-20 11:27:57-0700 [-] [caldav-8011] [-] Starting factory <twisted.web2.channel.http.HTTPFactory instance at 0x1469800>
2008-08-20 11:27:57-0700 [-] [caldav-8012] [startup] Setting up Timezone Cache
2008-08-20 11:27:57-0700 [-] [caldav-8012] [startup] Configuring authentication for realm: /Search
2008-08-20 11:27:57-0700 [-] [caldav-8012] [startup] Setting up scheme: kerberos
2008-08-20 11:27:57-0700 [-] [caldav-8010] [startup] Configuring SudoDirectoryService with file: /etc/caldavd/sudoers.plist
2008-08-20 11:27:57-0700 [-] [caldav-8010] [startup] Setting up document root at: /Library/CalendarServer/Documents
2008-08-20 11:27:57-0700 [-] [caldav-8010] [startup] Setting up principal collection: <class 'twistedcaldav.directory.principal.DirectoryPrincipalProvisioningResource'>
2008-08-20 11:27:57-0700 [-] [caldav-8012] [KerberosCredentialFactoryBase] getServerPrincipalDetails: ('Principal not found in keytab', -1)
2008-08-20 11:27:57-0700 [-] [caldav-8012] [startup] Could not start Kerberos
2008-08-20 11:27:57-0700 [-] [caldav-8012] [startup] Setting up scheme: digest

On the client side, when I try to add the account and check the Kerberos box, it says that the server rejected the password and won't add the account. If I uncheck the box, the account is added without a problem.

Reply