Configuring SPNEGO SSO With AD



Can anyone answer a SPNEGO SSO question?

We have created a user in AD as described in the SPNEGO SSO Active Directory Setup Guide (http://bofriis.dk/files/doc/spnego-activedirectory-configuration-.pdf). We have created the keytab file using the KTPASS command. We then configured SPNEGO in the LiveCycle Admin Console as described in the Administering LiveCycle ES v 8.2 guide, but we still cannot seem to get SSO working. We have loaded LiveCycle ES 8.2 on a box running WebSphere.

This is the information in the log file:

[1/20/09 15:00:00:056 CST] 0000003b Reference I org.apache.xml.security.signature.Reference verify Verification successful for URI "#a084c894220aa09181e9fb0a79e910cc"
[1/20/09 15:00:00:088 CST] 0000003c Reference I org.apache.xml.security.signature.Reference verify Verification successful for URI "#a084c894220aa09181e9fb0a79e910cc"
[1/20/09 15:00:14:494 CST] 0000007a SpnegoRequest W com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler doSpnego Error occured while authenticating using Kerberos config kdcHost = : dnsIp = : serviceRealm = my.comp.info : serviceUser = HTTP/xxxxxxx.my.comp.info
[1/20/09 15:00:14:494 CST] 0000007a SpnegoRequest W com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler doSpnego TRAS0014I: The following exception was logged com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: org.ietf.jgss.GSSException, major code: 11, minor code: -1
major string: General failure, unspecified at GSSAPI level
minor string: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 6, Principal "HTTP/xxxxxxx.my.comp.info@my.comp.info" using key:
Principal: HTTP/xxxxxxx.my.comp.info@my.comp.info
Type: 1
TimeStamp: Tue Jan 20 14:55:04 CST 2009
KVNO: -1
Key: [23, 7c af 20 96 b7 b6 71 a0 da 70 15 5 1b c7 79 f6 ]
Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem]
[Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?]
    at com.wedgetail.idm.sso.AbstractAuthenticator.processSpnego(AbstractAuthenticator.java:1221)
    at com.wedgetail.idm.sso.MechChecker.authenticate(MechChecker.java:205)
    at com.wedgetail.idm.sso.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:1060)
    at com.wedgetail.idm.sso.AbstractAuthenticator.authenticateServiceTicket(AbstractAuthenticator.java:998)
    at com.wedgetail.idm.sso.AbstractAuthenticator.checkAuthentication(AbstractAuthenticator.java:953)
    at com.wedgetail.idm.sso.AuthFilter.doFilter(AuthFilter.java:122)
    at com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler.doSpnego(SpnegoRequestHandler.java:208)
    at com.adobe.idp.um.auth.filter.SSOFilter.doFilter(SSOFilter.java:195)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:832)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:679)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:565)
    at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:478)
    at com.ibm.wsspi.webcontainer.servlet.GenericServletWrapper.handleRequest(GenericServletWrapper.java:122)
    at com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensionServletWrapper.handleRequest(AbstractJSPExtensionServletWrapper.java:226)
    at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:90)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.ja
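The log note above ("KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password") describes a key-version mismatch: the KDC encrypted the service ticket with key type 23, KVNO 6, but the keytab key the server tried had no exact KVNO. Below is an added example, not code from the thread or from LiveCycle, that parses an MIT-format keytab (the format ktpass writes) and reports whether it holds the enctype and KVNO named in such an error line; the principal, key bytes and error text are constructed samples.

```python
import re
import struct

# Constructed sample error (not from the thread), in the format of the log message above.
TICKET_ERROR = 'Could not decrypt service ticket with Key type 23, KVNO 6, Principal "HTTP/es1.my.comp.info@MY.COMP.INFO"'

_counted = lambda s: struct.pack('>H', len(s)) + s.encode()   # 16-bit length-prefixed string
def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as an MIT 0x0502 keytab."""
    out = b'\x05\x02'
    for principal, kvno, enctype, key in entries:
        name, _, realm = principal.partition('@')
        comps = name.split('/')
        body = struct.pack('>H', len(comps)) + _counted(realm)
        body += b''.join(_counted(c) for c in comps)
        body += struct.pack('>IIB', 1, 0, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
        body += struct.pack('>HH', enctype, len(key)) + key
        body += struct.pack('>I', kvno)                 # 32-bit kvno extension
        out += struct.pack('>i', len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a version 0x0502 (big-endian) keytab."""
    assert data[:2] == b'\x05\x02', 'unsupported keytab version'
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack('>i', data[pos:pos + 4])[0]
        pos += 4
        if size <= 0: pos -= size; continue       # negative size marks a deleted slot
        end, p = pos + size, pos
        ncomp = struct.unpack('>H', data[p:p + 2])[0]
        p, parts = p + 2, []
        for _ in range(ncomp + 1):      # realm first, then the name components
            ln = struct.unpack('>H', data[p:p + 2])[0]
            parts.append(data[p + 2:p + 2 + ln].decode())
            p += 2 + ln
        vno8 = data[p + 8]              # follows the 32-bit name type and timestamp
        enctype, klen = struct.unpack('>HH', data[p + 9:p + 13])
        p += 13 + klen
        vno = struct.unpack('>I', data[p:p + 4])[0] if end - p >= 4 else vno8
        entries.append(('/'.join(parts[1:]) + '@' + parts[0], vno, enctype))
        pos = end
    return entries

def check_keytab_against_error(keytab, error_line):
    """'ok' if the keytab holds the ticket's enctype and KVNO; 'stale' if it only has other KVNOs for that key (regenerate it with ktpass); 'missing' if the principal/enctype is absent."""
    m = re.search(r'Key type (\d+), KVNO (\d+), Principal "([^"]+)"', error_line)
    etype, kvno, princ = int(m.group(1)), int(m.group(2)), m.group(3)
    kvnos = sorted(v for p, v, e in parse_keytab(keytab) if p == princ and e == etype)
    return ('ok' if kvno in kvnos else 'stale' if kvnos else 'missing'), kvnos
```

A 'stale' result means the account password changed after the keytab was generated (or ktpass was run again), so the keytab has to be regenerated and redeployed.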





This seems to be working now, at least on the development side. The only thing I could figure out was that the Automatic Directory Synchronization needed to run even though I ran it myself; the server was not rebooted, so I just don't know.

But I could never get it to work with a generic user. I had wanted to have a user name like esforms-f, but I ended up making the user name specific to the server name (user name is nameofESserver).

Configured Kerberos like this:

Authentication Provider : Kerberos

DNS IP: IP.add.of.ES

KDC Host: IP.add.of.AD

Service User: HTTP/nameofESserver.my.comp.com

Service Realm: my.comp.com

Service Password: what_ever_password_is_of_user_name

Enable SPNEGO: checked

But if I use the same user on my production system (changing the DNS IP), it does not work. Do I need to have a specific user for both development and production? Or did I miss a step in the SPNEGO documentation?

Steps that were done: created the user in AD, set password never expires, clicked Finish, selected the user, added "Use DES encryption types for this account" under Account options, reset the password.

Ran the ktpass command.

Done. Go configure ES.



For SPNEGO to work you can use the same user. You just need to take care of the following:

-- In the ktpass command use any name starting with "HTTP/", e.g. HTTP/nameofESserver.my.comp.com

ktpass -princ HTTP/nameofESserver.my.comp.com@my.comp.com -mapuser spnegouserid

-- Refer to that name in your Kerberos config page: HTTP/nameofESserver.my.comp.com

-- Now register a servicePrincipalName for each DNS name that would be used to connect to the server.

So if the same user is used for different servers and their DNS names are like



Then add two SPNs for each such DNS name:

setspn -A HTTP/server1.my.comp.com spnegouserid

setspn -A HTTP/server1 spnegouserid

setspn -A HTTP/server2.my.comp.com spnegouserid

setspn -A HTTP/server2 spnegouserid

The spnegouserid is the same user referred to in ktpass.

Now, from the browser, if you access the servers using any of the above registered URLs, SPNEGO will work for you (provided the necessary configuration is done in the browser).
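The rule above is one HTTP/ SPN for every host name users will actually type, short and fully qualified; an alias given to users is simply another such name. As an added example (not code from the thread), the script below parses the list that setspn -L prints for the account, derives the SPN a browser will request from each URL users are given, and emits the setspn -A commands still missing. It assumes the browser requests HTTP/<host exactly as written in the URL>, without the port and without canonicalising the host through DNS first; the setspn -L output is a constructed sample.

```python
from urllib.parse import urlsplit

# Constructed sample of what "setspn -L spnegouserid" lists for the shared account (not from the thread).
SETSPN_L_OUTPUT = """Registered ServicePrincipalNames for CN=spnegouserid,OU=Services,DC=my,DC=comp,DC=com:
        HTTP/server1.my.comp.com
        HTTP/server1
        HTTP/server2.my.comp.com
        HTTP/server2
"""

def parse_setspn_output(text):
    """SPNs from setspn -L output: every non-empty line after the header. AD compares SPNs
    case-insensitively, so they are normalised to lower case here."""
    return {line.strip().lower() for line in text.splitlines()[1:] if line.strip()}

def required_spn(url):
    """The SPN the browser will ask the KDC for: HTTP/ plus the host as written in the URL.
    Assumption: no DNS canonicalisation by the browser; the port is not part of the SPN."""
    host = urlsplit(url).hostname          # lower-cased, port stripped
    if not host:
        raise ValueError('no host in %r' % url)
    return 'HTTP/' + host

def missing_spns(urls, registered):
    """SPNs that the users' URLs will request but the account does not carry."""
    needed = {required_spn(u) for u in urls}
    return sorted(spn for spn in needed if spn.lower() not in registered)

def setspn_commands(account, urls, setspn_output):
    """The setspn -A lines that would close the gap for the given account."""
    registered = parse_setspn_output(setspn_output)
    return ['setspn -A %s %s' % (spn, account) for spn in missing_spns(urls, registered)]
```

Run it against the real setspn -L output and the exact URLs handed to users (including any alias and the short name) before testing in the browser.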




Thanks for answering my original question that worked. Now I have an extra question and it’s probably dumb but I’m going to ask it anyway.

So I did the setspn for each server, similar to:

setspn -A HTTP/1stESServer.something.somethingelse username

setspn -A HTTP/1stESServer username

setspn -A HTTP/2ndESServer.something.somethingelse username

setspn -A HTTP/2ndESServer username

But I also want to use an alias for our server, so let's say that on my 2ndESServer, when I open it up to my users, I give them a URL that looks something like http://adobeeseform/fm/.

Do I now need to do another setspn command for the alias, like this: setspn -A HTTP/adobeeseform username?

Or am I covered because I've already done the above for the 2ndESServer?