
Single sign on

Level 8
Hi all,



I have been trying to get SSO with Kerberos working on one of our servers, but when I test the connection I get the following error:



2008-09-02 11:44:59,398 INFO [com.adobe.idp.um.ui.config.ConfigAuthEditAction] This exception stack trace is due to clicking of test button on Kerberos settings page.This is to help in determining wether Kerberos configuration is working fine or not and is not due to andprogram error. The exception that occured while testing Kerberos related config is
com.wedgetail.idm.sso.ConfigException: Could not validate com.wedgetail.idm.sso.password [caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database]
at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:109)
at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
at com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler.testKerberosConfigBO(SpnegoRequestHandler.java:124)
at com.adobe.idp.um.ui.config.ConfigAuthEditAction.testKerberosSettings_onClick(ConfigAuthEditAction.java:1331)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:129)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
at org.jboss.web.tomcat.s

Former Community Member
Kim:



Have you had any luck getting this one figured out?

Level 8
No unfortunately not - are you experiencing the same problem?



Sincerely

Kim


Former Community Member
Yes, some things I have read about and tried that haven't worked for me but may work for you include:



Try running your application server as the service user you have configured.



Try putting in the IP address of the domain controller in place of the IP address that LiveCycle is running on for DNS IP under the Kerberos settings.



Open AD and verify that the computer exists for the machine where LiveCycle is running (filter for it by name or something so you can see the AD object).



I've not had any luck yet, but maybe one of those will work for you.


Level 4
Hi Kim,



Can you provide more details on how you configured the Kerberos/SPNEGO settings in the AdminUI?



From the error it seems that you have not registered the servicePrincipalName (SPN) for the user you have configured with the AD server.



Probably only with more info can we determine the root cause.

Level 8
Hi again,



Thanks for your input.



I have used the "ktpass" command on the domain controller, but I am not sure that is what you mean, Chetan? Can you elaborate?



I have followed the documentation for setting up the Kerberos SPNEGO connection available in LiveDocs and I believe that I have done as it prescribes, but still no luck.



I will try whatever you can throw at me so just give me your best shot.



Sincerely

Kim


Level 4
OK Kim, here we go.

SPNEGO configuration is a bit tricky as it requires settings in multiple places, so pinpointing the problem may take a few steps. Thanks for your patience.

First I would like to know the configuration settings done on the Kerberos Authentication Provider page. Some questions might be obvious, but I just want to make sure things are correct:

-- Service user - This must be of the form HTTP/...
-- Service realm
-- KDC Host - This must point to your AD server
-- What was the KTPass command you ran
-- Post the LDIF file for the user which is configured as a Service User. You can get that using any LDAP browser

Once I get these then we can move forward.

Level 8
Hi again Chetan,



Thank you so much for your help. I have figured it out.

The problem was that I had used my service user as the user I log into the AD with... this was wrong.

Now I changed it to HTTP/myLCServersName.domainName (Service realm), and now it seems to work perfectly.

I can get it to work in Workspace (with Internet Explorer - not in Firefox though), but not in the AdminUI or Reader Extensions pages. Can you confirm this?



Once again I am so grateful for your help.



Sincerely

Kim


Level 4
Cool, so it worked for you.

Regarding your observation: AdminUI and Reader Extensions UI do not support this mode of authentication. Workspace, Content Services and Rights Management UI would support it.

What's the issue with Firefox? What changes did you make in the about:config section to enable it?


Former Community Member
Chetan:



Why would adminui not support SPNEGO? Is there a comprehensive list anywhere of where SPNEGO has actually been implemented? If such a list exists I can't find it in the documentation.



I think I sorted my Kerberos issues out because I'm not seeing errors and the test passes successfully. I had a problem similar to Kim's, where I was following the documentation for administering LiveCycle that says to put in the name of the AD user, not the SPN-formatted login ID. I'm doing the second test in the documentation, browsing to http://[LiveCycleServer]:8080/um/login?um_no_redirect=true, and it tells me authenticated=true&authstate=COMPLETE&assertionid=... Is that what I should be seeing?



Thank you in advance.


Level 4
Brobble,



I do not think there is any such list. I would have it added to the help/admin docs.

I checked the docs and there it's incorrectly mentioned. I would get that part rectified. It should have been:

"Service User: It's the SPN that you passed to the KTPass tool. So for the example it should be HTTP/lcserver.um.lc.com"

As for the output seen on accessing that URL: yes, it's what you should see if SPNEGO is working for you.

Thanks for pointing out those issues. I would get them rectified soon.
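The lookup that the test button exercises, as an added example that is not LiveCycle or Adobe code: a small Python model of the KDC-side resolution that fails with "Server not found in Kerberos database". It accepts only a service principal (service/host[@REALM]) for the Service User value, rejecting the bare account name both posters had typed in, and resolves it against a constructed stand-in for Active Directory built from the names used in this thread (account demoservice, SPN HTTP/lcserver.um.lc.com; the realm UM.LC.COM is assumed from that host). The IP-address check and the duplicate-SPN refusal mirror the usual AD behaviour, but everything in DIRECTORY is constructed data.

```python
"""Model of the KDC-side lookup behind "Server not found in Kerberos
database".  Added example, not LiveCycle or Adobe code.  DIRECTORY is a
constructed stand-in for Active Directory built from the names used in this
thread; the realm UM.LC.COM is assumed from the host lcserver.um.lc.com."""
import ipaddress
import re

REALM = "UM.LC.COM"  # assumed: the AD domain name, upper-cased, as Kerberos realm

# Constructed: sAMAccountName -> servicePrincipalName values (what
# "setspn -L <account>" would list).  The computer account holds HOST SPNs.
DIRECTORY = {
    "demoservice": ["HTTP/lcserver.um.lc.com"],
    "LCSERVER$": ["HOST/lcserver.um.lc.com", "HOST/LCSERVER"],
    "svc-report": ["HTTP/reports.um.lc.com"],
}

_PRINCIPAL = re.compile(
    r"^(?P<service>[^/@:]+)/(?P<host>[^/@:]+)(?::(?P<port>\d+))?(?:@(?P<realm>[^/@]+))?$"
)


class KerberosError(Exception):
    """Stands in for com.dstc.security.kerberos.KerberosError in the trace."""


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_service_principal(name, default_realm=REALM):
    """Return (spn, realm) for service/host[:port][@REALM].  A bare account
    name is rejected: that is the Service User mistake made in this thread."""
    match = _PRINCIPAL.match(name.strip())
    if not match:
        raise ValueError(f"not a service principal (expected service/host[@REALM]): {name!r}")
    if _is_ip(match["host"]):
        raise ValueError(f"SPN host {match['host']!r} is an IP address; AD registers SPNs by DNS name")
    spn = f"{match['service']}/{match['host'].lower()}"
    if match["port"]:
        spn += f":{match['port']}"
    return spn, (match["realm"] or default_realm).upper()


def holders_of(spn):
    """Accounts whose servicePrincipalName holds spn (AD compares case-insensitively)."""
    return [acct for acct, spns in DIRECTORY.items()
            if any(s.lower() == spn.lower() for s in spns)]


def register_spn(account, spn):
    """Like setspn -S: refuse a duplicate, since two accounts holding one SPN
    leave the KDC unable to choose the key and tickets for it stop working."""
    if account not in DIRECTORY:
        raise KeyError(f"no such account: {account}")
    taken = holders_of(spn)
    if taken:
        raise KerberosError(f"duplicate SPN: {spn} is already registered on {taken}")
    DIRECTORY[account].append(spn)


def lookup_service_account(principal):
    """Resolve a service principal to the account whose key the KDC would use."""
    spn, realm = parse_service_principal(principal)
    if realm != REALM:
        raise KerberosError(f"realm {realm} is not served by this KDC ({REALM})")
    found = holders_of(spn)
    if not found:
        raise KerberosError("Server not found in Kerberos database")
    if len(found) > 1:
        raise KerberosError(f"SPN {spn} is registered on several accounts: {found}")
    return found[0]


def diagnose(service_user):
    """One-line verdict for a candidate value of the Service User field."""
    try:
        return f"ok: {service_user} -> account {lookup_service_account(service_user)}"
    except (ValueError, KerberosError) as err:
        return f"error: {err}"


if __name__ == "__main__":
    for value in ("demoservice",                        # the account name: wrong field value
                  "HTTP/lcserver.um.lc.com@UM.LC.COM",  # the SPN given to ktpass: correct
                  "HTTP/nosuch.um.lc.com",              # hypothetical host with no SPN
                  "HTTP/10.0.0.5@UM.LC.COM"):           # hypothetical IP-based SPN
        print(diagnose(value))
```

Run it directly to see the four verdicts. The value that belongs in the Service User field is the one that parses as service/host@REALM and resolves to exactly one account, which on the real domain controller is what `setspn -L demoservice` should confirm before touching the LiveCycle page.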

Level 8
Hi again,



Thanks for solving our mysteries so fast Chetan, this makes using this forum a top priority when solving issues.



Sincerely

Kim

Level 8
Hi again,



I tried to set my Firefox about:config to the following (as described in the documentation):



network.negotiate-auth.trusted-uris :

.myLCServersName.domainName (as it appears under properties of My Computer)



Is this correct? Because I have not been successful with it...



Sincerely

Kim


Level 4
Try setting it to



network.negotiate-auth.trusted-uris : mylcserversname.domainname

OR

network.negotiate-auth.trusted-uris : .domainname



Note: the first one without the dot and the second one with the dot.
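The matching behind those two forms, as an added example that is not Firefox code: a Python model of how an entry in network.negotiate-auth.trusted-uris is compared with the site the browser is about to answer a Negotiate challenge for. The rule modelled is that the host must equal the entry or end in "." followed by the entry (an entry that starts with a dot matches sub-domains only), plus the scheme://host[:port] prefix form; treat that rule as an assumption and check it against your Firefox version. All host names are hypothetical and reuse lcserver.um.lc.com from this thread.

```python
"""Model of how a network.negotiate-auth.trusted-uris entry is matched
against the site the browser is about to answer a Negotiate challenge for.
Added example, not Firefox code.  Rule modelled (an assumption to check
against your Firefox version): the host must equal the entry or end in
"." + the entry; an entry with a leading dot matches sub-domains only;
an entry may also be a scheme://host[:port] prefix.  Names are hypothetical."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parse_entry(entry):
    """Return (scheme, host, port) for one entry; scheme and port are None
    unless the entry was written in the scheme://host[:port] form."""
    entry = entry.strip().lower()
    if "://" in entry:
        parts = urlsplit(entry)
        return parts.scheme, (parts.hostname or ""), parts.port
    host, _, port = entry.partition(":")
    return None, host, (int(port) if port.isdigit() else None)


def entry_matches(entry, url):
    """True if this single entry permits a Negotiate handshake with url."""
    scheme, pattern, port = _parse_entry(entry)
    if not pattern.strip("."):
        return False                                   # "" or "." trusts nothing here
    target = urlsplit(url.strip().lower())
    host = target.hostname or ""
    if scheme and scheme != target.scheme:
        return False
    if port is not None and port != (target.port or DEFAULT_PORTS.get(target.scheme)):
        return False
    if pattern.startswith("."):
        return host.endswith(pattern)                  # ".um.lc.com": sub-domains only
    # "lcserver.um.lc.com" matches itself and "x.lcserver.um.lc.com";
    # the dot boundary keeps "evil-lcserver.um.lc.com" out
    return host == pattern or host.endswith("." + pattern)


def negotiate_allowed(pref_value, url):
    """Evaluate the whole comma-separated pref value against url."""
    return any(entry_matches(e, url) for e in pref_value.split(",") if e.strip())


def overly_broad(pref_value):
    """Entries with fewer than two host labels (".com", ".", "local").  Such an
    entry lets every host under a public suffix start the handshake; where the
    platform falls back to NTLM inside SPNEGO, an attacker's host on that
    suffix receives an NTLM exchange it can relay.  Heuristic only: a
    single-label intranet name is flagged as well and needs a human look."""
    flagged = []
    for raw in pref_value.split(","):
        if not raw.strip():
            continue
        _, host, _ = _parse_entry(raw)
        if len([label for label in host.split(".") if label]) < 2:
            flagged.append(raw.strip())
    return flagged


if __name__ == "__main__":
    checks = [
        ("lcserver.um.lc.com", "http://lcserver.um.lc.com/workspace"),        # exact host
        ("lcserver.um.lc.com", "http://evil-lcserver.um.lc.com/"),           # boundary keeps this out
        (".um.lc.com", "http://other.um.lc.com/"),                            # suffix form
        ("https://portal.um.lc.com:8443", "http://portal.um.lc.com:8443/"),  # scheme mismatch
    ]
    for pref, url in checks:
        print(f"{pref:32} {url:40} negotiate={negotiate_allowed(pref, url)}")
    print("overly broad:", overly_broad(".com, ., lcserver.um.lc.com"))
```

The overly_broad check is the caveat to keep in mind when widening this pref to make SSO "just work": an entry such as .com hands the Negotiate handshake to any host on that suffix, so keep the list to the LiveCycle host or the internal domain, and prefer the https:// prefix form where the server is reachable over TLS.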


Level 4

Hello all, forgive me if I bring up an old debate.

I have a problem with ktpass.

In the Windows cmd I get this result: "DsCrackNames returned 0x2"

in the name entry for spnegodemo.

Help me.


Level 4

What was the exact command you ran? And by any chance, is your system name also "spnegodemo"?


Level 4

Hello, this is the command to run:

ktpass -princ HTTP/192.168.12.101.adobe.demo@ADOBE.DEMO -mapuser demoservice

192.168.12.101 is the server

adobe.demo is the domain

demoservice is the LiveCycle user