Adobe LiveCycle (Archived)

kc · ‎02-09-2008

Hi all,

I have been trying to get SSO with Kerberos working on one of our servers, but when I test the connection I get the following error:

2008-09-02 11:44:59,398 INFO [com.adobe.idp.um.ui.config.ConfigAuthEditAction] This exception stack trace is due to clicking of test button on Kerberos settings page.This is to help in determining wether Kerberos configuration is working fine or not and is not due to andprogram error. The exception that occured while testing Kerberos related config is

com.wedgetail.idm.sso.ConfigException: Could not validate com.wedgetail.idm.sso.password [caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database]

at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:109)

at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)

at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)

at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)

at com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler.testKerberosConfigBO(SpnegoRequestHandler.java:124)

at com.adobe.idp.um.ui.config.ConfigAuthEditAction.testKerberosSettings_onClick(ConfigAuthEditAction.java:1331)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:585)

at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)

at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)

at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)

at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)

at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)

at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)

at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)

at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)

at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:129)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)

at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)

at org.jboss.web.tomcat.s

Report · ‎04-09-2008

Kim:

Have you had any luck getting this one figured out?

kc · ‎05-09-2008

No unfortunately not - are you experiencing the same problem?

Sincerely

Kim

Report · ‎05-09-2008

Yes, some things I have read about and tried that haven't worked for me but may work for you include:

Try running your application server as the service user you have configured.

Try putting in the IP address of the Domain controller in place of the IP address that livecycle is running on for DNS IP under the kerberos settings

Open AD and verify that the computer exists for the machine where livecycle is running (filter for it by name or something so you can see the AD object)

I've not had any luck yet, but maybe one of those will work for you.

chetanm_oct · ‎06-09-2008

Hi Kim,

Can you provide more details on how did you configured the Kerberso\SPNEGO settings in the AdminUI

From the error it seems that you have not registered the servicePrincipalName (SPN) for the user you have configured with the AD server

Probably with more info only we can determine the root cause

kc · ‎08-09-2008

Hi again,

Thanks for your input.

I have used the "ktpass" command on the domain controller, but I am not sure that is what you mean Chetan? Can you elaborate?

I have followed the documentation for setting up the Kerberos SPNEGO connection available in livedocs and I believe that I have done as it prescribes. But still no luck

I will try whatever you can throw at me so just give me your best shot.

Sincerely

Kim

chetanm_oct · ‎08-09-2008

Ok Kim here we go

SPNEGO configuration is a bit tricky as it requires settings at multiple places. So pin pointing the problem may take few steps. So thanks for your patience.

First I would like to know the configuration settings done on the Kerberos Authentication Provider page. Some questions might be obvious but I just want to make sure things are correct

-- Service user - This must be of the form HTTP/...

-- Service realm

-- KDC Host - This must point to your AD server

-- What was the KTPass command you ran

-- Post the LDIF file for the user which is configured as a Service User. You can get that using any ldap browser

Once I get these then we can move forward

kc · ‎09-09-2008

Hi again Chetan,

Thank you so much for your help. I have figured it out..

The problem was that I had used my service user as the user I log into the AD with...this was wrong.

Now I changed it to HTTP/myLCServersName.domainName(Service realm), and now it seems to work perfectly.

I can get it to work in Workspace (with Internet Explorer - not in Firefox though), but not in the AdminUi or ReaderExtension pages, can you confirm this?

Once again I am so grateful for your help.

Sincerely

Kim

chetanm_oct · ‎09-09-2008

Cool so it worked for you.

Regarding your observation AdminUI and Reader Extension UI do not support this mode of authentication. Workspace, Content Services and Rights Management UI would support it

Whats the issue with Firefox. What changes you made to about:config section to enable it?

Report · ‎10-09-2008

Chetan:

Why would adminui not support SPNEGO? Is there a comprehensive list anywhere of where SPNEGO has actually been implemented? If such a list exists I can't find it in the documentation.

I think I sorted my kerberos issues out because I'm not seeing errors and the test passes successfully. I had a problem similar to Kim where I was following the documentation for administering LiveCycle that says to put in the name of the AD user not the SPN formatted login id. I'm doing the second test in the documentation browsing to http://[LiveCycleServer]:8080/um/login?um_no_redirect=true and it tells me authenticated=true&authstate=COMPLETE&assertionid=... Is that what I should be seeing?

Thank you in advance.

chetanm_oct · ‎10-09-2008

Brobble,

I do not think there is any such list. I would have it added to the help/admin docs

I checked the docs and there its incorrectly mentioned. Would get that part rectified. It should have been

"Service User: Its the SPN that you passed to the KTPass tool. So for the example it should be HTTP/lcserver.um.lc.com"

As for the output seen on accessing that url - Yes its what you should see if SPNEGO is working for you

Thanks for pointing those issues I would get them rectified soon.

kc · ‎10-09-2008

Hi again,

Thanks for solving our mysteries so fast Chetan, this makes using this forum a top priority when solving issues.

Sincerely

Kim

kc · ‎11-09-2008

Hi again,

I tried to set my Firefox about:config to the following (as described in the documentation):

network.negotiate-auth.trusted-uris :

.myLCServersName.domainName (as it appears under properties of My Computer)

Is this correct? - because I have not been successful with it...

Sincerely

Kim

chetanm_oct · ‎11-09-2008

Try setting it to

network.negotiate-auth.trusted-uris : mylcserversname.domainname

OR

network.negotiate-auth.trusted-uris : .domainname

Note - First one without the dot and second one with dot

noos76 · ‎22-10-2010

hello all, forgive me if I bring up an old debate.

I have a problem with the ktpass

in cmd of windows I get this result "DsCrackNames returned 0x2"

in the name entry for spnegodemo

help me

chetanm_oct · ‎24-10-2010

What was the exact command you ran. And by any chance is your system name is alos "spnegodemo"

noos76 · ‎25-10-2010

hello this is the command to run

ktpass -princ HTTP/192.168.12.101.adobe.demo@ADOBE.DEMO -mapuser demoservice

192.168.12.101 is server

adobe.demo is domain

demoservice is user livecycle

Adobe LiveCycle (Archived)

Single sign on

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe