Single sign on

kc

02-09-2008

Hi all,



I have been trying to get SSO with Kerberos working on one of our servers, but when I test the connection I get the following error:



2008-09-02 11:44:59,398 INFO [com.adobe.idp.um.ui.config.ConfigAuthEditAction] This exception stack trace is due to clicking of test button on Kerberos settings page.This is to help in determining wether Kerberos configuration is working fine or not and is not due to andprogram error. The exception that occured while testing Kerberos related config is
com.wedgetail.idm.sso.ConfigException: Could not validate com.wedgetail.idm.sso.password [caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database]
at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:109)
at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
at com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler.testKerberosConfigBO(SpnegoRequestHandler.java:124)
at com.adobe.idp.um.ui.config.ConfigAuthEditAction.testKerberosSettings_onClick(ConfigAuthEditAction.java:1331)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:129)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
at org.jboss.web.tomcat.s

Replies

Guest

05-09-2008

Yes, some things I have read about and tried that haven't worked for me but may work for you include:



Try running your application server as the service user you have configured.



Try putting in the IP address of the domain controller in place of the IP address that LiveCycle is running on for DNS IP under the Kerberos settings.



Open AD and verify that the computer exists for the machine where LiveCycle is running (filter for it by name or something so you can see the AD object).



I've not had any luck yet, but maybe one of those will work for you.
chetanm_oct

06-09-2008

Hi Kim,



Can you provide more details on how you configured the Kerberos/SPNEGO settings in the AdminUI?



From the error it seems that you have not registered the servicePrincipalName (SPN) for the user you have configured with the AD server.



Probably only with more info can we determine the root cause.
kc

08-09-2008

Hi again,



Thanks for your input.



I have used the "ktpass" command on the domain controller, but I am not sure that is what you mean, Chetan. Can you elaborate?



I have followed the documentation for setting up the Kerberos SPNEGO connection available in livedocs and I believe that I have done as it prescribes. But still no luck.



I will try whatever you can throw at me so just give me your best shot.



Sincerely

Kim
chetanm_oct

08-09-2008

Ok Kim, here we go.



SPNEGO configuration is a bit tricky as it requires settings in multiple places. So pinpointing the problem may take a few steps. So thanks for your patience.



First I would like to know the configuration settings done on the Kerberos Authentication Provider page. Some questions might be obvious, but I just want to make sure things are correct.



-- Service user - This must be of the form HTTP/...

-- Service realm

-- KDC Host - This must point to your AD server

-- What was the ktpass command you ran?

-- Post the LDIF file for the user which is configured as a Service User. You can get that using any LDAP browser.



Once I get these, we can move forward.
kc

09-09-2008

Hi again Chetan,



Thank you so much for your help. I have figured it out.



The problem was that I had used my service user as the user I log into the AD with...this was wrong.



Now I changed it to HTTP/myLCServersName.domainName (Service realm), and it seems to work perfectly.



I can get it to work in Workspace (with Internet Explorer, not in Firefox though), but not in the AdminUI or Reader Extensions pages. Can you confirm this?



Once again I am so grateful for your help.



Sincerely

Kim
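Chetan's checklist (service user of the form HTTP/..., service realm, the ktpass command, the account's LDIF) and Kim's fix (the service user must be the SPN, not the AD login name) can be turned into a consistency check that compares the three places where the principal has to agree. The script below is an added example, not code from this thread or from LiveCycle; the host, account, realm and LDIF are constructed placeholders, and it assumes only the real ktpass switches /princ and /mapuser.

```python
import re

# Constructed placeholders standing in for the AdminUI fields, the ktpass run and the AD LDIF.
SERVICE_USER = "HTTP/lcserver.example.com@EXAMPLE.COM"   # "Service user" field
SERVICE_REALM = "EXAMPLE.COM"                             # "Service realm" field
KTPASS_CMD = ("ktpass /princ HTTP/lcserver.example.com@EXAMPLE.COM /mapuser svc_lc@EXAMPLE.COM "
              "/pass * /ptype KRB5_NT_PRINCIPAL /out lc.keytab")
LDIF = """dn: CN=svc_lc,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc_lc
userPrincipalName: HTTP/lcserver.example.com@EXAMPLE.COM
servicePrincipalName: HTTP/lcserver.example.com
servicePrincipalName: HTTP/lcserver
"""
SPN_RE = re.compile(r"^HTTP/(?P<host>[^@/\s]+)(?:@(?P<realm>\S+))?$")

def parse_spn(spn):
    """Split 'HTTP/host[@REALM]' into (host lower-cased, realm or None); None if malformed."""
    m = SPN_RE.match(spn or "")
    return (m.group("host").lower(), m.group("realm")) if m else None

def ktpass_args(cmd):
    """Pick the /princ and /mapuser values out of a ktpass command line (unquoted args only)."""
    toks = cmd.split()
    return {t.lower().lstrip("/-"): toks[i + 1]
            for i, t in enumerate(toks[:-1]) if t.lower().lstrip("/-") in ("princ", "mapuser")}

def ldif_attr(ldif, name):
    """All values of one attribute in a single-entry LDIF (attribute names are case-insensitive)."""
    pairs = (line.split(":", 1) for line in ldif.splitlines() if ":" in line)
    return [v.strip() for a, v in pairs if a.strip().lower() == name.lower()]

def check_spnego_config(service_user, realm, ktpass_cmd, ldif):
    """Return the mismatches between the AdminUI fields, the ktpass run and the AD object."""
    spn = parse_spn(service_user)
    if not spn:
        return ["service user must be of the form HTTP/host[@REALM], not a plain AD login name"]
    host, spn_realm = spn
    findings = []
    if "." not in host:
        findings.append("service user host is not fully qualified")
    if spn_realm and spn_realm != realm:
        findings.append("realm in the service user differs from the Service realm field")
    kt_princ = parse_spn(ktpass_args(ktpass_cmd).get("princ"))
    if not kt_princ or kt_princ[0] != host or (kt_princ[1] and kt_princ[1] != realm):
        findings.append("ktpass /princ does not match the configured service user and realm")
    ad_hosts = {h for h, _ in filter(None, map(parse_spn, ldif_attr(ldif, "servicePrincipalName")))}
    if host not in ad_hosts:
        findings.append("AD account has no servicePrincipalName HTTP/<host> for this server")
    return findings
```

An empty result means the three sources agree; a "Server not found in Kerberos database" error with a non-empty result points at the mismatch to fix first.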
chetanm_oct

09-09-2008

Cool, so it worked for you.

Regarding your observation: AdminUI and Reader Extensions UI do not support this mode of authentication. Workspace, Content Services and Rights Management UI would support it.



What's the issue with Firefox? What changes did you make to the about:config section to enable it?
Guest

10-09-2008

Chetan:



Why would AdminUI not support SPNEGO? Is there a comprehensive list anywhere of where SPNEGO has actually been implemented? If such a list exists, I can't find it in the documentation.



I think I sorted my Kerberos issues out because I'm not seeing errors and the test passes successfully. I had a problem similar to Kim's, where I was following the documentation for administering LiveCycle that says to put in the name of the AD user, not the SPN-formatted login id. I'm doing the second test in the documentation, browsing to http://[LiveCycleServer]:8080/um/login?um_no_redirect=true, and it tells me authenticated=true&authstate=COMPLETE&assertionid=... Is that what I should be seeing?



Thank you in advance.