Single sign on

kc
Level 8
Hi all,



I have been trying to get SSO with Kerberos working on one of our servers, but when I test the connection I get the following error:



2008-09-02 11:44:59,398 INFO [com.adobe.idp.um.ui.config.ConfigAuthEditAction] This exception stack trace is due to clicking of test button on Kerberos settings page.This is to help in determining wether Kerberos configuration is working fine or not and is not due to andprogram error. The exception that occured while testing Kerberos related config is
com.wedgetail.idm.sso.ConfigException: Could not validate com.wedgetail.idm.sso.password [caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database]
at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:109)
at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
at com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler.testKerberosConfigBO(SpnegoRequestHandler.java:124)
at com.adobe.idp.um.ui.config.ConfigAuthEditAction.testKerberosSettings_onClick(ConfigAuthEditAction.java:1331)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:129)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:39)
at org.jboss.web.tomcat.s
16 Replies
Not applicable
Kim:



Have you had any luck getting this one figured out?
kc
Level 8
No unfortunately not - are you experiencing the same problem?



Sincerely

Kim
Not applicable
Yes, some things I have read about and tried that haven't worked for me but may work for you include:



Try running your application server as the service user you have configured.



Try putting in the IP address of the Domain controller in place of the IP address that livecycle is running on for DNS IP under the kerberos settings



Open AD and verify that the computer exists for the machine where livecycle is running (filter for it by name or something so you can see the AD object)



I've not had any luck yet, but maybe one of those will work for you.
chetanm_oct
Level 4
Hi Kim,



Can you provide more details on how you configured the Kerberos/SPNEGO settings in the AdminUI?



From the error it seems that you have not registered the servicePrincipalName (SPN) for the user you have configured with the AD server.



Probably only with more info can we determine the root cause.
kc
Level 8
Hi again,



Thanks for your input.



I have used the "ktpass" command on the domain controller, but I am not sure that is what you mean, Chetan? Can you elaborate?



I have followed the documentation for setting up the Kerberos SPNEGO connection available in livedocs and I believe that I have done as it prescribes. But still no luck.



I will try whatever you can throw at me so just give me your best shot.



Sincerely

Kim
chetanm_oct
Level 4
Ok Kim, here we go.



SPNEGO configuration is a bit tricky as it requires settings at multiple places, so pinpointing the problem may take a few steps. So thanks for your patience.



First I would like to know the configuration settings done on the Kerberos Authentication Provider page. Some questions might be obvious but I just want to make sure things are correct:



-- Service user - This must be of the form HTTP/...

-- Service realm

-- KDC Host - This must point to your AD server

-- What was the KTPass command you ran?

-- Post the LDIF file for the user which is configured as a Service User. You can get that using any LDAP browser.



Once I get these, then we can move forward.
kc
Level 8
Hi again Chetan,



Thank you so much for your help. I have figured it out.



The problem was that I had used my service user as the user I log into the AD with...this was wrong.



Now I changed it to HTTP/myLCServersName.domainName(Service realm), and now it seems to work perfectly.



I can get it to work in Workspace (with Internet Explorer - not in Firefox though), but not in the AdminUi or ReaderExtension pages, can you confirm this?



Once again I am so grateful for your help.



Sincerely

Kim
chetanm_oct
Level 4
Cool so it worked for you.

Regarding your observation: AdminUI and Reader Extension UI do not support this mode of authentication. Workspace, Content Services and Rights Management UI would support it.



What's the issue with Firefox? What changes did you make to the about:config section to enable it?
Not applicable
Chetan:



Why would adminui not support SPNEGO? Is there a comprehensive list anywhere of where SPNEGO has actually been implemented? If such a list exists I can't find it in the documentation.



I think I sorted my Kerberos issues out because I'm not seeing errors and the test passes successfully. I had a problem similar to Kim's where I was following the documentation for administering LiveCycle that says to put in the name of the AD user, not the SPN-formatted login id. I'm doing the second test in the documentation, browsing to http://[LiveCycleServer]:8080/um/login?um_no_redirect=true, and it tells me authenticated=true&authstate=COMPLETE&assertionid=... Is that what I should be seeing?



Thank you in advance.
chetanm_oct
Level 4
Brobble,



I do not think there is any such list. I would have it added to the help/admin docs.



I checked the docs and there it's incorrectly mentioned. I would get that part rectified. It should have been:



"Service User: It's the SPN that you passed to the KTPass tool. So for the example it should be HTTP/lcserver.um.lc.com"



As for the output seen on accessing that URL - yes, it's what you should see if SPNEGO is working for you.



Thanks for pointing out those issues; I would get them rectified soon.
kc
Level 8
Hi again,



Thanks for solving our mysteries so fast Chetan, this makes using this forum a top priority when solving issues.



Sincerely

Kim
kc
Level 8
Hi again,



I tried to set my Firefox about:config to the following (as described in the documentation):



network.negotiate-auth.trusted-uris :

.myLCServersName.domainName (as it appears under properties of My Computer)



Is this correct? - because I have not been successful with it...



Sincerely

Kim
chetanm_oct
Level 4
Try setting it to:



network.negotiate-auth.trusted-uris : mylcserversname.domainname

OR

network.negotiate-auth.trusted-uris : .domainname



Note - the first one is without the dot and the second one is with the dot.
noos76
Level 4

Hello all, forgive me if I bring up an old debate.

I have a problem with the ktpass.

In the Windows cmd I get this result: "DsCrackNames returned 0x2"

in the name entry for spnegodemo.

Help me.

chetanm_oct
Level 4

What was the exact command you ran? And by any chance, is your system name also "spnegodemo"?

noos76
Level 4

Hello, this is the command to run:

ktpass -princ HTTP/192.168.12.101.adobe.demo@ADOBE.DEMO -mapuser demoservice

192.168.12.101 is the server

adobe.demo is the domain

demoservice is the LiveCycle user
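Two things in this thread tripped people up: the Service User must be the HTTP/<fqdn> SPN passed to ktpass rather than an AD account name, and the Firefox network.negotiate-auth.trusted-uris entry matches either exactly (no leading dot) or as a domain suffix (leading dot), as Chetan describes. The script below is an added example, not LiveCycle or Adobe code: it checks a Service User value for those mistakes (the all-digit-label check for hostnames that look like an IP address is a general practitioner check, not a diagnosis from the thread) and applies the trusted-uris rule as stated above, which is an assumption about Firefox's exact matching; all sample values are constructed.

```python
import ipaddress
import re

# service/host[@REALM], e.g. HTTP/lcserver.um.lc.com@UM.LC.COM
SPN_RE = re.compile(r"^(?P<service>[^/@]+)/(?P<host>[^/@]+)(?:@(?P<realm>[^/@]+))?$")


def parse_spn(spn):
    """Split 'HTTP/host.domain@REALM' into (service, host, realm); realm may be None."""
    m = SPN_RE.match(spn.strip())
    return None if m is None else (m.group("service"), m.group("host"), m.group("realm"))


def check_service_user(value, expected_realm=None):
    """Return the problems found with a Service User value (empty list means it looks right)."""
    parsed = parse_spn(value)
    if parsed is None:
        # A bare account name (the mistake Kim and Brobble hit) lands here.
        return ["not an SPN: expected the form HTTP/<fqdn>[@REALM], not an account name"]
    service, host, realm = parsed
    problems = []
    if service.upper() != "HTTP":
        problems.append("service class must be HTTP for browser SSO")
    try:
        ipaddress.ip_address(host)  # raises ValueError for a DNS name
        problems.append("host part is an IP address; use the server's DNS name")
    except ValueError:
        labels = host.split(".")
        if len(labels) < 2:
            problems.append("host must be fully qualified (host.domain)")
        if any(label.isdigit() for label in labels):
            problems.append("host contains all-digit labels; this looks like an IP, use the computer name")
    if realm is not None:
        if realm != realm.upper():
            problems.append("realm should be upper case")
        if expected_realm and realm.upper() != expected_realm.upper():
            problems.append("realm does not match the configured Service realm")
    return problems


def trusted_uri_matches(host, entry):
    """Rule as stated in the thread (assumed): a leading dot means 'any host in this domain',
    no leading dot means the entry must equal the host name."""
    host, entry = host.lower(), entry.lower().strip()
    return host.endswith(entry) if entry.startswith(".") else host == entry


def trusted_uri_allows(host, pref_value):
    """network.negotiate-auth.trusted-uris is a comma-separated list; one matching entry is enough."""
    return any(trusted_uri_matches(host, e) for e in pref_value.split(",") if e.strip())
```

Running it against Kim's first Firefox attempt (".myLCServersName.domainName" for the host itself) returns False, while either of Chetan's two forms returns True.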