Kerberos SSO - working in Windows but failed in unix

Former Community Member

Hi all,

Let me explain my current situation.

We need to enable SSO Kerberos in Windows Server 2003 for LiveCycle with WebSphere.

In the development environment, the Application Server is installed on a Windows-based machine (Windows XP / Windows Server 2003), and we tested Kerberos successfully.

In the client's environment, the Application Server is installed on Unix; we tested Kerberos and it failed.

From what I observed,

In the Windows environment, we can use any name of the format HTTP/xxx with the ktpass command, e.g.

ktpass -princ HTTP/1.1.1.1@DOMAIN.COM -mapuser spnego

I put it in the Service User field and it will test successfully with Windows Environment.

(Of course, in actual configuration, I put HTTP/<lcesServerName>.domain.com)

In Unix environment, we have the exception "Server not found in kerberos database"

When I read the /etc/hosts file, I saw that <lcesServerName>.domain.com is mapped to 2 different IP addresses,

10.172.16.16 and 10.0.0.1, and the one with precedence is 10.172.16.16 <lcesServerName>.domain.com,

i.e. if I ping <lcesServerName>.domain.com it will ping the IP 10.172.16.16.

I thought that in Unix, after authenticating successfully, it tries to connect to the real lces server, i.e. <lcesServerName>.domain.com, and because internal Unix cannot connect to the external IP (10.172.16.16), it failed.

Then I tried to create another service user, sso.<lcesServerName>.domain.com, to map specifically to 10.0.0.1, and LiveCycle returned the error "No resolver supplied". The same thing happens if I map HTTP/10.0.0.1 to spnego.

The exception is (totally not related to LiveCycle):
================

[10/16/09 16:29:17:816 CST] 0000015e ConfigAuthEdi A com.adobe.idp.um.ui.config.ConfigAuthEditAction testKerberosSettings_onClick TRAS0014I: The following exception was logged java.lang.IllegalArgumentException: No resolver supplied
at com.wedgetail.idm.sso.directory.ad.DefaultADConfig.<init>(DefaultADConfig.java:121)
at com.wedgetail.idm.sso.auth.FilterAuthContext.<init>(FilterAuthContext.java:260)
at com.wedgetail.idm.sso.AbstractAuthenticator.getAuthSession(AbstractAuthenticator.java:636)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:509)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)

=================

I'm sure that the Service User, Service Password, KDC Host and spnego user account are properly configured.

Is there any idea why test kerberos fails in Unix or is it because of Unix or the AD server?

Thank you,

Tuan Anh
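
A check for the condition described in the post above, where one host name appears against two addresses in /etc/hosts (added example, not part of the original post or of LiveCycle; `lces.domain.com` stands in for `<lcesServerName>.domain.com`, and the sample file is constructed). It assumes the resolver returns the first matching line, as the ping result in the post indicates.

```python
import ipaddress

# Constructed sample mirroring the post: one name listed on two addresses.
# "lces.domain.com" is a placeholder for <lcesServerName>.domain.com.
SAMPLE_HOSTS = """\
127.0.0.1      localhost
10.172.16.16   lces.domain.com lces   # external address, listed first
10.0.0.1       lces.domain.com        # internal address
10.0.0.7       kdc.domain.com kdc
"""


def parse_hosts(text):
    """Parse hosts-file text into {lowercased name: [addresses in file order]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # skip malformed lines
        for name in fields[1:]:
            addrs = table.setdefault(name.lower(), [])
            if addr not in addrs:
                addrs.append(addr)
    return table


def ambiguous_names(table):
    """Return {name: (first_listed_address, [shadowed addresses])}."""
    return {
        name: (addrs[0], addrs[1:])
        for name, addrs in table.items()
        if len(addrs) > 1
    }


def check_spn_host(spn, table):
    """Split 'service/host[@REALM]' and report how the host part appears
    in the parsed hosts table."""
    service, sep, rest = spn.partition("/")
    if not sep or not rest:
        raise ValueError("expected service/host[@REALM]: %r" % spn)
    host = rest.split("@", 1)[0].lower()
    try:
        ipaddress.ip_address(host)
        host_is_ip = True  # e.g. HTTP/10.0.0.1, one of the forms tried in the post
    except ValueError:
        host_is_ip = False
    addrs = [] if host_is_ip else list(table.get(host, []))
    return {
        "service": service,
        "host": host,
        "host_is_ip": host_is_ip,
        "addresses": addrs,
        "ambiguous": len(addrs) > 1,
    }


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name, (winner, shadowed) in ambiguous_names(hosts).items():
        print("%s: first match %s, shadowed %s" % (name, winner, ", ".join(shadowed)))
    for spn in ("HTTP/lces.domain.com@DOMAIN.COM", "HTTP/10.0.0.1@DOMAIN.COM"):
        print(check_spn_host(spn, hosts))
```

To run it against a real machine, pass the contents of /etc/hosts to `parse_hosts` in place of the sample.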

23 Replies

Former Community Member

I post the exception in this post:

Server not found in Kerberos database exception:

[10/16/09 17:30:55:483 CST] 00000217 ConfigAuthEdi A com.adobe.idp.um.ui.config.ConfigAuthEditAction testKerberosSettings_onClick This exception stack trace is due to clicking of test button on Kerberos settings page.This is to help in determining wether Kerberos configuration is working fine or not and is not due to andprogram error. The exception that occured while testing Kerberos related config is
[10/16/09 17:30:55:487 CST] 00000217 ConfigAuthEdi A com.adobe.idp.um.ui.config.ConfigAuthEditAction testKerberosSettings_onClick TRAS0014I: The following exception was logged com.wedgetail.idm.sso.ConfigException: Could not validate com.wedgetail.idm.sso.password [caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database]
        at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:109)
        at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
        at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
        at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
        at com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler.testKerberosConfigBO(SpnegoRequestHandler.java:124)
        at com.adobe.idp.um.ui.config.ConfigAuthEditAction.testKerberosSettings_onClick(ConfigAuthEditAction.java:1331)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:618)
        at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
        at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
        at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
        at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
        at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
        at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
        at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1146)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1087)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
        at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
        at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
        at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:113)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:837)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:680)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:588)
        at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:524)
        at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:90)
        at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:751)
        at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1478)
        at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:125)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
        at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
        at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
        at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
        at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
        at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
        at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:196)
        at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:751)
        at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:881)
        at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1497)
Caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database
        at com.dstc.security.kerberos.Kerberos.getKrbASRepFromKDC(Kerberos.java:1165)
        at com.dstc.security.kerberos.Kerberos.requestInitialTicket(Kerberos.java:914)
        at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:83)
        ... 52 more
Caused by: com.dstc.security.kerberos.KerberosError: Server not found in Kerberos database
        at com.dstc.security.kerberos.Kerberos.getKrbASRepFromKDC(Kerberos.java:1165)
        at com.dstc.security.kerberos.Kerberos.requestInitialTicket(Kerberos.java:914)
        at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:83)
        at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
        at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
        at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
        at com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler.testKerberosConfigBO(SpnegoRequestHandler.java:124)
        at com.adobe.idp.um.ui.config.ConfigAuthEditAction.testKerberosSettings_onClick(ConfigAuthEditAction.java:1331)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:618)
        at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
        at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
        at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
        at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
        at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
        at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
        at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
        at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1146)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1087)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
        at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
        at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
        at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:113)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:837)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:680)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:588)
        at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:524)
        at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:90)
        at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:751)
        at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1478)
        at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:125)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
        at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
        at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
        at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
        at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
        at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
        at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:196)
        at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:751)
        at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:881)
        at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1497)
.


=========================================================

No resolver supplied error:

[10/16/09 16:19:56:369 CST] 00000240 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\ASAAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:19:56:930 CST] 00000159 Reference     I org.apache.xml.security.signature.Reference verify Verification successful for URI "#a95c3d350a4d248743d84634d5cef871"
[10/16/09 16:19:57:059 CST] 00000239 Reference     I org.apache.xml.security.signature.Reference verify Verification successful for URI "#a95c3d350a4d248743d84634d5cef871"
[10/16/09 16:19:58:368 CST] 0000015b Reference     I org.apache.xml.security.signature.Reference verify Verification successful for URI "#a95c3d350a4d248743d84634d5cef871"
[10/16/09 16:19:58:382 CST] 00000159 Reference     I org.apache.xml.security.signature.Reference verify Verification successful for URI "#a95c3d350a4d248743d84634d5cef871"
[10/16/09 16:20:00:103 CST] 00000239 Reference     I org.apache.xml.security.signature.Reference verify Verification successful for URI "#a95c3d350a4d248743d84634d5cef871"
[10/16/09 16:20:00:323 CST] 00000239 ConfigAuthEdi A com.adobe.idp.um.ui.config.ConfigAuthEditAction testKerberosSettings_onClick This exception stack trace is due to clicking of test button on Kerberos settings page.This is to help in determining wether Kerberos configuration is working fine or not and is not due to andprogram error. The exception that occured while testing Kerberos related config is
[10/16/09 16:20:00:335 CST] 00000239 ConfigAuthEdi A com.adobe.idp.um.ui.config.ConfigAuthEditAction testKerberosSettings_onClick TRAS0014I: The following exception was logged java.lang.IllegalArgumentException: No resolver supplied
at com.wedgetail.idm.sso.directory.ad.DefaultADConfig.<init>(DefaultADConfig.java:121)
at com.wedgetail.idm.sso.auth.FilterAuthContext.<init>(FilterAuthContext.java:260)
at com.wedgetail.idm.sso.AbstractAuthenticator.getAuthSession(AbstractAuthenticator.java:636)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:509)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
at com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler.testKerberosConfigBO(SpnegoRequestHandler.java:124)
at com.adobe.idp.um.ui.config.ConfigAuthEditAction.testKerberosSettings_onClick(ConfigAuthEditAction.java:1331)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1146)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1087)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:113)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:837)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:680)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:588)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:524)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:90)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:751)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1478)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:125)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:196)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:751)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:881)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1497)
.
[10/16/09 16:20:00:483 CST] 0000015b Reference     I org.apache.xml.security.signature.Reference verify Verification successful for URI "#cb7bd1fd5dfe83df3593990cf9485360"
[10/16/09 16:20:00:489 CST] 00000159 Reference     I org.apache.xml.security.signature.Reference verify Verification successful for URI "#cb7bd1fd5dfe83df3593990cf9485360"
[10/16/09 16:20:00:491 CST] 00000239 Reference     I org.apache.xml.security.signature.Reference verify Verification successful for URI "#cb7bd1fd5dfe83df3593990cf9485360"
[10/16/09 16:20:32:658 CST] 00000287 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2CellManager01\dmgr, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:21:00:552 CST] 0000029c Reference     I org.apache.xml.security.signature.Reference verify Verification successful for URI "#a95c3d350a4d248743d84634d5cef871"
[10/16/09 16:21:00:717 CST] 0000029c ConfigAuthEdi A com.adobe.idp.um.ui.config.ConfigAuthEditAction testKerberosSettings_onClick This exception stack trace is due to clicking of test button on Kerberos settings page.This is to help in determining wether Kerberos configuration is working fine or not and is not due to andprogram error. The exception that occured while testing Kerberos related config is
[10/16/09 16:21:00:721 CST] 0000029c ConfigAuthEdi A com.adobe.idp.um.ui.config.ConfigAuthEditAction testKerberosSettings_onClick TRAS0014I: The following exception was logged java.lang.IllegalArgumentException: No resolver supplied
at com.wedgetail.idm.sso.directory.ad.DefaultADConfig.<init>(DefaultADConfig.java:121)
at com.wedgetail.idm.sso.auth.FilterAuthContext.<init>(FilterAuthContext.java:260)
at com.wedgetail.idm.sso.AbstractAuthenticator.getAuthSession(AbstractAuthenticator.java:636)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:509)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
at com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler.testKerberosConfigBO(SpnegoRequestHandler.java:124)
at com.adobe.idp.um.ui.config.ConfigAuthEditAction.testKerberosSettings_onClick(ConfigAuthEditAction.java:1331)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1146)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1087)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:113)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:837)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:680)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:588)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:524)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:90)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:751)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1478)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:125)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:267)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture$1.run(AsyncChannelFuture.java:205)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1497)
.
[10/16/09 16:21:15:332 CST] 00000285 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\DRAAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:21:26:661 CST] 00000240 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\SGSAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:21:37:322 CST] 00000240 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\ESVAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:22:23:448 CST] 00000285 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\OFFICEAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:22:52:648 CST] 00000284 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\nodeagent, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:24:22:486 CST] 00000285 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2CellManager01\dmgr, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:24:59:767 CST] 00000285 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\ESVAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:25:45:869 CST] 00000284 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\OFFICEAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:26:17:920 CST] 00000240 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\DRAAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:27:56:827 CST] 00000240 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\SGSAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:28:20:067 CST] 00000240 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\ESVAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:29:06:138 CST] 00000240 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\OFFICEAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:29:15:219 CST] 00000240 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\nodeagent, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:29:17:575 CST] 0000015e Reference     I org.apache.xml.security.signature.Reference verify Verification successful for URI "#a95c3d350a4d248743d84634d5cef871"
[10/16/09 16:29:17:812 CST] 0000015e ConfigAuthEdi A com.adobe.idp.um.ui.config.ConfigAuthEditAction testKerberosSettings_onClick This exception stack trace is due to clicking of test button on Kerberos settings page.This is to help in determining wether Kerberos configuration is working fine or not and is not due to andprogram error. The exception that occured while testing Kerberos related config is
[10/16/09 16:29:17:816 CST] 0000015e ConfigAuthEdi A com.adobe.idp.um.ui.config.ConfigAuthEditAction testKerberosSettings_onClick TRAS0014I: The following exception was logged java.lang.IllegalArgumentException: No resolver supplied
at com.wedgetail.idm.sso.directory.ad.DefaultADConfig.<init>(DefaultADConfig.java:121)
at com.wedgetail.idm.sso.auth.FilterAuthContext.<init>(FilterAuthContext.java:260)
at com.wedgetail.idm.sso.AbstractAuthenticator.getAuthSession(AbstractAuthenticator.java:636)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:509)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
at com.adobe.idp.um.auth.filter.spnego.SpnegoRequestHandler.testKerberosConfigBO(SpnegoRequestHandler.java:124)
at com.adobe.idp.um.ui.config.ConfigAuthEditAction.testKerberosSettings_onClick(ConfigAuthEditAction.java:1331)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:79)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at com.cc.framework.adapter.struts.ActionUtil.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.handleFormAction(Unknown Source)
at com.cc.framework.adapter.struts.ActionUtil.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at com.cc.framework.adapter.struts.FWAction.execute(Unknown Source)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1146)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1087)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
at com.adobe.framework.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:173)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.adobe.idp.um.auth.filter.AuthenticationFilter.doFilter(AuthenticationFilter.java:154)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.adobe.idp.um.auth.filter.PortalSSOFilter.doFilter(PortalSSOFilter.java:113)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:837)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:680)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:588)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:524)
at com.ibm.ws.webcontainer.servlet.CacheServletWrapper.handleRequest(CacheServletWrapper.java:90)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:751)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1478)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:125)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:458)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:387)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.ready(HttpInboundLink.java:267)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:196)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:751)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:881)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1497)
.
[10/16/09 16:30:48:602 CST] 00000284 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\DRAAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:31:11:746 CST] 00000240 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\ASAAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:31:40:338 CST] 00000285 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\ESVAppSrv, details: alarm(): Closing the connection because members did not manage to connect.
[10/16/09 16:32:26:366 CST] 00000287 DiscoveryServ W   DCSV1036W: DCS Stack DefaultCoreGroup at Member dcssys2Cell01\dcssys2Node02\GIPAppSrv: An unusual connectivity state occured with member dcssys2Cell01\dcssys2Node01\OFFICEAppSrv, details: alarm(): Closing the connection because members did not manage to connect.

Regards,

Tuan Anh

Level 10

Kerberos SSO, which leverages Microsoft Kerberos, only works in Microsoft Windows architecture.

Jasmin

Former Community Member

Hi Jasmin,

My customer installs Livecycle in Unix and uses Windows AD server to authenticate user.

Do you mean that Kerberos only works with pure Windows based environments (Windows - LCES + Windows - AD Server) and will not work on mixed environment (Unix - LCES + Windows - AD Server) ?

Regards,

Tuan Anh

Level 10

Correct. It'll only work in pure Windows based environments.

Jasmin

Level 4

Kerberos should work with LC running on a Unix system, the requirement being that the clients must be running on Windows.

Can you post the settings you used for LC in the Unix environment? Also, http://mailman.mit.edu/pipermail/kerberos/2006-July/010181.html might be of help to you. It looks like AD only allows known clients to connect to it, so making an entry for the client should allow it to find the server.

Level 10

My mistake then.

Sorry about that.

Jasmin

Former Community Member

Hi Chetan,

I follow the Adobe Admin guide document exactly:

(I use ktpass to map HTTP/DCSSYS2.MYDOMAIN.COM@MYDOMAIN.COM to an AD user account.)

DNS IP: 10.178.16.38 (LCES App Server IP, which is DCSSYS2.MYDOMAIN.COM)

KDC Host: MDEVAD01.MYDOMAIN.COM

Service User: HTTP/DCSSYS2.MYDOMAIN.COM

Service Realm: MYDOMAIN.COM

Service Password: password

Enable SPNEGO: <checked>

Is there any other setting you expect that I missed?

Perhaps you are correct. Next time I will try to add the service user to the /system32/drivers/etc/hosts file of the AD server and let you know the result.

Thank you for your comment, Chetan and Jasmin.

Regards,

Tuan Anh

Former Community Member

Hi,

The AD server is able to ping DCSSYS2.MYDOMAIN.COM, so I think the AD admin will not accept my request to map DCSSYS2.MYDOMAIN.COM in the hosts file.

After that I changed the service user from HTTP/DCSSYS2.MYDOMAIN.COM to HTTP/DCSSYS7.MYDOMAIN.COM, and the test in LiveCycle was successful, but SSO still fails when I try the URL http://DCSSYS2.MYDOMAIN.COM:9080/um/login?um_no_redirect=true. The result is "authenticated=false&authstate=SPNEGO_CHALLENGE".

(DCSSYS7 is a cloned environment of DCSSYS2 and it is pingable from AD server)

I use the following settings:

DNS IP: 10.178.16.38 (LCES App Server IP, which is DCSSYS2.MYDOMAIN.COM)

KDC Host: MDEVAD01.MYDOMAIN.COM

Service User: HTTP/DCSSYS7.MYDOMAIN.COM

Service Realm: MYDOMAIN.COM

Service Password: password

Enable SPNEGO: <checked>

Did I miss any step?

Anh

Level 10

DNS IP: 10.178.16.38 (LCES App Server IP, which is DCSSYS2.MYDOMAIN.COM)

Just verify the above setting. It should not be the IP address of the LCES App Server. Rather, it should be the IP address of the DNS server on which the LCES Server is running.

Nith

Former Community Member

Hi Nith,

Thank you for your reply.

Unix doesn't have any DNS server. It resolves names through the hosts file; that's why I need to put in LCES's IP address.

I have resolved SSO for the DCSSYS2 server and am waiting for an Adobe expert to help me resolve the DCSSYS7 server (the error message on DCSSYS7 is "no resolver supplied").

For DCSSYS2, I need to access it via the machine name, i.e. http://dcssys2:9080/workspace.

I will update the configuration after DCSSYS7 is resolved.

Regards,

Anh

Level 10

Good luck

Thanks & Regards,

Nith

Level 4

A couple of points to mention for SPNEGO:

  • The Service Principal Name used in the LC configuration can be *any* arbitrary string as long as it is
    • Unique
    • Follows the HTTP/xxx convention
    • Used in the ktpass command
    • Need not be the actual DNS name
  • Once that is done, you would then need to register all the URLs which one can use to access the LC server using the setspn -A command. So if a server is accessed as http://lcserver or http://lcserver.domain.com (fully qualified), then register both such URLs with AD under the service account used in the previous step
  • After that, ensure that browsers are configured as per the documentation

If the issue still persists, then I would suggest you contact Adobe Support.
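
The registration rule in the post above can be checked mechanically. The following is an added example, not part of the original thread and not Adobe's or Microsoft's code: it parses a constructed `setspn -L` style listing and reports, for each URL users might type, whether the matching `HTTP/<host>` SPN is registered exactly once on the service account. The account DNs, the `oldsvc` account and the function names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the layout printed by `setspn -L <account>`; the DNs are made up.
SETSPN_LISTING = """\
Registered ServicePrincipalNames for CN=spnego,CN=Users,DC=mydomain,DC=com:
    HTTP/LIVECYCLE
    HTTP/DCSSYS7
Registered ServicePrincipalNames for CN=oldsvc,CN=Users,DC=mydomain,DC=com:
    HTTP/DCSSYS7
"""
HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_setspn(text):
    """Map each SPN (upper-cased; AD compares them case-insensitively) to its owner DNs."""
    owners, account = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            account = m.group(1)
        elif line.strip() and account:
            owners.setdefault(line.strip().upper(), []).append(account)
    return owners

def spn_for_url(url):
    """SPN the client requests: HTTP/<host as typed>. Assumes the port is not
    part of the SPN and that no DNS alias rewrites the host name."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return "HTTP/" + host.upper()

def audit(urls, listing, account_cn):
    """Classify every access URL as ok, missing, duplicate or wrong account."""
    owners, report = parse_setspn(listing), {}
    prefix = f"CN={account_cn},".upper()  # assumption: the account's CN equals its logon name
    for url in urls:
        spn = spn_for_url(url)
        accounts = owners.get(spn, [])
        if not accounts:            # KDC would not find the service principal
            report[url] = f"missing: {spn}"
        elif len(accounts) > 1:     # violates the "unique" requirement
            report[url] = f"duplicate: {spn}"
        elif not accounts[0].upper().startswith(prefix):
            report[url] = f"wrong account: {spn}"
        else:
            report[url] = "ok"
    return report
```

Running `audit` over every host name form in use (short name, fully qualified name, any alias) shows which `setspn -A` registrations are still missing and which SPNs need to be removed from a second account.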

Former Community Member

Hi,

Finally the Kerberos settings have been resolved.

Now we can hit the page using http://machinename, but not with http://machinename.mydomain.com

The commands I executed are:

setspn -A HTTP/LIVECYCLE spnego

setspn -A HTTP/DCSSYS2 spnego

setspn -A HTTP/DCSSYS2.MYDOMAIN.COM spnego

setspn -A HTTP/DCSSYS7 spnego

setspn -A HTTP/DCSSYS7.MYDOMAIN.COM spnego

ktpass -princ HTTP/LIVECYCLE@MYDOMAIN.COM -mapuser spnego

HTTP/LIVECYCLE is used as the Service User. After that I configured Kerberos normally, as per the documentation.

The "No resolver supplied" error is because LiveCycle on AIX requires reading the file /etc/resolv.cfn and this file is not there on the system. Our client's admin removed everything. He only puts it in if we require it. There is also a firewall between the AppServer and AD; we need to specify the port numbers to be opened, in this case 88, 389 and 464.

The debug process is quite tedious. I need to export the config.xml from adminui, then change the value kerbDebug = true, then put it back. After that, go into WebSphere, AppServer > your AppServer > Change log and trace level > Configuration > Runtime, and add log level to dstc.com.security.*, com.adobe.ipd.um.*.

The new file trace.log will be created in the logs folder.

Firefox still cannot use SSO. I have tried adding either ".MYDOMAIN.COM" or "DCSSYS7.MYDOMAIN.COM" or "." or both of them in network.negotiate-auth.trusted-uri, but it still does not work.

Any idea why it does not work?

Regards,

Anh

Level 4

Good to know things started working in some cases. For Firefox, it should have worked with the configuration you did.

Can you check the network traffic using Wireshark and look for messages related to Kerberos? That should indicate or give a hint on what's going wrong.

Also, what is your client OS?

Former Community Member

Hi Chetan,

Thank you for your reply,

My client uses Firefox 3.0.5 and Windows XP Professional OS.

I'm afraid I don't have rights to install any software on the client's machine. It is a very restricted environment.

Can I ask the AD admin to help me capture the traffic instead?

Regards,

Anh

Level 4

It might help. For SPNEGO to work there are two channels of communication

-> client-> LC

-> client -> AD

So capturing traffic at the two ends should help to get some clue. What happens when you access using FF? Are there any logs on the server with the logging turned on as you mentioned in your earlier post?

Former Community Member

Hi Chetan,

The good news is that the fully qualified name now works after adding it (DCSSYS7.MYDOMAIN.COM) to the trusted sites in IE 7 (the short name doesn't need this).

For Firefox, I'm now not sure what value I should put in "network.negotiate-auth.trusted-uris". From what the documentation says, .MYDOMAIN.COM is bigger than DCSSYS7.MYDOMAIN.COM, so I use .MYDOMAIN.COM, but it still does not work.

Regards,

Anh

Former Community Member

Just to update:

When testing with Firefox 3.0.5, and .MYDOMAIN.COM in network.negotiate-auth.trusted-uris, the trace.log gives me:

[11/13/09 10:40:39:115 CST] 000000b8 SSOFilter     3 711:com.adobe.idp.um.auth.filter.SSOFilter doFilter Initiating negotiation using SPENGO. Sending 401

Anh

Former Community Member

Hi all,

My client agrees to use IE for office work, so Firefox may not be a problem.

But now they want to use SSO over SSL and disable all non-secure ports.

I have read the thread "Problem running customized workspace over SSL"

http://forums.adobe.com/thread/505169

and followed the steps.

But after that, I still encounter the same problem:

On the first login, it stops at the Login Screen with the message "A communication error occurred during the operation: null".

The flashlog.txt shows:

=========

----------------- AuthenticatingApplication constructed at 367ms.
----------------- createComponentsFromDescriptors called at 417ms.
VERSION: 2009-20-11 - QuickFix 0.7
init() setTitle 2
Finished loading Theme at 701ms.
----------------- init called at 703ms.
Workspace channel created: id=secure-workspace-polling-amf, url=https://dcssys7.mydomain.com/workspace-server/messagebroker/amfsecurepolling.
----------------- checkLogin --------
singleSignOn: SSO login
login: https://dcssys7.mydomain.com/um/login, time = 773 ms.
******* a fault event occurred: credential check:  credentials not found.  login is required. (ALC-WKS-007-149)
----------------- showLogin called at 835ms.
----------------- doAuthenticate called at 5717ms.
login: credentials
login: https://dcssys7.mydomain.com/um/login, time = 5725 ms.
******* a fault event occurred: A communication error occurred during the operation: null (ALC-WKS-007-017)
----------------- showLogin called at 5953ms.
warning: unable to bind to property 'rawMessage' on class 'lc.core::Message

=========

There is no exception or abnormal message in SystemOut.log on the server side either.

I have installed the quick fix, run the configuration manager, and deployed the new ear files (client, native livecycle and livecycle).

Replaced the workspace-runtime.swc with the new workspace-runtime.swc in the deploy folder (in adobe-workspace-client.ear).

Recompiled the customized workspace.

Any ideas?

Thank you and regards,

Anh

Level 4

Can you attach the Charles proxy log? I am interested in knowing the HTTP headers being sent by the server.