
Kerberos SSO - working in Windows but failed in unix


Level 4

Hi all,

Let me explain my current situation.

We need to enable SSO Kerberos in Windows Server 2003 for LiveCycle with WebSphere.

In the development environment, the Application Server is installed on a Windows-based machine (Windows XP/Windows Server 2003), and we tested Kerberos successfully.

In the client's environment, the Application Server is installed on Unix; we tested Kerberos and it failed.

From what I observed,

In the Windows environment, we can use any name with the format HTTP/xxx with the ktpass command, e.g.

ktpass HTTP/  -mapuser spnego

I put it in the Service User field and it tests successfully in the Windows environment.

(Of course, in the actual configuration, I put HTTP/<lcesServerName>)

In the Unix environment, we get the exception "Server not found in kerberos database".

When I read the /etc/hosts file, I saw that the <lcesServerName> is mapped to 2 different IP addresses, and with precedence is <lcesServerName>

i.e. if I ping <lcesServerName> it will ping the IP

I thought that in Unix, after authenticating successfully, it tries to connect to the real lces server, i.e. <lcesServerName>

and because internal Unix cannot connect to external IP ( then it failed.

Then I tried to create another service user sso.<lcesServerName> to map specifically to and LiveCycle returned the error "No resolver supplied". The same thing happens if I map HTTP/ to spnego.

The exception is (totally not related to LiveCycle):

10/16/09 16:29:17:816 CST] 0000015e ConfigAuthEdi A testKerberosSettings_onClick TRAS0014I: The following exception was logged java.lang.IllegalArgumentException: No resolver supplied
at com.wedgetail.idm.sso.auth.FilterAuthContext.<init>(
at com.wedgetail.idm.sso.AbstractAuthenticator.getAuthSession(
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(
at com.wedgetail.idm.sso.AuthFilter.init(


I'm sure that the Service User, Service Password, KDC Host and spnego user account are properly configured.

Is there any idea why test kerberos fails in Unix or is it because of Unix or the AD server?

Thank you,

Tuan Anh
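
The hosts-file observation in the post above can be checked mechanically: list every name that maps to more than one address and see whether the host part of the SPN is one of them. This is an added example, not part of the original thread or of LiveCycle; the host names, addresses and SPN are constructed, and it only reports what the file contains, it does not establish the cause of the error.

```python
import ipaddress
from collections import OrderedDict

# Constructed sample in /etc/hosts format (documentation/private ranges,
# not values from the thread).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
192.0.2.10     lces01.example.com lces01   # constructed external address
10.0.0.5       lces01.example.com lces01   # constructed internal address
198.51.100.7   kdc01.example.com
"""

def parse_hosts(text):
    """Return {name: [addresses in file order]} for hosts-format text."""
    table = OrderedDict()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # first field is not an IP literal
        for name in fields[1:]:
            seen = table.setdefault(name.lower(), [])
            if addr not in seen:
                seen.append(addr)
    return table

def ambiguous_names(text):
    """Names mapped to more than one address, addresses kept in file order."""
    return {n: a for n, a in parse_hosts(text).items() if len(a) > 1}

def check_spn_host(text, spn):
    """Report how the host part of an SPN such as HTTP/<host> appears in the file."""
    service, _, host = spn.partition("/")
    host = host.split("@", 1)[0].lower()         # strip an optional @REALM suffix
    addrs = parse_hosts(text).get(host, [])
    return {"service": service, "host": host,
            "addresses": addrs, "ambiguous": len(addrs) > 1}

if __name__ == "__main__":
    for name, addrs in ambiguous_names(SAMPLE_HOSTS).items():
        print(f"{name}: {', '.join(addrs)}")
    print(check_spn_host(SAMPLE_HOSTS, "HTTP/lces01.example.com"))
```

To run it against a real server, pass the contents of that server's hosts file and the configured Service User value instead of the constructed sample.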



Level 4

Also, regarding debugging the Firefox Kerberos issue, can you follow the steps mentioned at Should be similar for Windows, and post the log. Also refer to

I am interested in knowing why it did not work


Level 4

Hi Chetan,

Thank you for your reply. Currently I'm focusing on SSO with SSL; this is a roadblock that prevents our production go-live. If I have time then I will go into the Firefox issue, because we still have it noted down as an item that needs to be resolved.

After deploying the quick fix, both Workspace and the customized Workspace have the same error, i.e. on the 1st login it stops at the login screen, and after a refresh it lets the user go in...




Level 4

I believe you are using WebSphere. The installation docs mention that you need to set some property in WebSphere so that it does not add certain HTTP headers which cause that issue.

Look for CookiesConfigureNoCache in admin_guide.pdf

Have you done that?