
Kerberos SSO - working in Windows but failed in unix


Former Community Member

Hi all,

Let me explain my current situation.

We need to enable Kerberos SSO on Windows Server 2003 for Livecycle with Websphere.

In the development environment the Application Server is installed on a Windows-based machine (Windows XP / Windows Server 2003), and we tested Kerberos successfully.

In the client's environment the Application Server is installed on Unix; we tested Kerberos there and it failed.

From what I observed,

In the Windows environment, we can use any name in the format HTTP/xxx with the ktpass command, e.g.

ktpass -princ HTTP/1.1.1.1@DOMAIN.COM -mapuser spnego

I put it in the Service User field and it tests successfully in the Windows environment.

(Of course, in actual configuration, I put HTTP/<lcesServerName>.domain.com)

In the Unix environment, we get the exception "Server not found in Kerberos database".

When I read the /etc/hosts file, I saw that <lcesServerName>.domain.com is mapped to two different IP addresses,

10.172.16.16 and 10.0.0.1, with precedence given to the entry 10.172.16.16 <lcesServerName>.domain.com,

i.e. if I ping <lcesServerName>.domain.com it pings the IP 10.172.16.16.

I thought that on Unix, after authenticating successfully, it tries to connect to the real LCES server, i.e. <lcesServerName>.domain.com, and because the internal Unix host cannot connect to the external IP (10.172.16.16), it failed.

Then I tried to create another service user, sso.<lcesServerName>.domain.com, mapped specifically to 10.0.0.1, and Livecycle returned the error "No resolver supplied". The same thing happens if I map HTTP/10.0.0.1 to spnego.

The exception is (totally unrelated to Livecycle):
================

10/16/09 16:29:17:816 CST] 0000015e ConfigAuthEdi A com.adobe.idp.um.ui.config.ConfigAuthEditAction testKerberosSettings_onClick TRAS0014I: The following exception was logged java.lang.IllegalArgumentException: No resolver supplied
at com.wedgetail.idm.sso.directory.ad.DefaultADConfig.<init>(DefaultADConfig.java:121)
at com.wedgetail.idm.sso.auth.FilterAuthContext.<init>(FilterAuthContext.java:260)
at com.wedgetail.idm.sso.AbstractAuthenticator.getAuthSession(AbstractAuthenticator.java:636)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:509)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)

=================

I'm sure that the Service User, Service Password, KDC Host and spnego user account are properly configured.

Does anyone have an idea why the Kerberos test fails on Unix, and whether the cause is Unix or the AD server?

Thank you,

Tuan Anh
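The /etc/hosts situation the post describes (one FQDN listed against two addresses, the first entry winning) is easy to check mechanically. The script below is an added example, not code from the original post or from Livecycle: it parses a constructed hosts file modelled on the post, reports any hostname that appears with more than one address, shows which address a top-down hosts lookup returns, and prints the HTTP/<fqdn>@REALM service principal the client will ask the KDC for. The hostname lces01.domain.com, the realm and the addresses are made up for the example.

```shell
#!/bin/sh
# Added example (not part of the original post): detect a hostname that
# /etc/hosts maps to more than one address and show the SPN a Kerberos
# client derives from the FQDN. All names and addresses below are constructed.

# Constructed /etc/hosts content, modelled on the post: the FQDN appears twice
# and the 10.172.16.16 entry comes first, so it takes precedence.
HOSTS_DATA='127.0.0.1     localhost
10.172.16.16  lces01.domain.com lces01
10.0.0.1      lces01.domain.com
10.0.0.2      sso.lces01.domain.com'

# Print "host: addr1 addr2 ..." for every hostname that is listed against more
# than one distinct address. Comments are stripped; file order is preserved.
duplicate_hosts() {
    printf '%s\n' "$HOSTS_DATA" \
      | sed 's/#.*//' \
      | awk 'NF >= 2 {
               for (i = 2; i <= NF; i++)
                 if (!seen[$i, $1]++) { n[$i]++; a[$i] = a[$i] " " $1 }
             }
             END { for (h in n) if (n[h] > 1) print h ":" a[h] }' \
      | sort
}

# First address listed for a hostname, i.e. what a resolver that reads
# /etc/hosts top-down (the "files" source in nsswitch) hands back.
first_address() {
    printf '%s\n' "$HOSTS_DATA" \
      | sed 's/#.*//' \
      | awk -v h="$1" 'NF >= 2 {
               for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit }
             }'
}

# Service principal the client requests for an HTTP service on a host:
# HTTP/<fqdn>@<REALM>, with the realm upper-cased as Kerberos realms are.
expected_spn() {
    printf 'HTTP/%s@%s\n' "$1" "$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')"
}

# Stand-alone run: list conflicts, then show what the client will resolve and request.
duplicate_hosts
first_address lces01.domain.com
expected_spn lces01.domain.com domain.com
```

Run it against the real file by replacing HOSTS_DATA with `$(cat /etc/hosts)`. The point of the check is that the principal registered with ktpass must match, byte for byte, the HTTP/<fqdn> the client builds from the name it resolves; many Kerberos clients canonicalize the host through the address it resolved to, so if that address maps back to a different name the ticket request names a principal the KDC has never seen, which is exactly the "Server not found in Kerberos database" error.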

23 Replies


Level 4

Also, regarding debugging the Firefox Kerberos issue, can you follow the steps mentioned at http://bretm.wordpress.com/2009/02/18/debugging-firefox-gssapi/ (it should be similar for Windows) and post the log? Also refer to https://developer.mozilla.org/en/HTTP_Logging

I am interested in knowing why it did not work.


Former Community Member

Hi Chetan,

Thank you for your reply. Currently I'm focusing on SSO with SSL; this is a road block that prevents our production go-live. If I have time I will look into the Firefox issue, as we still have it noted down as an item that needs to be resolved.

After deploying the quick fix, both Workspace and the customized Workspace have the same error, i.e. on the first login it stops at the login screen; after a refresh it lets the user in...

Regards,

Anh


Level 4

I believe you are using Websphere. The installation docs mention that you need to set a certain property in Websphere so that it does not add certain HTTP headers which cause that issue.

Look for CookiesConfigureNoCache in admin_guide.pdf

Have you done that?