Hello,
At the customer site, we are trying to customize SSO for the Business Publisher via APG. We performed all the documented steps:
- We created the SPN
- We created a keytab as described in the documentation
- We set the property of the APG UMC as described
- We configured the web browser as defined
However, when trying to run the Business Publisher, we receive the manual login page,
And in the APG log we get the message: (please see the yellow mark)
FINE 2012-08-22 11:30:44,788 c.i.a.u.n.UmcNotificationService - NotificationService: Work started -> new MailingList
FINE 2012-08-22 11:30:44,789 c.i.a.u.u.j.JpaLocalTxInterceptor - TX: loginKerberos -> Number of active transactions: 0
FINE 2012-08-22 11:30:44,789 c.i.a.u.u.j.JpaLocalTxInterceptor - TX: loginKerberos -> Creating new transaction...
FINE 2012-08-22 11:30:44,789 c.i.a.u.u.j.JpaLocalTxInterceptor - TX: loginKerberos -> Starting transaction...
FNST 2012-08-22 11:30:44,793 c.i.a.u.u.l.UmcLicenseInterceptor - LICENSE: Performing license check for operation loginKerberos...
FNST 2012-08-22 11:30:44,795 c.i.a.u.u.l.UmcLicenseInterceptor - LICENSE: License key is valid for operation loginKerberos
FINE 2012-08-22 11:30:44,795 c.i.a.u.n.UmcNotificationService - NotificationService: Work started -> new MailingList
FINE 2012-08-22 11:30:44,795 c.i.a.u.u.j.JpaLocalTxInterceptor - TX: login -> Number of active transactions: 1
FINE 2012-08-22 11:30:44,796 c.i.a.u.u.j.JpaLocalTxInterceptor - TX: login -> Joining existing transaction...
Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\ARISGE1.0\.\config\Kerberos\umc.keytab refreshKrb5Config is false principal is HTTP/MCMICHAL03.eur.ad.sag tryFirstPass is false useFirstPass is false storePass is false clearPass is false
KeyTab instance already exists
Added key: 17version: 0
Found unsupported keytype (18) for HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG
Added key: 23version: 0
Added key: 3version: 0
Added key: 1version: 0
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 3 1 16 17 17 23 23 23.
0: EncryptionKey: keyType=3 kvno=0 keyValue (hex dump)=
0000: 80 DA B3 89 38 40 80 B5
1: EncryptionKey: keyType=1 kvno=0 keyValue (hex dump)=
0000: 80 DA B3 89 38 40 80 B5
2: EncryptionKey: keyType=17 kvno=0 keyValue (hex dump)=
0000: 8C 04 BB F6 CC 49 A7 DC CC 6A 85 6F 8C 54 5F EE .....I...j.o.T_.
3: EncryptionKey: keyType=23 kvno=0 keyValue (hex dump)=
0000: FC 95 59 39 E5 2D CD AF D0 EB 63 1C A1 7C C0 69 ..Y9.-....c....i
principal's key obtained from the keytab
principal is HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG
EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 80 DA B3 89 38 40 80 B5
EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 80 DA B3 89 38 40 80 B5
EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 8C 04 BB F6 CC 49 A7 DC CC 6A 85 6F 8C 54 5F EE .....I...j.o.T_.
EncryptionKey: keyType=23 keyBytes (hex dump)=0000: FC 95 59 39 E5 2D CD AF D0 EB 63 1C A1 7C C0 69 ..Y9.-....c....i
Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=3 keyBytes (hex dump)=
0000: 80 DA B3 89 38 40 80 B5
[Krb5LoginModule] added Krb5Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject
Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 80 DA B3 89 38 40 80 B5
[Krb5LoginModule] added Krb5Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject
Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 8C 04 BB F6 CC 49 A7 DC CC 6A 85 6F 8C 54 5F EE .....I...j.o.T_.
[Krb5LoginModule] added Krb5Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject
Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: FC 95 59 39 E5 2D CD AF D0 EB 63 1C A1 7C C0 69 ..Y9.-....c....i
[Krb5LoginModule] added Krb5Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject
Commit Succeeded
WARN 2012-08-22 11:30:44,799 c.i.a.u.j.KerberosTicketValidator - UMC - Verification of kerberos ticket failed: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
FINE 2012-08-22 11:30:44,799 c.i.a.u.u.j.JpaLocalTxInterceptor - TX: loginKerberos -> Transaction marked for rollback.
FINE 2012-08-22 11:30:44,799 c.i.a.u.u.j.JpaLocalTxInterceptor - TX: loginKerberos -> Rolling back transaction...
FINE 2012-08-22 11:30:44,802 c.i.a.u.n.UmcNotificationService - NotificationService: Work finished -> clear MailingList
I was able to reproduce this problem on my own demo system.
I understand we did something wrong or missed something, but we can't find this error anywhere in the documentation and we need advice on how to resolve this urgently.
Thanks, michal
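
Added example, not part of the original post or of the product's code: Java's GSS layer raises "GSSHeader did not find the right tag" when the received token does not begin with the 0x60 GSS-API tag, which is the case for an NTLM token. The sketch below classifies the value of a captured `Authorization: Negotiate` header; the function names and the sample tokens are constructed for illustration.

```python
import base64

NTLM_SIGNATURE = b"NTLMSSP\x00"                      # start of every NTLMSSP message
GSS_INITIAL_TAG = 0x60                               # ASN.1 [APPLICATION 0] framing
SPNEGO_OID = bytes.fromhex("06062b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")   # 1.2.840.113554.1.2.2


def classify_negotiate(header_value):
    """Classify the token carried in an 'Authorization: Negotiate <b64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                               # binascii.Error is a ValueError
        return "malformed-base64"
    if token.startswith(NTLM_SIGNATURE):
        return "ntlm"                                # no Kerberos ticket was sent
    if not token or token[0] != GSS_INITIAL_TAG:
        return "unknown"
    head = token[:32]                                # mechanism OID follows the length
    if SPNEGO_OID in head:
        return "spnego"
    if KRB5_OID in head:
        return "kerberos"
    return "gss-other"


def header_for(token):
    """Build a header value from raw token bytes (helper for the samples)."""
    return "Negotiate " + base64.b64encode(token).decode("ascii")


# Constructed sample tokens: headers only, no real ticket or credential data.
SAMPLES = {
    "ntlm": header_for(NTLM_SIGNATURE + (1).to_bytes(4, "little") + bytes(8)),
    "spnego": header_for(bytes([0x60, 0x0A]) + SPNEGO_OID + b"\xa0\x00"),
    "kerberos": header_for(bytes([0x60, 0x0D]) + KRB5_OID + b"\x01\x00"),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:9s} -> {classify_negotiate(value)}  ({value[:30]}...)")
```

An `ntlm` result means the client fell back to NTLM, so the server never received a Kerberos ticket to validate.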