Hello,

At the customer site, we are trying to customize SSO for the Business Publisher via APG. We performed all the documented steps:

  1. We created the SPN
  2. We created a keytab as described in the documentation
  3. We set the property of the APG UMC as described
  4. We configured the web browser as defined

However, when trying to run the Business Publisher, we receive the manual login page,

And in the APG log we get the message: (please see the yellow mark)

 

FINE 2012-08-22 11:30:44,788 c.i.a.u.n.UmcNotificationService    - NotificationService: Work started -> new MailingList

FINE 2012-08-22 11:30:44,789 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: loginKerberos -> Number of active transactions: 0

FINE 2012-08-22 11:30:44,789 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: loginKerberos -> Creating new transaction...

FINE 2012-08-22 11:30:44,789 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: loginKerberos -> Starting transaction...

FNST 2012-08-22 11:30:44,793 c.i.a.u.u.l.UmcLicenseInterceptor   - LICENSE: Performing license check for operation loginKerberos...

FNST 2012-08-22 11:30:44,795 c.i.a.u.u.l.UmcLicenseInterceptor   - LICENSE: License key is valid for operation loginKerberos

FINE 2012-08-22 11:30:44,795 c.i.a.u.n.UmcNotificationService    - NotificationService: Work started -> new MailingList

FINE 2012-08-22 11:30:44,795 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: login -> Number of active transactions: 1

FINE 2012-08-22 11:30:44,796 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: login -> Joining existing transaction...

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\ARISGE1.0\.\config\Kerberos\umc.keytab refreshKrb5Config is false principal is HTTP/MCMICHAL03.eur.ad.sag tryFirstPass is false useFirstPass is false storePass is false clearPass is false

KeyTab instance already exists

Added key: 17version: 0

Found unsupported keytype (18) for HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG

Added key: 23version: 0

Added key: 3version: 0

Added key: 1version: 0

Ordering keys wrt default_tkt_enctypes list

default etypes for default_tkt_enctypes: 3 1 16 17 17 23 23 23.

0: EncryptionKey: keyType=3 kvno=0 keyValue (hex dump)=

0000: 80 DA B3 89 38 40 80 B5  

 

1: EncryptionKey: keyType=1 kvno=0 keyValue (hex dump)=

0000: 80 DA B3 89 38 40 80 B5  

 

2: EncryptionKey: keyType=17 kvno=0 keyValue (hex dump)=

0000: 8C 04 BB F6 CC 49 A7 DC   CC 6A 85 6F 8C 54 5F EE  .....I...j.o.T_.

 

 

3: EncryptionKey: keyType=23 kvno=0 keyValue (hex dump)=

0000: FC 95 59 39 E5 2D CD AF   D0 EB 63 1C A1 7C C0 69  ..Y9.-....c....i

 

 

principal's key obtained from the keytab

principal is HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG

EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 80 DA B3 89 38 40 80 B5  

EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 80 DA B3 89 38 40 80 B5  

EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 8C 04 BB F6 CC 49 A7 DC   CC 6A 85 6F 8C 54 5F EE  .....I...j.o.T_.

 

EncryptionKey: keyType=23 keyBytes (hex dump)=0000: FC 95 59 39 E5 2D CD AF   D0 EB 63 1C A1 7C C0 69  ..Y9.-....c....i

 

Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=3 keyBytes (hex dump)=

0000: 80 DA B3 89 38 40 80 B5  

 

                        [Krb5LoginModule] added Krb5Principal  HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject

Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=

0000: 80 DA B3 89 38 40 80 B5  

 

                        [Krb5LoginModule] added Krb5Principal  HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject

Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=

0000: 8C 04 BB F6 CC 49 A7 DC   CC 6A 85 6F 8C 54 5F EE  .....I...j.o.T_.

 

 

                        [Krb5LoginModule] added Krb5Principal  HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject

Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=

0000: FC 95 59 39 E5 2D CD AF   D0 EB 63 1C A1 7C C0 69  ..Y9.-....c....i

 

 

                        [Krb5LoginModule] added Krb5Principal  HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject

Commit Succeeded

 

WARN 2012-08-22 11:30:44,799 c.i.a.u.j.KerberosTicketValidator   - UMC - Verification of kerberos ticket failed: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

FINE 2012-08-22 11:30:44,799 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: loginKerberos -> Transaction marked for rollback.

FINE 2012-08-22 11:30:44,799 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: loginKerberos -> Rolling back transaction...

FINE 2012-08-22 11:30:44,802 c.i.a.u.n.UmcNotificationService    - NotificationService: Work finished -> clear MailingList

 

I was able to reproduce this problem on my own demo system.

I understand we did something wrong or missed something, but we can't find this error anywhere in the documentation, and we need advice on how to resolve this urgently.

Thanks, michal
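
The "GSSHeader did not find the right tag" warning in the log above is raised when the token handed to GSS-API does not begin with the ASN.1 application tag 0x60; an NTLM token sent under the Negotiate scheme is one input that fails this way. As an added diagnostic example (not part of the original post or the product's code), this Python script classifies a captured `Authorization: Negotiate` header value; the function names and sample tokens are constructed for illustration.

```python
import base64
import binascii

# DER-encoded OID value bytes of the GSS-API mechanisms we recognise.
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

def der_length(buf, pos):
    """Return (length, next_pos) for the DER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_negotiate(header_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    if token.startswith(b"NTLMSSP\x00"):
        return "ntlm"          # starts with 'N' (0x4E), so there is no 0x60 GSS header
    if len(token) < 4 or token[0] != 0x60:
        return "unknown"
    try:
        _, pos = der_length(token, 1)
        if token[pos] != 0x06:             # the mechanism OID follows the header
            return "unknown"
        oid_len, pos = der_length(token, pos + 1)
    except (ValueError, IndexError):
        return "unknown"
    oid = token[pos:pos + oid_len]
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "unknown-mech")

def header_for(raw):
    return "Negotiate " + base64.b64encode(raw).decode()

# Constructed sample tokens (truncated to their headers, not taken from the post).
NTLM_SAMPLE = header_for(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2")
SPNEGO_SAMPLE = header_for(b"\x60\x0a\x06\x06" + SPNEGO_OID + b"\xa0\x00")
KRB5_SAMPLE = header_for(b"\x60\x0d\x06\x09" + KRB5_OID + b"\x01\x00")

if __name__ == "__main__":
    for name in ("NTLM_SAMPLE", "SPNEGO_SAMPLE", "KRB5_SAMPLE"):
        print(name, "->", classify_negotiate(globals()[name]))
```

A result of `ntlm` for the header the browser actually sends means the client never obtained a service ticket for the SPN, so the server-side keytab was not the step that failed.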

 
