MI

Hello,

At the customer site , we are trying to customize SSO for the Business Publisher via APG. We preformed all the documented steps:

  1. We created the SPN
  2. We created a keytab as described in the documentation
  3. We set the property of the APG UMC as described
  4. We configured the web browser as defined

However, when trying to run the Business Publisher, we receive the manual login page,

And in the APG log we get the message: (please see the yellow mark)

 

FINE 2012-08-22 11:30:44,788 c.i.a.u.n.UmcNotificationService    - NotificationService: Work started -> new MailingList

FINE 2012-08-22 11:30:44,789 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: loginKerberos -> Number of active transactions: 0

FINE 2012-08-22 11:30:44,789 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: loginKerberos -> Creating new transaction...

FINE 2012-08-22 11:30:44,789 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: loginKerberos -> Starting transaction...

FNST 2012-08-22 11:30:44,793 c.i.a.u.u.l.UmcLicenseInterceptor   - LICENSE: Performing license check for operation loginKerberos...

FNST 2012-08-22 11:30:44,795 c.i.a.u.u.l.UmcLicenseInterceptor   - LICENSE: License key is valid for operation loginKerberos

FINE 2012-08-22 11:30:44,795 c.i.a.u.n.UmcNotificationService    - NotificationService: Work started -> new MailingList

FINE 2012-08-22 11:30:44,795 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: login -> Number of active transactions: 1

FINE 2012-08-22 11:30:44,796 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: login -> Joining existing transaction...

Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is C:\ARISGE1.0\.\config\Kerberos\umc.keytab refreshKrb5Config is false principal is HTTP/MCMICHAL03.eur.ad.sag tryFirstPass is false useFirstPass is false storePass is false clearPass is false

KeyTab instance already exists

Added key: 17version: 0

Found unsupported keytype (18) for HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG

Added key: 23version: 0

Added key: 3version: 0

Added key: 1version: 0

Ordering keys wrt default_tkt_enctypes list

default etypes for default_tkt_enctypes: 3 1 16 17 17 23 23 23.

0: EncryptionKey: keyType=3 kvno=0 keyValue (hex dump)=

0000: 80 DA B3 89 38 40 80 B5  

 

1: EncryptionKey: keyType=1 kvno=0 keyValue (hex dump)=

0000: 80 DA B3 89 38 40 80 B5  

 

2: EncryptionKey: keyType=17 kvno=0 keyValue (hex dump)=

0000: 8C 04 BB F6 CC 49 A7 DC   CC 6A 85 6F 8C 54 5F EE  .....I...j.o.T_.

 

 

3: EncryptionKey: keyType=23 kvno=0 keyValue (hex dump)=

0000: FC 95 59 39 E5 2D CD AF   D0 EB 63 1C A1 7C C0 69  ..Y9.-....c....i

 

 

principal's key obtained from the keytab

principal is HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG

EncryptionKey: keyType=3 keyBytes (hex dump)=0000: 80 DA B3 89 38 40 80 B5  

EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 80 DA B3 89 38 40 80 B5  

EncryptionKey: keyType=17 keyBytes (hex dump)=0000: 8C 04 BB F6 CC 49 A7 DC   CC 6A 85 6F 8C 54 5F EE  .....I...j.o.T_.

 

EncryptionKey: keyType=23 keyBytes (hex dump)=0000: FC 95 59 39 E5 2D CD AF   D0 EB 63 1C A1 7C C0 69  ..Y9.-....c....i

 

Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=3 keyBytes (hex dump)=

0000: 80 DA B3 89 38 40 80 B5  

 

                        [Krb5LoginModule] added Krb5Principal  HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject

Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=1 keyBytes (hex dump)=

0000: 80 DA B3 89 38 40 80 B5  

 

                        [Krb5LoginModule] added Krb5Principal  HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject

Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=17 keyBytes (hex dump)=

0000: 8C 04 BB F6 CC 49 A7 DC   CC 6A 85 6F 8C 54 5F EE  .....I...j.o.T_.

 

 

                        [Krb5LoginModule] added Krb5Principal  HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject

Added server's keyKerberos Principal HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAGKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=

0000: FC 95 59 39 E5 2D CD AF   D0 EB 63 1C A1 7C C0 69  ..Y9.-....c....i

 

 

                        [Krb5LoginModule] added Krb5Principal  HTTP/MCMICHAL03.eur.ad.sag@EUR.AD.SAG to Subject

Commit Succeeded

 

WARN 2012-08-22 11:30:44,799 c.i.a.u.j.KerberosTicketValidator   - UMC - Verification of kerberos ticket failed: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

FINE 2012-08-22 11:30:44,799 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: loginKerberos -> Transaction marked for rollback.

FINE 2012-08-22 11:30:44,799 c.i.a.u.u.j.JpaLocalTxInterceptor   - TX: loginKerberos -> Rolling back transaction...

FINE 2012-08-22 11:30:44,802 c.i.a.u.n.UmcNotificationService    - NotificationService: Work finished -> clear MailingList

 

I was able to reproduce this problem on my own demo system.

I understand we did something wrong or missed something but we can't find this error any place at the documentation and we need advise how to resolve this urgently.

Thanks , michal

 

by sato eric
Posted on Sat, 03/02/2013 - 16:04

Dear Sir,

If you don't mind share you property files and command lines.

Big Thanks

0
by sato eric
Posted on Sat, 03/02/2013 - 16:27

I suspect the client and server using same machine. Possible client using different machine?

 

 

0

Featured achievement

Genius
You like to help others solve their problems by answering questions.
Recent Unlocks
  • KF
  • KH
  • RG
  • Profile picture for user Vee_ARIS
  • Profile picture for user smarty
  • PacMan

Leaderboard

|
icon-arrow-down icon-arrow-cerulean-left icon-arrow-cerulean-right icon-arrow-down icon-arrow-left icon-arrow-right icon-arrow icon-back icon-close icon-comments icon-correct-answer icon-tick icon-download icon-facebook icon-flag icon-google-plus icon-hamburger icon-in icon-info icon-instagram icon-login-true icon-login icon-mail-notification icon-mail icon-mortarboard icon-newsletter icon-notification icon-pinterest icon-plus icon-rss icon-search icon-share icon-shield icon-snapchat icon-star icon-tutorials icon-twitter icon-universities icon-videos icon-views icon-whatsapp icon-xing icon-youtube icon-jobs icon-heart icon-heart2 aris-express bpm-glossary help-intro help-design Process_Mining_Icon help-publishing help-administration help-dashboarding help-archive help-risk icon-knowledge icon-question icon-events icon-message icon-more icon-pencil forum-icon icon-lock