I need help figuring out why Single Sign-on is not working. I have implemented AD groups in DPA and it is working, but we cannot figure out why the single sign-on is not working.
Using the steps from SolarWinds Knowledge Base :: Configuring DPA for Single Sign-On, I have the files created and in place, but after the system.properties file is modified for single sign-on, the box does not appear on the login page. We are using version 9.0.146 of DPA on Windows Server 2008 R2 Enterprise.
Here is what the Single Sign-On section of the system.properties file looks like:
##################################################################
# Single Sign-On
##################################################################
## Enable/Disable single sign-on
com.confio.security.ldap.isSsoEnabled=true
## Location of the Kerberos config file(need to specify file location).
com.confio.ws.ldap.sso.krbConfLocation=c:\Windows\krb5.ini
## The Ignite application "service principal"
## Make sure servicePrincipal matches what was used in the key table -->
com.confio.ws.ldap.sso.servicePrincipal=HTTP/igniteserver:8123
## Location of the Kerberos key table (need to specify file location).
com.confio.ws.ldap.sso.keyTablLocation=C:\Windows\security\ignite.keytab
Since there is an important note that says "Important Note: Be sure to use '/' as your path separator instead of '\'", I have tried both separators in the Location paths.
The krb5.ini file is:
# Set defaults
[libdefaults]
default_realm = LOCAL.DOMAIN
default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
forwardable=true
# Define where to find the kerberos server for a particular realm
[realms]
LOCAL.DOMAIN = {
kdc = DC01.local.domain
kdc =DC02.local.domain
default_domain = local.domain
}
# Map subdomains and domain names to Kerberos realm names.
# Individual host names may be specified. Domain suffixes may be
# specified with a leading period and will apply to all host
# names ending in that suffix.
[domain_realm]
.local.domain = LOCAL.DOMAIN
local.domain = LOCAL.DOMAIN
[logging]
# kdc = CONSOLE
# kdc = SYSLOG:INFO
# admin_server = FILE:=/var/kadm5.log
Any assistance is appreciated.
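An added example, not part of the original post and not SolarWinds code, illustrating the path-separator note quoted above: it loads the two posted path lines with java.util.Properties and reports every value that changes on load, since backslash is an escape character in the .properties format. It assumes DPA reads system.properties through java.util.Properties; the class name SsoPropsCheck and the forward-slash sample line are constructed for the illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

public class SsoPropsCheck {
    // Constructed sample: the two path lines exactly as posted (key names kept as posted).
    static final String POSTED =
        "com.confio.ws.ldap.sso.krbConfLocation=c:\\Windows\\krb5.ini\n" +
        "com.confio.ws.ldap.sso.keyTablLocation=C:\\Windows\\security\\ignite.keytab\n";
    // Constructed sample: the same kind of line written with '/' separators.
    static final String FORWARD =
        "com.confio.ws.ldap.sso.krbConfLocation=c:/Windows/krb5.ini\n";

    /** Returns one finding per property whose loaded value differs from the text in the file. */
    static List<String> lint(String text) throws IOException {
        Properties loaded = new Properties();
        loaded.load(new StringReader(text)); // applies the format's backslash-escape rules
        List<String> findings = new ArrayList<>();
        for (String line : text.split("\n")) {
            String trimmed = line.trim();
            // Skip blanks and comment lines ('#' or '!' start a comment in this format).
            if (trimmed.isEmpty() || trimmed.startsWith("#") || trimmed.startsWith("!")) continue;
            int eq = trimmed.indexOf('=');
            if (eq < 0) continue; // only simple key=value lines are checked here
            String key = trimmed.substring(0, eq).trim();
            String raw = trimmed.substring(eq + 1).trim();
            String value = loaded.getProperty(key);
            if (value != null && !value.equals(raw)) {
                findings.add(key + ": file has [" + raw + "] but Java loads [" + value + "]");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        lint(POSTED).forEach(System.out::println);
        System.out.println("forward-slash findings: " + lint(FORWARD).size());
    }
}
```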