Why isn't Single Sign-on working?

I need help figuring out why Single Sign-on is not working.  I have implemented AD groups in DPA and it is working, but we cannot figure out why the single sign-on is not working.

Using the steps from SolarWinds Knowledge Base :: Configuring DPA for Single Sign-On, I have the files created and in place, but after the system.properties file is modified for the single sign-on, the box does not appear on the login page. We are using version 9.0.146 of DPA on a Windows Server 2008 R2 Enterprise.

Here is what the Single Sign-On section of the System.properties file looks like.


##################################################################
# Single Sign-On
##################################################################
## Enable/Disable single sign-on
com.confio.security.ldap.isSsoEnabled=true
## Location of the Kerberos config file(need to specify file location).
com.confio.ws.ldap.sso.krbConfLocation=c:\Windows\krb5.ini
## The Ignite application "service principal"
## Make sure servicePrincipal matches what was used in the key table -->
com.confio.ws.ldap.sso.servicePrincipal=HTTP/igniteserver:8123
## Location of the Kerberos key table (need to specify file location).
com.confio.ws.ldap.sso.keyTablLocation=C:\Windows\security\ignite.keytab


Since there is an important note that says "Be sure to use '/' as your path separator instead of '\'", I have tried both separators in the Location paths.

The krb5.ini file is:

# Set defaults
[libdefaults]
    default_realm = LOCAL.DOMAIN
    default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
    forwardable=true

# Define where to find the kerberos server for a particular realm
[realms]
LOCAL.DOMAIN = {
    kdc = DC01.local.domain
    kdc = DC02.local.domain
    default_domain = local.domain
}

# Map subdomains and domain names to Kerberos realm names.
# Individual host names may be specified. Domain suffixes may be
# specified with a leading period and will apply to all host
# names ending in that suffix.
[domain_realm]

    .local.domain = LOCAL.DOMAIN
    local.domain = LOCAL.DOMAIN

[logging]
#    kdc = CONSOLE
#    kdc = SYSLOG:INFO
#    admin_server = FILE:=/var/kadm5.log

Any assistance is appreciated.

  • Can you share what error you are getting in your auth.log?  <install_dir>/iwd/tomcat/logs

    This may have to turn into a support case as it may get involved.

  • I have corrected the file not found problem so I am getting the single sign-on check, but the single sign-on still fails.  The auth log shows:

    WARN   (2015-03-19 09:38:00,302) [http-8123-1] CustomSpnegoAuthenticationProcessingFilter - Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

    org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull

    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)

    at com.confio.iwc.security.CustomSSOAuthenticationProvider.authenticate(SourceFile:79)

    ......

    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)

    at java.lang.Thread.run(Unknown Source)

    Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

    at java.security.AccessController.doPrivileged(Native Method)

    at javax.security.auth.Subject.doAs(Unknown Source)

    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)

    ... 37 more

    Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

    at sun.security.jgss.GSSHeader.<init>(Unknown Source)

    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)

    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)

    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)

    at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)

    ... 40 more

    WARN   (2015-03-19 09:38:25,522) [http-8123-2] CustomSpnegoAuthenticationProcessingFilter - Negotiate Header was invalid: Negotiate ......

    org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull

    Is this showing an invalid keytab file?

  • Do you mind opening up a support ticket?  As suspected, this is starting to get messy and we'll need a full set of logs.  We'll be looking for the ticket and you can reference this thread.  Thanks!

  • Has this issue been identified and fixed yet? My DBAs just set this up on Server 2016. When trying to log in we get the check box to enable SSO but it does not work.  The error is "unable to login using SSO, try typing your credentials". Typing in the credentials works fine using domain\username. In the auth.logs file I am seeing

    Negotiate Header was invalid: Negotiate YIIKxgYGKwYBBQUCoIIKujCCCragMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCCoAEggp8YIIKeAYJKoZIhvcSAQICAQBuggpnMIIKY6ADAgEFoQMCAQ6iBw org.springframework.security.authentication.BadCredentialsException: Kerberos validation not successful,

    I am also seeing 

    org.springframework.security.kerberos.authentication.sun.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:68) ~[spring-security-kerberos-core-1.0.1.RELEASE.jar:1.0.1.RELEASE]
    ... 53 more

    and also "Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC". We are not using RC4; we are using aes128-cts-hmac-sha1-96. The krb5 file is located in the Program Files\SolarWinds\DPA\iwc\tomcat\SSO directory.

    I have tried to create the keytab file using 2 different ways and still it is not working. The first way was ktpass -princ HTTP/cisdpaapp16.caci.com@CACI.COM -mapuser accountname@caci.com -pass -crypto aes-128-cts-hmac-sha1-96 -ptype KRB5_NT_PRINCIPAL -out C:\CIS\KeyTab\svcdpasso\AES128_3_19_21_

    The second way was ktpass /out .\ignite.keytab /mapuser accountname@caci.com /princ HTTP/cisdpaapp16.caci.com@CACI.COM /pass KRB5_NT_PRINCIPAL /crypto AES128-cts-hmac-sha1-96
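Added example, not from this thread or from SolarWinds: a small Python script that decodes the base64 text DPA logs after "Negotiate Header was invalid: Negotiate" and reports whether the browser sent a bare NTLM message or an SPNEGO token, and which mechanisms the SPNEGO token lists. It separates the two failures quoted above: the 2015 token (TlRMTVNTUAAB...) is an NTLMSSP NEGOTIATE message, which has no GSS header and so is rejected as a "defective token" before any keytab is consulted, while the Server 2016 token (YIIKxg...) is SPNEGO with Kerberos listed first, so the failure is in validating the Kerberos ticket, matching the "Cannot find key of appropriate type to decrypt AP-REQ - RC4 with HMAC" message.

```python
import base64
OID_NAMES = {  # mechanism OIDs that appear in SPNEGO mechType lists (RFC 4178 / MS-SPNG)
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
    "1.3.6.1.4.1.311.2.2.30": "NEGOEX",
}

def der_header(buf, pos):
    """Return (tag, length, content_start) of the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos

def decode_oid(raw):
    """Decode a DER OID body into dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_negotiate(token_b64):
    """Describe the token a client sent in 'Authorization: Negotiate <token>'."""
    raw = base64.b64decode(token_b64 + "=" * (-len(token_b64) % 4))  # re-pad tokens cut short in logs
    if raw.startswith(b"NTLMSSP\x00"):       # bare NTLM: no GSS header, so JGSS reports a defective token
        return {"mech": "NTLM", "ntlm_message_type": int.from_bytes(raw[8:12], "little"), "mech_types": []}
    tag, _, pos = der_header(raw, 0)         # RFC 2743 InitialContextToken is [APPLICATION 0] = 0x60
    if tag != 0x60:
        return {"mech": "unknown", "mech_types": []}
    _, length, pos = der_header(raw, pos)    # thisMech OID
    outer = decode_oid(raw[pos:pos + length])
    result = {"mech": OID_NAMES.get(outer, outer), "mech_types": []}
    if outer != "1.3.6.1.5.5.2":             # e.g. a bare Kerberos token: no mechType list to walk
        return result
    pos += length
    for _ in range(4):                       # [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF MechType
        _, length, pos = der_header(raw, pos)
    end = pos + length                       # first listed mechanism is the one the mechToken belongs to
    while pos < end:
        _, olen, pos = der_header(raw, pos)
        oid = decode_oid(raw[pos:pos + olen])
        result["mech_types"].append(OID_NAMES.get(oid, oid))
        pos += olen
    return result
```

Pass it the text after "Negotiate " from the auth.log WARN line (trailing characters may be missing; only the header and mechType list need to be intact). For the two tokens in this thread it returns mech "NTLM" with message type 1, and mech "SPNEGO" with ["MS Kerberos V5 (legacy)", "Kerberos V5", "NEGOEX", "NTLMSSP"].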
