4 Replies Latest reply on Mar 19, 2015 10:11 AM by mandevil

    Why isn't Single Sign-on working?

    lcclbrown

      I need help figuring out why Single Sign-on is not working. I have implemented AD groups in DPA and it is working, but we cannot figure out why the single sign-on is not working.

      Using the steps from SolarWinds Knowledge Base :: Configuring DPA for Single Sign-On, I have the files created and in place, but after the system.properties file is modified for the single sign-on, the box does not appear on the login page. We are using version 9.0.146 of DPA on a Windows Server 2008 R2 Enterprise.

      Here is what the Single Sign-On section of the System.properties file looks like.


      ##################################################################
      # Single Sign-On
      ##################################################################
      ## Enable/Disable single sign-on
      com.confio.security.ldap.isSsoEnabled=true
      ## Location of the Kerberos config file(need to specify file location).
      com.confio.ws.ldap.sso.krbConfLocation=c:\Windows\krb5.ini
      ## The Ignite application "service principal"
      ## Make sure servicePrincipal matches what was used in the key table -->
      com.confio.ws.ldap.sso.servicePrincipal=HTTP/igniteserver:8123
      ## Location of the Kerberos key table (need to specify file location).
      com.confio.ws.ldap.sso.keyTablLocation=C:\Windows\security\ignite.keytab


      Since there is an important note that says "Important Note: Be sure to use '/' as your path separator instead of '\'", I have tried both separators in the Location paths.

      The krb5.ini file is:

      # Set defaults
      [libdefaults]
          default_realm = LOCAL.DOMAIN
          default_tkt_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
          default_tgs_enctypes = rc4-hmac,aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96
          forwardable=true

      # Define where to find the kerberos server for a particular realm
      [realms]
      LOCAL.DOMAIN = {
          kdc = DC01.local.domain
          kdc = DC02.local.domain
          default_domain = local.domain
      }

      # Map subdomains and domain names to Kerberos realm names.
      # Individual host names may be specified. Domain suffixes may be
      # specified with a leading period and will apply to all host
      # names ending in that suffix.
      [domain_realm]

          .local.domain = LOCAL.DOMAIN
          local.domain = LOCAL.DOMAIN

      [logging]
      #    kdc = CONSOLE
      #    kdc = SYSLOG:INFO
      #    admin_server = FILE:=/var/kadm5.log


      Any assistance is appreciated.

        • Re: Why isn't Single Sign-on working?
          mandevil

          Can you share what error you are getting in your auth.log?  <install_dir>/iwd/tomcat/logs

          This may have to turn into a support case as it may get involved.

            • Re: Why isn't Single Sign-on working?
              lcclbrown

              Here is the error in the auth.log.


              INFO   (2015-03-19 08:36:10,697) [main] IgniteJaasKerberosTicketValidator - Unable to initialize Kerberos Ticket Validator. Ignite will start with 'Single Sign-on' disabled.

              java.lang.IllegalArgumentException: Could not load configuration file c:\Windows\krb5.ini (The system cannot find the file specified)

              at javax.security.auth.kerberos.KerberosPrincipal.<init>(Unknown Source)

              I have given administrative rights to the IGNITE PI Server service account, which is also the repository owner, and I still receive this error in the log. Am I incorrect in thinking that the IGNITE (DPA) service account is the correct credential that is initiating the single sign-on?

              • Re: Why isn't Single Sign-on working?
                lcclbrown

                 I have corrected the file not found problem, so I am getting the single sign-on check, but the single sign-on still fails. The auth log shows:

                WARN   (2015-03-19 09:38:00,302) [http-8123-1] CustomSpnegoAuthenticationProcessingFilter - Negotiate Header was invalid: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

                org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull

                at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:69)

                at com.confio.iwc.security.CustomSSOAuthenticationProvider.authenticate(SourceFile:79)


                ......


                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)

                at java.lang.Thread.run(Unknown Source)

                Caused by: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

                at java.security.AccessController.doPrivileged(Native Method)

                at javax.security.auth.Subject.doAs(Unknown Source)

                at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator.validateTicket(SunJaasKerberosTicketValidator.java:67)

                ... 37 more

                Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

                at sun.security.jgss.GSSHeader.<init>(Unknown Source)

                at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)

                at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)

                at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:146)

                at org.springframework.security.extensions.kerberos.SunJaasKerberosTicketValidator$KerberosValidateAction.run(SunJaasKerberosTicketValidator.java:136)

                ... 40 more

                WARN   (2015-03-19 09:38:25,522) [http-8123-2] CustomSpnegoAuthenticationProcessingFilter - Negotiate Header was invalid: Negotiate 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

                org.springframework.security.authentication.BadCredentialsException: Kerberos validation not succesfull


                Is this showing an invalid keytab file?
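Added example, not from the thread or from SolarWinds: a small Python decoder for the Negotiate header quoted in the auth.log above. Java's GSSHeader expects a DER GSS-API token starting with the 0x60 application tag, so a token that instead begins with the NTLMSSP signature is rejected as "Defective token ... did not find the right tag"; classifying the header tells a client-side NTLM fallback apart from a keytab problem before the keytab is touched. The SPNEGO sample token is constructed; the NTLM token is the one from the log line.

```python
import base64
import struct

# Token copied from the "Negotiate Header was invalid" log line above.
LOG_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
# Constructed minimal GSS-API header carrying the SPNEGO OID 1.3.6.1.5.5.2.
SPNEGO_SAMPLE = base64.b64encode(bytes.fromhex("600806062b06010505" "02")).decode()

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
GSS_APP0_TAG = 0x60  # ASN.1 [APPLICATION 0]: RFC 2743 InitialContextToken
NTLM_NEGOTIATE_VERSION = 0x02000000
OID_NAMES = {"1.3.6.1.5.5.2": "SPNEGO", "1.2.840.113554.1.2.2": "Kerberos"}


def decode_oid(body: bytes) -> str:
    """Turn DER OID content bytes into dotted notation."""
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def classify_negotiate_token(b64: str) -> dict:
    """Report which mechanism a WWW-Authenticate/Authorization Negotiate token carries."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLMSSP_SIGNATURE):
        # NTLM message: signature(8) type(4) flags(4), then version at offset 32 if flagged.
        # A client usually sends NTLM instead of Kerberos when it could not get a
        # service ticket for the SPN; a Kerberos-only validator cannot accept this.
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info = {"mechanism": "NTLM", "message_type": msg_type, "flags": flags}
        if flags & NTLM_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["client_os"] = f"{major}.{minor} build {build}"
        return info
    if raw and raw[0] == GSS_APP0_TAG:
        # DER: 0x60 <length> 0x06 <oid_len> <oid bytes> ... (short or long-form length)
        pos = 2 + (raw[1] & 0x7F) if raw[1] & 0x80 else 2
        if raw[pos] != 0x06:
            return {"mechanism": "unknown-gss"}
        oid = decode_oid(raw[pos + 2: pos + 2 + raw[pos + 1]])
        return {"mechanism": OID_NAMES.get(oid, oid), "oid": oid}
    return {"mechanism": "unknown"}
```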