SSO setup using Kerberos

  • 7006853
  • 15-Sep-2010
  • 26-Apr-2012

Environment

Application Server - Websphere
User Application 3.7.0 Patch C
Windows 2003 Operating System
Configuring SSO with MIT Kerberos using AD authentication

Situation

The following error is thrown in the User Application server.log:

2010-09-01 22:02:11,836 INFO  [STDOUT] (http-0.0.0.0-8080-1)         [Krb5LoginModule] authentication failed
Cannot get kdc for realm DOMAIN.COM
2010-09-01 22:02:11,836 ERROR [com.novell.common.auth.sso.SSOFilter] (http-0.0.0.0-8080-1) Failed to perform SPNEGO Kerberos V5 SSO.
com.novell.common.auth.sso.SSOFilterException: Failed to perform SPNEGO Kerberos V5 SSO.
    at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:206)
    at com.novell.common.auth.sso.KerberosFilter.login(KerberosFilter.java:122)
    at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:111)
    at com.novell.common.auth.sso.KerberosFilter.doFilter(KerberosFilter.java:58)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.jboss.web.tomcat.service.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:109)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:197)
    ... 25 more

Resolution

Duplicate accounts had been created in AD with the same UPN, which created a conflict in Kerberos authentication with the Novell User Application. Once one of the duplicates was deleted, the Novell Admin account was able to exchange Kerberos credentials with AD successfully.
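A way to find the conflict described above before it breaks SSO, as an added example that is not Novell/NetIQ code: the script reads an LDIF export of AD user objects (for instance one written by ldifde on a domain controller; the export command and file name are assumptions) and lists every userPrincipalName held by more than one account. As a generalisation of the TID it also checks servicePrincipalName, since duplicate SPNs break Kerberos ticket issuance in the same way. The LDIF below is constructed sample data, not from any real directory.

```python
"""Report Active Directory accounts that share a principal name (added example)."""
import base64
from collections import defaultdict

# Constructed sample export: two accounts claim the same UPN, differing only in case.
SAMPLE_LDIF = """\
dn: CN=uaadmin,OU=Service Accounts,DC=domain,DC=com
objectClass: user
sAMAccountName: uaadmin
userPrincipalName: HTTP/idm.domain.com@DOMAIN.COM
servicePrincipalName: HTTP/idm.domain.com

dn: CN=uaadmin-old,OU=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: uaadmin-old
userPrincipalName: http/idm.domain.com@domain.com

dn: CN=jsmith,OU=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: jsmith
userPrincipalName: jsmith@domain.com
"""


def parse_ldif(text):
    """Return a list of (dn, attrs); attrs maps attribute name -> list of values."""
    entries, lines = [], []

    def flush():
        if not lines:
            return
        dn, attrs = None, defaultdict(list)
        for line in lines:
            if line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name].append(value)
        entries.append((dn, dict(attrs)))
        lines.clear()

    for raw in text.splitlines():
        if raw == "":
            flush()                            # a blank line ends an entry
        elif raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # LDIF folds long values with a leading space
        else:
            lines.append(raw)
    flush()
    return entries


def find_duplicates(entries, attribute="userPrincipalName"):
    """Map each value of `attribute` owned by more than one entry to the owning DNs.

    Comparison is case-insensitive because the AD KDC resolves principal names
    without regard to case, so the two uaadmin entries above collide even
    though the stored strings differ in case.
    """
    owners = defaultdict(list)
    for dn, attrs in entries:
        for value in attrs.get(attribute, []):
            owners[value.lower()].append(dn)
    return {value: dns for value, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for attr in ("userPrincipalName", "servicePrincipalName"):
        for value, dns in find_duplicates(parsed, attr).items():
            print(f"duplicate {attr} {value!r} on:")
            for dn in dns:
                print("   ", dn)
```

Run it against a real export by replacing SAMPLE_LDIF with the file contents; any UPN or SPN it reports must be removed from all but one account before the Kerberos exchange in the Resolution can succeed.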

Additional Information

When setting up SSO for the User Application, follow the steps in the User Application 3.7 documentation.

Be sure you are consistent in the use of upper and lower case. The AD domain name is the only thing that MUST be in uppercase; this is critical.

All other settings should be in lowercase unless uppercase is required to access a server, etc., but be consistent in entering information.
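The uppercase rule above is exactly what the "Cannot get kdc for realm DOMAIN.COM" line in the Situation points at: Java's Kerberos configuration matches realm names exactly, so a [realms] block written in lowercase is not found. The following added example (not Novell/NetIQ code) parses the krb5.conf format and reports every place where the AD domain is not entered as an uppercase realm, run against a constructed broken config and its corrected form; the host names are placeholders.

```python
"""Check a krb5.conf for the realm-case mistakes behind "Cannot get kdc for realm" (added example)."""

# Constructed sample: realm entered in lowercase everywhere.
BROKEN_CONF = """\
[libdefaults]
    default_realm = domain.com

[realms]
    domain.com = {
        kdc = dc1.domain.com
    }

[domain_realm]
    .domain.com = domain.com
    domain.com = domain.com
"""

# Constructed sample: realm uppercase, host names lowercase (the TID's rule).
FIXED_CONF = """\
[libdefaults]
    default_realm = DOMAIN.COM     # AD domain name as the realm, uppercase

[realms]
    DOMAIN.COM = {
        kdc = dc1.domain.com       # host names stay lowercase
        kdc = dc2.domain.com
    }

[domain_realm]
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
"""


def _add(target, key, value):
    """Store value under key; a repeated key (several kdc lines) becomes a list."""
    existing = target.get(key)
    if existing is None:
        target[key] = value
    elif isinstance(existing, list):
        existing.append(value)
    else:
        target[key] = [existing, value]


def parse_krb5_conf(text):
    """Return {section: {key: value}}; `name = { ... }` blocks become nested dicts."""
    config, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and surrounding whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [config.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError(f"setting outside any section: {line!r}")
        if line == "}":
            stack.pop()                          # close a { } block
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            _add(stack[-1], key, block)
            stack.append(block)
        else:
            _add(stack[-1], key, value)
    return config


def check_realm_config(config, ad_domain):
    """Return findings for ad_domain; an empty list means the realm is entered consistently."""
    realm = ad_domain.upper()
    problems = []
    default_realm = config.get("libdefaults", {}).get("default_realm")
    if default_realm != realm:
        problems.append(f"default_realm is {default_realm!r}, expected {realm!r}")
    realms = config.get("realms", {})
    block = realms.get(realm)
    if not isinstance(block, dict):
        # Java looks the realm up by exact name, so a block differing only in case is invisible.
        wrong_case = [n for n in realms if n.upper() == realm and n != realm]
        hint = f" (found {wrong_case[0]!r}, differing only in case)" if wrong_case else ""
        problems.append(f"no [realms] block for {realm!r}{hint}: Java reports "
                        f"'Cannot get kdc for realm {realm}'")
    elif not block.get("kdc"):
        problems.append(f"[realms] block {realm} has no kdc line")
    for name, mapped in config.get("domain_realm", {}).items():
        if mapped != realm and mapped.upper() == realm:
            problems.append(f"[domain_realm] {name} maps to {mapped!r} instead of {realm!r}")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        findings = check_realm_config(parse_krb5_conf(text), "domain.com")
        print(f"{label}: {len(findings)} problem(s)", *findings, sep="\n    ")
```

The checker deliberately flags only case mismatches of the realm itself, leaving host names alone, which mirrors the rule in this section: the realm is the one value that must be uppercase, and everything else should stay lowercase and consistent.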