SSO setup using Kerberos

  • 7006853
  • 15-Sep-2010
  • 26-Apr-2012

Environment

Application Server - Websphere
User Application 3.7.0 Patch C
Windows 2003 Operating System
Configuring SSO using MIT Kerberos using AD authentication

Situation

In the User Application server.log error being thrown:

2010-09-01 22:02:11,836 INFO  [STDOUT] (http-0.0.0.0-8080-1)         [Krb5LoginModule] authentication failed
Cannot get kdc for realm DOMAIN.COM
2010-09-01 22:02:11,836 ERROR [com.novell.common.auth.sso.SSOFilter] (http-0.0.0.0-8080-1) Failed to perform SPNEGO Kerberos V5 SSO.
com.novell.common.auth.sso.SSOFilterException: Failed to perform SPNEGO Kerberos V5 SSO.
    at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:206)
    at com.novell.common.auth.sso.KerberosFilter.login(KerberosFilter.java:122)
    at com.novell.common.auth.sso.SSOFilter.doFilter(SSOFilter.java:111)
    at com.novell.common.auth.sso.KerberosFilter.doFilter(KerberosFilter.java:58)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.jboss.web.tomcat.service.session.ClusteredSessionValve.invoke(ClusteredSessionValve.java:109)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Unknown Source)
Caused by: GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT credentials failed!)
    at sun.security.jgss.krb5.Krb5AcceptCredential.getInstance(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Unknown Source)
    at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Unknown Source)
    at sun.security.jgss.GSSManagerImpl.getMechanismContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.spnego.SpNegoContext.GSS_acceptSecContext(Unknown Source)
    at sun.security.jgss.spnego.SpNegoContext.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(Unknown Source)
    at com.novell.common.auth.sso.KerberosFilter$SunSpengo.login(KerberosFilter.java:197)
    ... 25 more

Resolution

There were duplicate accounts created in AD with the same UPN name which was creating a conflict in Kerberos authentication with Novell User Application. Once one of the duplicates was deleted, the Novell  Admin account was able to successfully exchange the Kerberos credentials with AD.

Additional Information

When setting up SSO for User Application follow the steps in the User Application 3.7 documentation. 

Be sure you are consistent in the use of upper & lower cases.  The AD Domain name is the only thing that MUST be in uppercase, this is critical. 
 
All other settings should be in lowercase unless uppercase is required to access a server etc but be consistent in entering information. 

Feedback service temporarily unavailable. For content questions or problems, please contact Support.