Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 3.2 Identity Server with Kerberos enabled
NetIQ Access Manager 3.2 Identity Server with Kerberos enabled
Situation
After upgrading NetIQ Access Manager (NAM) from 3.2.1 to 3.2.2, any application that was protected with a kerberos contract would fail. Instead of being single signed on to the back end application via NAM, the standard NAM login page would be displayed asking for user credentials even though the user was authenticated to the workstation using Kerberos. This indicated that the Kerberos authentication had failed and the NAM Identity server fell back to form based login (default behaviour).
Prior to the upgrade from 3.2.1, users were not prompted to login again via login form.
Prior to the upgrade from 3.2.1, users were not prompted to login again via login form.
Resolution
Manually copy the old keytab file to /opt/novell/java/jre/lib/security/ directory and restart the IDP server.
As a best practice, it is stringly recommended that you call the keytab file on the NAM side nidpkey.keytab. This is the filename that is backed up during upgrades and variations on the name will cause the reference to the valid file to fail.
As a best practice, it is stringly recommended that you call the keytab file on the NAM side nidpkey.keytab. This is the filename that is backed up during upgrades and variations on the name will cause the reference to the valid file to fail.
Cause
Kerberos files are maintained by the upgrade when the keytab file is defined as per the docs with the name nidpkey.keytab. Anything non standard will not get upgraded:
upgrade_utility_functions.sh
says:
########################################################
# checkKerberos: make sure we don't break the Kerberos
# configuration when upgrading java
########################################################
backupKerberosConf()
{
if [ -d /opt/novell/java/jre/lib/security ]
then
jsdir=`pwd`
cd /opt/novell/java/jre/lib/security
[ -f bcsLogin.conf ] && tar cvf /tmp/kbconf.tar bcsLogin.conf >> "${MAIN_INSTALL_LOG}" 2>&1
[ -f nidpkey.keytab ] && tar umvf /tmp/kbconf.tar nidpkey.keytab >> "${MAIN_INSTALL_LOG}" 2>&1
cd $jsdir
fi
}
########################################################
# checkKerberos: make sure we don't break the Kerberos
# configuration when upgrading java
########################################################
backupKerberosConf()
{
if [ -d /opt/novell/java/jre/lib/security ]
then
jsdir=`pwd`
cd /opt/novell/java/jre/lib/security
[ -f bcsLogin.conf ] && tar cvf /tmp/kbconf.tar bcsLogin.conf >> "${MAIN_INSTALL_LOG}" 2>&1
[ -f nidpkey.keytab ] && tar umvf /tmp/kbconf.tar nidpkey.keytab >> "${MAIN_INSTALL_LOG}" 2>&1
cd $jsdir
fi
}
Additional Information
Log file entry in catalina showed the following for this user:
<amLogEntry> 2014-02-17T07:24:57Z DEBUG NIDS Application:
Method: LocalAuthenticationClass.<init>
Thread: http-bio-10.200.24.61-8080-exec-1
Parameter m_ExpiredCheck(ExpiredCheck) = false </amLogEntry>
Method: LocalAuthenticationClass.<init>
Thread: http-bio-10.200.24.61-8080-exec-1
Parameter m_ExpiredCheck(ExpiredCheck) = false </amLogEntry>
Debug is true storeKey true useTicketCache true useKeyTab true
doNotPrompt true ticketCache is
/opt/novell/java/jre/lib/security/spnegoTicket.cache isInitiator true KeyTab is
/opt/novell/java/jre/lib/security/thsvid20.keytab refreshKrb5Config is false
principal is HTTP/THSVID20.pharm.ie@PHARM.IE
tryFirstPass is false useFirstPass is false storePass is false clearPass is
false
Acquire TGT from Cache
Principal is HTTP/THSVID20.pharm.ie@HARM.IE
null credentials from Ticket Cache
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Key for the principal HTTP/THSVID20.pharm.ie@PHARM.IE not available in /opt/novell/java/jre/lib/security/thsvid20.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
Acquire TGT from Cache
Principal is HTTP/THSVID20.pharm.ie@HARM.IE
null credentials from Ticket Cache
Ordering keys wrt default_tkt_enctypes list
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 17 16 23 1 3.
Key for the principal HTTP/THSVID20.pharm.ie@PHARM.IE not available in /opt/novell/java/jre/lib/security/thsvid20.keytab
[Krb5LoginModule] authentication failed
Unable to obtain password from user
<amLogEntry> 2014-02-17T07:24:57Z SEVERE NIDS Application:
AM#100104105: AMDEVICEID#9E83BFD8D24490D6: Could not initialize Kerberos/GSS No
valid credentials provided (Mechanism level: Attempt to obtain new ACCEPT
credentials failed!) </amLogEntry>