Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
Situation
- NetIQ Access Manager Identity Server has been configured for Kerberos authentication
- All users trying to log in with the Kerberos method receive the error:
  Error processing SPNEGO/Kerberos GSS Context already established
- The configured Kerberos fallback authentication does not get executed. The fallback authentication configured on the Kerberos method is:
  FALLBACK_AUTHCLASS com.novell.nidp.authentication.local.PasswordClass
- The catalina.out on the NIDP server reports "Commit Succeeded" for the Kerberos authentication configuration
- A LAN trace shows no problems retrieving a Kerberos TGT from the KDC for the NIDP server
- The workstation sends the requested Kerberos TGS (service ticket) to the NIDP server
Resolution
The NIDP server could not find the user in the Active Directory user store. After receiving the TGS, the NIDP server runs an LDAP query for the User Principal Name (UPN) derived from the ticket, and that UPN did not match the UPN stored on the user object in Active Directory: the domain portion of the user's UPN was wrong for historical AD design reasons and reflected an outdated design. Configuring an additional UPN suffix on the Kerberos method, which makes the NIDP server run the LDAP query with an "OR" condition for the second suffix, did not fix the problem either, because the user's UPN matched neither suffix. After changing the user's UPN to the correct value, Kerberos authentication worked as expected.
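The following PowerShell script is an added example and is not part of the original TID or of the NetIQ product. It audits an AD domain for user objects whose userPrincipalName would not match the value the NIDP server queries for. It assumes that the RSAT ActiveDirectory module is available, that the Kerberos realm is the AD domain DNS name in upper case, and that the NIDP server queries userPrincipalName with the sAMAccountName from the ticket followed by the realm (or one of the additional suffixes configured on the Kerberos method); substitute the realm and suffixes from your own Kerberos class configuration.

```powershell
# Added example, not from the original TID: find AD users whose UPN suffix does not
# match the Kerberos realm (or an additional UPN suffix) that NIDP queries for.
# Assumptions: RSAT ActiveDirectory module installed; NIDP searches
# userPrincipalName=<sAMAccountName from ticket>@<realm> (OR the same name with an
# additional suffix); realm == AD domain DNS name in upper case.
Import-Module ActiveDirectory

# Kerberos realm of the NIDP keytab/SPN. Assumed here to be the current domain;
# replace with the realm from the NIDP Kerberos class if it differs.
$Realm = (Get-ADDomain).DNSRoot.ToUpperInvariant()

# Additional UPN suffixes configured on the Kerberos method (the "OR" branch of the
# LDAP query). Leave empty if none is configured.
$AdditionalSuffixes = @()

# All suffixes the NIDP query can match, compared case-insensitively.
$Accepted = @($Realm) + $AdditionalSuffixes | ForEach-Object { $_.ToLowerInvariant() }

# Enabled users whose UPN would not be found by the NIDP query.
$Mismatched = Get-ADUser -Filter { Enabled -eq $true } -Properties userPrincipalName |
    Where-Object {
        $upn = $_.UserPrincipalName
        # No UPN at all: the lookup cannot succeed.
        if ([string]::IsNullOrEmpty($upn)) { return $true }
        $parts = $upn.Split('@', 2)
        # A UPN without a suffix cannot match "<name>@<realm>".
        if ($parts.Count -lt 2) { return $true }
        $name   = $parts[0]
        $suffix = $parts[1].ToLowerInvariant()
        # Mismatch if the suffix is not one NIDP queries for, or the name part differs
        # from the sAMAccountName that appears as the client principal in the ticket.
        ($Accepted -notcontains $suffix) -or ($name -ne $_.SamAccountName)
    }

$Mismatched | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# Correct the UPN so that it equals the value NIDP will look up. -WhatIf only reports
# the change; remove it after reviewing the list above.
foreach ($u in $Mismatched) {
    $newUpn = '{0}@{1}' -f $u.SamAccountName, $Realm.ToLowerInvariant()
    Set-ADUser -Identity $u.DistinguishedName -UserPrincipalName $newUpn -WhatIf
}
```

Review the reported list before removing -WhatIf: a UPN change affects every consumer of that attribute (other federation or directory-synchronisation setups, mail address mappings), so coordinate it with the AD owners rather than treating it as a NAM-only change. If the affected users must keep their historical UPN, the alternative is to point the Kerberos class at a user attribute that does hold the ticket principal, but that is a configuration decision outside the scope of this TID.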