
User Application SSO using Kerberos Method not working

I want to login via Active Directory Users into IDM User Application. For this I followed the below URL
https://www.netiq.com/documentation/idm45/setup_guide/data/b1dizhf5.html

After all the configuration, when I hit the User Application URL (http://dev.demo.local:8180/IDMProv) it asks for the Active Directory user credentials, and after entering the credentials I am redirected to the User Application login page, and in the User Application logs I get the below error
2017-10-27 17:22:28,168 [main] INFO  org.apache.catalina.startup.Catalina- Server startup in 126274 ms
Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is /opt/netiq/idm/apps/tomcat/kerberos/spnegoTicket.cache isInitiator true KeyTab is /home/novleas/dev.keytab refreshKrb5Config is true principal is HTTP/dev.demo.local@DEMO.local tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is HTTP/dev.demo.local@DEMO.local
null credentials from Ticket Cache
[Krb5LoginModule] authentication failed
Cannot locate KDC


I am using Windows Server 2012 R2 (Active Directory Server) and IDM 4.5.

I forgot to add, I am using SLES 11 SP3 for IDM 4.5.

On 2018-01-03 16:54, fartyalvikram wrote:
> Cannot locate KDC


Did you specify a KDC in your krb5.conf?

--
Norbert

klasen;2472937 wrote:
On 2018-01-03 16:54, fartyalvikram wrote:
> Cannot locate KDC


Did you specify a KDC in your krb5.conf?

--
Norbert


Now I am not getting any error inside the logs.
My krb5.conf file code is given below
[libdefaults]
default_realm = DEMO.LOCAL
kdc_timesync = 0
forwardable = true
proxiable = false
[realms]
DEMO.LOCAL = {
kdc = server.demo.local
admin_server = server.demo.local
}
[domain_realm]
.demo.local = DEMO.LOCAL
demo.local = DEMO.LOCAL

Now when I hit the User Application URL (http://dev.demo.local:8180/IDMProv) it redirects to the User Application login page, and when I enter the AD user credentials and click on login it gives the error that the login user name or password is wrong. In the User Application logs I am not getting any error; my logs freeze at that time, there is nothing.

In Step 4 of the below URL, can you please explain to me what exactly I have to do?
https://www.netiq.com/documentation/idm45/setup_guide/data/b1djz1eu.html
4. As an Administrator in Active Directory, create an end user account with the MCC to prepare for SSO.
The end user account name has to match some attribute value of an eDirectory user in order to support single sign-on. Create the user with some name such as cnano, remember the password, and ensure that User must change password at next logon is not selected.


Currently for Step 4, I just created a user in AD with cnano (user logon name) and added Administrator in "Member of". Do I need anything else for this step, and I want to know where we are using this user.

Now I can see the "Commit Succeeded" inside my User Application logs as given below
Total custom resource files loaded: 2

Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is /opt/netiq/idm/apps/tomcat/kerberos/spnegoTicket.cache isInitiator true KeyTab is /home/novleas/dev.keytab refreshKrb5Config is true principal is HTTP/dev@DEMO.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is HTTP/dev@DEMO.LOCAL
null credentials from Ticket Cache
principal is HTTP/dev@DEMO.LOCAL
Will use keytab
Commit Succeeded

Debug is true storeKey true useTicketCache true useKeyTab true doNotPrompt true ticketCache is /opt/netiq/idm/apps/tomcat/kerberos/spnegoTicket.cache isInitiator true KeyTab is /home/novleas/dev.keytab refreshKrb5Config is true principal is HTTP/dev@DEMO.LOCAL tryFirstPass is false useFirstPass is false storePass is false clearPass is false
Refreshing Kerberos configuration
Acquire TGT from Cache
Principal is HTTP/dev@DEMO.LOCAL
null credentials from Ticket Cache
principal is HTTP/dev@DEMO.LOCAL
Will use keytab
Commit Succeeded

card name-pwd-login com.novell.oidp.authentication.AuthenticationManager@48bfc90
card krb-login com.novell.oidp.authentication.AuthenticationManager@48bfc90
card eIDPLogin com.novell.oidp.authentication.AuthenticationManager@48bfc90
2018-01-11 18:39:28,362 [localhost-startStop-1] INFO org.apache.catalina.startup.HostConfig- Deployment of web application
archive /opt/netiq/idm/apps/tomcat/webapps/osp.war has finished in 12,306 ms

After this, when I hit the User App URL (http://192.168.1.111:8180/IDMProv/) it goes into a loop with the below URL
http://192.168.1.111:8180/osp/a/idm/auth/app?id&sid=0
It does not go to the login page of the User App; it goes again and again to that URL http://192.168.1.111:8180/osp/a/idm/auth/app?id&sid=0

Hi

I hope this can help you in the right direction:)

I'm running the user app 402 (RUNNING ON JBOSS) on a Windows Server 2012R2, and have Kerberos auth set up.

Here is the "Windows: C:\Windows\krb5.ini"

[libdefaults]
default_realm = demo.local
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
kdc_timesync = 0
forwardable = true
proxiable = false

[realms]
demo.local = {
kdc = dc01.demo.local
admin_server = dc01.demo.local

}

[domain_realm]
.demo.local = demo.local
demo.local = demo.local


jboss/server/context/conf/login-config.xml:

<application-policy name = "com.sun.security.jgss.krb5.accept">
<authentication>
<login-module code = "com.novell.common.auth.sso.KerberosCredentialLoginModule" flag = "required" />
<login-module code = "com.sun.security.auth.module.Krb5LoginModule" flag = "required">
<module-option name = "debug">true</module-option>
<module-option name = "kdc">dc01.demo.local</module-option>
<module-option name = "realm">demo.local</module-option>
<module-option name = "useKeyTab">true</module-option>
<module-option name = "keyTab">C:\novell\idm\Kerberos_SSO\rbpm401.keytab</module-option>
<module-option name = "storeKey">true</module-option>
<module-option name = "useFirstPass">true</module-option>
<module-option name = "principal">HTTP/idmuserapp.demo.local</module-option>
<!-- the Krb5LoginModule option name is doNotPrompt -->
<module-option name = "doNotPrompt">true</module-option>
</login-module>
</authentication>
</application-policy>

/Michael

Thanks for the reply.
I just want to know, inside the document they mentioned that
4. As an Administrator in Active Directory, create an end user account with the MCC to prepare for SSO.
The end user account name has to match some attribute value of an eDirectory user in order to support single sign-on. Create the user with some name such as cnano, remember the password, and ensure that User must change password at next logon is not selected.

So I want to know whether an MCC account is required for this User App SSO using Kerberos.
If yes, please guide me on what MCC is and how I can create an MCC account to get this SSO working.

fartyalvikram;2473320 wrote:
Thanks for the reply.
I just want to know, inside the document they mentioned that
4. As an Administrator in Active Directory, create an end user account with the MCC to prepare for SSO.
The end user account name has to match some attribute value of an eDirectory user in order to support single sign-on. Create the user with some name such as cnano, remember the password, and ensure that User must change password at next logon is not selected.

So I want to know whether an MCC account is required for this User App SSO using Kerberos.
If yes, please guide me on what MCC is and how I can create an MCC account to get this SSO working.


No...

It is only a test user that they wish you to create, for testing the SSO Kerberos login.

/Michael

I am using Identity Manager 4.5 on Linux (SLES 11 SP3) and Windows Server 2012 R2 for Active Directory.
So my User App is running on Tomcat, and I have already done the Kerberos configuration for Tomcat as given below
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
debug="true"
refreshKrb5Config="true"
useTicketCache="true"
ticketCache="/opt/netiq/idm/apps/tomcat/kerberos/spnegoTicket.cache"
doNotPrompt="true"
principal="HTTP/dev@DEMO.LOCAL"
useKeyTab="true"
keyTab="/home/novleas/dev.keytab"
storeKey="true";
};

And on the IDM Server, I have configured my /etc/krb5.conf file as given below
[libdefaults]
default_realm = DEMO.LOCAL
kdc_timesync = 0
forwardable = true
proxiable = false
[realms]
DEMO.LOCAL = {
kdc = server.demo.local
admin_server = server.demo.local
}
[domain_realm]
.demo.local = DEMO.LOCAL
demo.local = DEMO.LOCAL


Please correct me if I am wrong.

Hi

On the Tomcat you have (principal="HTTP/dev@DEMO.LOCAL")


Documentation is saying (principal="HTTP/DNS_Identity_Applications_server@WINDOWS-DOMAIN")

I'm quite sure it has to be something like this: rbpm.mycompany.com

/Michael
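As an added check that is not part of the thread or of the NetIQ product, assuming the Tomcat JAAS entry and the krb5.conf posted above as inputs (constructed copies, trimmed), this Python cross-checks the points the replies raised: a kdc entry for the realm, a correctly spelled [domain_realm] header, and a principal of the form HTTP/<FQDN users browse to>@<UPPER-CASE REALM>.

```python
import re
# Constructed inputs (from the posted configs, trimmed): short-host SPN and a misspelled header.
JAAS_CONF = '''com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab="true" keyTab="/home/novleas/dev.keytab"
  principal="HTTP/dev@DEMO.LOCAL" storeKey="true";
};'''
KRB5_CONF = '''[libdefaults]
default_realm = DEMO.LOCAL
[realms]
DEMO.LOCAL = {
kdc = server.demo.local
}
[domain_realms]
.demo.local = DEMO.LOCAL'''

def parse_krb5(text):
    # Minimal krb5.conf parser: {section: {key: value}}, with realm { } blocks nested.
    conf, sec, cur = {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('['):
            sec = cur = conf.setdefault(line.strip('[]'), {})
        elif line.endswith('{') and sec is not None:
            cur = sec[line.rstrip('{ =')] = {}
        elif line == '}':
            cur = sec
        elif '=' in line and cur is not None:
            key, val = (p.strip() for p in line.split('=', 1))
            cur[key] = val
    return conf

def check_spnego(jaas_text, krb5_text, app_host):
    # Cross-check the JAAS principal against krb5.conf and the URL host; [] means consistent.
    m = re.search(r'principal\s*=\s*"HTTP/([^@/"]+)@([^"]+)"', jaas_text)
    if not m:
        return ['principal is not in the documented HTTP/<host>@<REALM> form']
    host, realm = m.groups()
    conf = parse_krb5(krb5_text)
    findings = []
    if host.lower() != app_host.lower():
        findings.append(f'SPN host {host!r} is not the FQDN users browse to ({app_host!r})')
    if realm != realm.upper():
        findings.append(f'realm {realm!r} is not upper case (realm names are case-sensitive)')
    if 'kdc' not in conf.get('realms', {}).get(realm, {}):
        findings.append(f'no kdc entry for realm {realm!r} (the "Cannot locate KDC" symptom)')
    if 'domain_realm' not in conf:
        findings.append('no [domain_realm] section (check the header spelling)')
    return findings
```

Run it against the real /etc/krb5.conf and the Tomcat JAAS file with the host from the User Application URL; an empty list means the three configs agree with each other.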