Invoking DFS service using Kerberos authentication from SharePoint .net

Hello,

I am developing service that is connecting to Documentum 6.6 and getting documents etc. Right now I am trying to connect to services using Kerberos authentication but I have problem with getting kerberos ticket. My code looks like this:

IServiceContext serviceContext;

ISearchService searchService;

ContextFactory contextFactory = ContextFactory.Instance;

serviceContext = contextFactory.NewContext();

ServiceFactory serviceFactory = ServiceFactory.Instance;

KerberosTokenHandler handler = new KerberosTokenHandler();

String servicePrincipalName = "DFS/documetum66"; // this is the service principal name for your DFS service account in Active Directory.

using (KerberosClientContext kerberosClientContext = new KerberosClientContext(servicePrincipalName, true, ImpersonationLevel.Delegation))

{

KerberosBinarySecurityToken token = new KerberosBinarySecurityToken(kerberosClientContext.InitializeContext(), KerberosValueType.KERBEROSV5_AP_REQ);

handler.SetBinarySecurityToken(token);

List<IEndpointBehavior> handlers = new List<IEndpointBehavior>();

handlers.Add(handler);

handler.SetBinarySecurityToken(new KerberosBinarySecurityToken(kerberosClientContext.InitializeContext(), KerberosValueType.GSS_KERBEROSV5_AP_REQ));

searchService = serviceFactory.GetRemoteService<ISearchService>(serviceContext, "search",

settings.Address + "/services", handlers);

}

but the kerberosClientContext.InitializeContext() is throwing exception: WSE594: InitializeSecurityContext call failed with the following error message: An internal error occurred.

Does anybody tried to Invoke services using Kerberos and had similar issue or know the reason why it can happen ?

Regards,

Michal Jedrzejewski

Find more posts tagged with

Documentum

API

Comments

aflowers001

Whats the error on the server side?

m.jedrzej

Thanks Andy but It looks like the code is correct. Configuration of my machine and AD is wrong I will setup completely new environment for documentum and see if I can make it work. I will post my results.

m.jedrzej

Ok, I managed to get kerberos token - it was problem with environment. Right now I think I configured Documentum to use SSO, I can for example get repository list but when I am trying to execute some query on searchService using kerberos I am getting errors:

errorTrace in errorTrace.log

and I also attached server.log

It is probably still configuration problem but I dont know what more can I do. I did everything from DFS66 development guide and Documentum Administrator user guide to enable kerberos. Did someone had similar issue or know what can cause this error?

abc123

RepositoryInquiryService or SearchService to get repository list doesn't require any credentials so you would be able to get the list. The error log shows your Kerberos authenticaiton still doesn't work. To troubleshooting this issue, you need to check following items:

1. On DFS server side, enable debug in jaas.conf, enable tracing in dfs-runtime.properties of dfs-rt.jar, enable DEBUG level in log4j.properties.

2. On Content Server side, check whether the Kerberos plugin has been loaded successfully: C:\Documentum\dba\log\<docbase>.log. check whether the Kerberos user has been imported to/created in docbase.

Regards,

William

m.jedrzej

Thank you for answer.

1.I have enabled debug in local-dfs-runtime.properties and in log5j.properties in rps.ear (I have Documentum 6.6 developer edition so jboss is there by default) I couldnt find this file anywhere else. In server.log there is no additional info. Should I look for it somewhere else ? (sorry for that kind of questions but I am not very familiar with tomcat,jboss etc. )

03/26/12 01:40:13	dm_init: Plugin Version 1.0
03/26/12 01:40:13	dm_init: Initializing dm_krb plugin
03/26/12 01:40:13	dm_init: <C:\Documentum\dba\auth\kerberos\documentum.0001.keytab> loaded
03/26/12 01:40:13	dm_init: SPN <CS/DOCUMENTUM@KRB.DOCUMENTUM.COM> loaded
03/26/12 01:40:13	dm_init: Initialized dm_krb plugin

so the plugin seems to be initialized correctly. Kerberos users are created in docbase.

abc123

Please check whether DFS installation is avaiable at <DctmServer_MethodServer>\deploy\dfs.ear. Below are all items I have in mind to configure DFS kerberos deployment for your jboss.

configure local-dfs-runtime.properties and log4j.properties under APP-INF\classes. <seeing log file path from log4j.properties>
enable kerberos token server handler in authorized-service-handler-chain.xml.
configure spn, jaas.conf, and krb5.ini in services-core.war\WEB-INF\web.xml and all other war modules.
set debug=true in jaas.conf.
configure <DctmServer_MethodServer>\conf\login-config.xml for kerberos policy.

And follow DFS deployment guide for all other concerns.

Regards,

William

m.jedrzej

Thanks William your answers are very helpful.

I added jass.conf and ker5.ini to war modules and changed few things and right now I have new errors. (see logs below)

abc123

Error found in logs: "SEVERE: WSSERVLET11: failed to parse runtime descriptor: "Class: com.emc.documentum.fs.rt.handlers.KerberosTokenServerHandler could not be found".

As Kerberos failed, DFC unified login was activiated and then you saw a lot of authentication failures not relevant to Kerberos. Please check whether rps.ear contains 6.6 version of emc-dfs-rt.jar and the class com.emc.documentum.fs.rt.handlers.KerberosTokenServerHandler.

I would recommend you to customize your deployment in a standalone JBOSS server. Documentum Java Method Server is not expected to have much customization on it, though I had seen a successful Kerberos sample And if your case is urgent, please contact EMC tech support to review your configuration completely.

Regards,

William

m.jedrzej

I was desperate and I added entry to DctmServer_MethodServer\deploy\rps.ear\APP-INF\classes\authorized-service-hanlder-chain with kerberos handler which was unnecessary. Right now I am getting (only) this one error. (see logs below).

Case is urgent I am also waiting for support response. I would be nice if I could get confirmation that this code is fine and this is only configuration issue.

dustinb

Did you ever get this worked out? I'm also trying to get DFS to call services through .net. In your original code, why do you call InitializeContext twice? The second time you call it after you already added it to the handlers List and then do nothing with it. I am able to get a ticket the first time (though ContinueNeeded flag is set) but calling query service just returns null pointer exception.