Kerberos SSO on D6.7SP1

Hello Everyone,

I've spent almost 3 days trying to launch Kerberos SSO authentication on the following environment.

3 workstations with Windows 2008 SP2 Enterprise x64 registered in one domain.

Documentum CS 6.7 SP1 (with a patch applied).
Weblogic 12c Server with DA 6.7SP1 (with a patch applied) deployed on managed server. JDK 1.6-33 x64.
A client machine with Firefox v14.

I created LDAP configuration and synchronized it with a specific Active Directory branch. Sync user accounts authentication works fine.

There are 3 test user accounts:

user-wdk with registered HTTP SPN: HTTP/wdkapp.domain.com@DOMAIN.COM
user-cs wih registered CS SPN: CS/repo_name@DOMAIN.COM
user-test for client machine.

User source for these users has been changed to dm_kbr.

Keytab files were generated by means of ktpass utility. Delegation has been enabled for user-wdk to CS SPN only.

CS configuration has been done as follows:

CS SPN keytab file was placed at <%DOCUMENTUM%>\dba\auth\kerberos\
Docbase was restarted. dm_krb_docbaseid.log stated that Kerberos initialization went successfully.
Authentication tracing was enabled.

DA SSO configuration has been done as follows:

custom/app.xml authentication section has been copied from wdk/app.xml. kerberos_sso was enabled, domain was set to DOMAIN.COM, docbase login fallback was set to true.
HTTP SPN keytab file was placed at <%DA%>/WEB-INF/wdkapp.keytab
JAAS Kerberos configuration was placed at <%DA%>/WEB-INF/Krb5Login.conf
Kerberos settings file was placed at <%WINDIR%>/krb5.ini
I added next java parameters to java command line of managed server batch execution file:

‐Djava.security.krb5.config=%WINDIR%\krb5.ini

‐Djava.security.auth.login.config=<%DA%>/WEB-INF/Krb5Login.conf

‐Djava.security.auth.useSubjectCredsOnly=false

-Dsun.security.krb5.debug=true

I also enabled WDK web tracing and logging.

Testing time has come. I logged into client workstation with user-test credentials, opened Firefox, specified DA workstation URLI for 2 network.nego* options, restarted Firefox. Opened DA. The first screen appeared displaying repository selection and login button. Wireshark sniffed 2 KRB5 packets: TGS-REQ and TGS-REP. After I pressed login button it gently showed me default login fallback page. Kerberos SSO failed.

I logged into DA workstation and checked the log.

com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Token type = SPNEGO

com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Obtaining service token from SPNEGO

com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Accepting service token for SPN HTTP/wdkapp.domain.com@DOMAIN.COM

com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Failed to accept or delegate service token :No valid credentials provided

com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:GSSException: No valid credentials provided

at sun.security.jgss.krb5.Krb5Context.getDelegCred(Krb5Context.java:463)

at sun.security.jgss.GSSContextImpl.getDelegCred(GSSContextImpl.java:595)

at com.emc.documentum.kerberos.utility.AcceptResult.getDelegatedCred(AcceptResult.java:53)

at com.documentum.web.formext.session.KerberosSSOAuthenticationScheme.authenticate(KerberosSSOAuthenticationScheme.java:216)

at com.documentum.web.formext.session.AuthenticationService.authenticate(AuthenticationService.java:195)

at com.documentum.web.formext.session.KerberosSSOLogin.authenticate(KerberosSSOLogin.java:181)

at com.documentum.web.formext.session.KerberosSSOLogin.onLogin(KerberosSSOLogin.java:134)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

at java.lang.reflect.Method.invoke(Method.java:597)

at com.documentum.web.form.FormProcessor.invokeMethod(FormProcessor.java:1646)

at com.documentum.web.form.FormProcessor.invokeMethod(FormProcessor.java:1500)

at com.documentum.web.form.FormProcessor.fireActionEvent(FormProcessor.java:1305)

at com.documentum.web.form.RecallOperation.execute(RecallOperation.java:101)

at com.documentum.web.form.FormProcessor.processAction(FormProcessor.java:115)

at com.documentum.web.form.FormAction.processAction(FormAction.java:107)

at com.documentum.web.env.WDKController.doStartRequest(WDKController.java:202)

at com.documentum.web.env.WDKController.processRequest(WDKController.java:95)

at com.documentum.web.env.WDKController.doFilter(WDKController.java:86)

at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:74)

at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3288)

at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3254)

at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)

at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)

at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)

at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2163)

at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2089)

at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2074)

at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1513)

at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:254)

at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)

at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)

com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Browser Supported :true

com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Found SPNEGO token in client session

com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Token type = SPNEGO

com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Default docbase is null

com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Browser Supported :true

com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Can not authenticate with already processed spnego token

I spent some time debugging Kerberos jgss implementation and found nothing but delegation credentials are not being obtained from KDC. But why?

If my Kerberos SSO setup is technically correct, I'm open for any suggestions and ideas.

Thanks in advance.

Find more posts tagged with

Documentum

Comments

mkachan

By the way does anyone have a clue whether Generis CARA client supports Kerberos SSO?

VadimYakovlev

can you post your Krb5Login.conf?

VadimYakovlev

mkachan wrote:A client machine with Firefox v14.

I'm a bit confused. Do you test your SSO authentication with Firefox? If so, can you please point to the WDK/SSO configuration documentation where it states that the Firefox is supported? Because I didn't see it.

mkachan

Krb5Login.conf content:

HTTP-wdkapp-domain-com

{

com.sun.security.auth.module.Krb5LoginModule required

debug=true

principal="HTTP/wdkapp.domain.com@DOMAIN.COM"

refreshKrb5Config=true

useKeyTab=true

storeKey=true

doNotPrompt=true

useTicketCache=false

isInitiator=false

keyTab="E:/Documentum/DA/WEB-INF/wdkapp.keytab";

};

krb5.ini content:

[libdefaults]

default_realm = DOMAIN.COM

forwardable = true

ticket_lifetime = 24h

clockskew = 72000

default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac

default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac

permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1 rc4-hmac

[realms]

DOMAIN.COM = {

kdc = ADSERVER.DOMAIN.COM

admin_server = ADSERVER.DOMAIN.COM

}

mkachan

VadimYakovlev wrote:mkachan wrote:A client machine with Firefox v14.I'm a bit confused. Do you test your SSO authentication with Firefox? If so, can you please point to the WDK/SSO configuration documentation where it states that the Firefox is supported? Because I didn't see it.

First of all, EMC Documentum Kerberos SSO Authentication (A Detailed Review) document clearly states that Firefox is supported. But they list 3.x as maximum supported version. I have the most recent version.

<authentication> configuration node from app.xml contains the following:

<kerberos_sso>

...

...

</kerberos_sso>

Despite the version of Firefox, SPNEGO works fine in the beginning: it sends the token with a ticket and a session key to DA instance.

VadimYakovlev

If you ping the Domain Controller from your application server machine (wherever your DA or Taskspace is deployed) what do you get in reply in terms of FQDN and capitalization?

For example ADSERVER.DOMAIN.COM vs adserver.DOMAIN.COM. Make sure the values in krb5.ini reflect that.

Also, in the Krb5Login.conf you have

principal="HTTP/wdkapp.domain.com@DOMAIN.COM"

But when you look into the properties of this account in the Active Directory Manager, does it exactly reflect the value of "principal" (in terms of FQDN and capitalization, even .com vs .COM)?

Same with respect to the wdkapp.domain.com - I assume this is the name of your WDK application host? Make sure you use this in the browser's address bar exactly as it is defined in the "principal" value.

I did have exactly this error because there was some discrepancy in FQDN of the domain controller/principal account or it's capitalization throughout my configuration.

Can't recall exactly what it was and can't look back into my notes as I did it for my previous job last year. (eventually got the SSO working)

Yes, thank you, I also looked into the detailed doc and saw the Firefox there.

dctmque

Mkachan ..Can you please let me know how was this resolved i am getting the same error.

Failed to accept or delegate service token :No valid credentials provided

Thanks.

jmlim

I had made a video on how to setup the Kerberos SSO for webtop in following:

Kerberos SSO for Documentum Webtop - YouTube

Perhaps can help you.

Venkat_COS

The video is private. Can you please open it up for external consumption?