system
October 16, 2012, 7:58am
1
Hello!
I set up SSO following the instructions “Configuring Vintela SSO in Distributed Environments - Complete Guide”. The BOXI 3.1 server is named “sapboxi” and is joined to domain FIRST_DOMAIN. The service account is acc_serv@SECOND_DOMAIN. It was given all the necessary rights.
I issue the command:
I then created krb5.ini:
```ini
[Libdefaults]
default_realm = SECOND_DOMAIN
dns_lookup_kdc = true
dns_lookup_realm = true
udp_preference_limit = 1

[Realms]
SECOND_DOMAIN = {
    kdc = ABC.SECOND_DOMAIN
    default_domain = SECOND_DOMAIN
}
FIRST_DOMAIN = {
    kdc = XYZ.FIRST_DOMAIN
    default_domain = FIRST_DOMAIN
}
```
I checked with the kinit command:
```
kinit any_user@FIRST_DOMAIN
New ticket is stored …
kinit any_user@SECOND_DOMAIN
New ticket is stored …
```
Then I entered all the settings in BOXI.
When I run InfoView as user any_user@SECOND_DOMAIN, all is well.
When I run InfoView as user any_user@FIRST_DOMAIN, all is bad. The message is:
```
com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 2, Principal “HTTP/sapboxi.first_domain@FIRST_DOMAIN” using key: Principal: BOSSO/acc_serv.sapboxi.first_domain@SECOND_DOMAIN Type: 1 TimeStamp: Tue Oct 16 11:44:30 MSD 2012 KVNO: -1 Key: [23, 15 4a 62 56 56 53 6d 91 52 f0 3f 7d a0 0 99 30] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure [Note : principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?])
```
Please help!
UPDATE!
I found this in the Tomcat “stdout” log:
When I try to log in with any_user@SECOND_DOMAIN I get no error, and the log shows:
When I try to log in with any_user@FIRST_DOMAIN I get the error, and the log shows:
```
[DEBUG] Wed Oct 17 11:26:43 MSD 2012 jcsi.kerberos: Ticket service name is: HTTP/sapboxi.first_domain@FIRST_DOMAIN
[DEBUG] Wed Oct 17 11:26:43 MSD 2012 jcsi.kerberos: GSS name is: BOSSO/acc_serv.sapboxi.first_domain@SECOND_DOMAIN
[DEBUG] Wed Oct 17 11:26:43 MSD 2012 jcsi.kerberos: Using keytab entry for: BOSSO/acc_serv.sapboxi.first_domain@SECOND_DOMAIN
[DEBUG] Wed Oct 17 11:26:43 MSD 2012 jcsi.kerberos: ** decrypting ticket … **
with key
Principal: BOSSO/acc_serv.sapboxi.first_domain@SECOND_DOMAIN
Type: 1
TimeStamp: Wed Oct 17 11:18:07 MSD 2012
KVNO: -1
Key: [23, 15 4a 62 56 56 53 6d 91 52 f0 3f 7d a0 0 99 30 ]
[DEBUG] Wed Oct 17 11:26:43 MSD 2012 jcsi.kerberos: Could not decrypt service ticket with Key type 23, KVNO 2, Principal “HTTP/sapboxi.first_domain@FIRST_DOMAIN” using key:
Principal: BOSSO/acc_serv.sapboxi.first_domain@SECOND_DOMAIN
Type: 1
TimeStamp: Wed Oct 17 11:18:07 MSD 2012
KVNO: -1
Key: [23, 15 4a 62 56 56 53 6d 91 52 f0 3f 7d a0 0 99 30 ]
Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure [Note: principal names are different; this may or may not be a problem]
[Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?]
```
WildKlaus (BOB member since 2012-10-16)
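The log above is a keytab-matching failure: the service ticket was issued for HTTP/sapboxi.first_domain@FIRST_DOMAIN with encryption type 23 (RC4-HMAC) and KVNO 2, while the only key the server had was a wildcard-KVNO entry for a different principal in SECOND_DOMAIN. The following is an added example, not code from the post or from the Vintela/jcsi product: it writes and parses an MIT-format keytab (version 0x0502), pulls the ticket's enctype/KVNO/principal out of a "Could not decrypt" log line, and reports for each keytab entry which of the three checks fails. Assumptions: KVNO 0 is used in the example to stand in for the "KVNO: -1" wildcard entry in the log (jcsi's internal keytab representation is not described on the page), and the key bytes are constructed placeholders rather than the key material printed in the log.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

WILDCARD_KVNO = 0       # assumption: 0 stands in for the "KVNO: -1" wildcard shown in the log
ENCTYPE_RC4_HMAC = 23   # "Key type 23" in the log


@dataclass
class KeytabEntry:
    principal: str      # "service/host@REALM"
    kvno: int
    enctype: int
    key: bytes
    name_type: int = 1  # KRB5_NT_PRINCIPAL
    timestamp: int = 0


def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Serialize entries in MIT keytab format version 0x0502 (big-endian fields)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)  # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a 0x0502 keytab; records with a negative size are deleted slots and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:  # 32-bit vno present; it overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(strings[1:]) + "@" + strings[0], kvno, enctype, key, name_type, ts))
    return entries


_FAIL_RE = re.compile(r"Key type (\d+), KVNO (\d+), Principal [\"“]([^\"”]+)[\"”]")


def parse_decrypt_failure(line: str) -> Optional[Tuple[int, int, str]]:
    """Extract (enctype, kvno, service principal) from a jcsi 'Could not decrypt service ticket' line."""
    m = _FAIL_RE.search(line)
    return (int(m.group(1)), int(m.group(2)), m.group(3)) if m else None


def explain_ticket_mismatch(entries: List[KeytabEntry], ticket_principal: str,
                            ticket_enctype: int, ticket_kvno: int) -> List[Tuple[str, str]]:
    """For each keytab entry, report why it could not be an exact match for the ticket's key."""
    report = []
    for e in entries:
        notes = []
        if e.enctype != ticket_enctype:
            notes.append(f"enctype {e.enctype} != ticket enctype {ticket_enctype}")
        if e.principal != ticket_principal:
            notes.append("principal names are different")
        if e.kvno == WILDCARD_KVNO:
            notes.append("KVNO used wildcard match, not exact match")
        elif e.kvno != ticket_kvno:
            notes.append(f"KVNO {e.kvno} != ticket KVNO {ticket_kvno}")
        report.append((e.principal, "; ".join(notes) if notes else "exact match"))
    return report


# Constructed sample: the log line from the post and a keytab with the wildcard entry the
# server actually used plus the entry the FIRST_DOMAIN ticket would need (placeholder key bytes).
SAMPLE_LOG_LINE = ("[DEBUG] Wed Oct 17 11:26:43 MSD 2012 jcsi.kerberos: Could not decrypt service ticket "
                   "with Key type 23, KVNO 2, Principal \u201cHTTP/sapboxi.first_domain@FIRST_DOMAIN\u201d using key:")
SAMPLE_ENTRIES = [
    KeytabEntry("BOSSO/acc_serv.sapboxi.first_domain@SECOND_DOMAIN", WILDCARD_KVNO, ENCTYPE_RC4_HMAC, b"\x11" * 16),
    KeytabEntry("HTTP/sapboxi.first_domain@FIRST_DOMAIN", 2, ENCTYPE_RC4_HMAC, b"\x22" * 16),
]


def run_demo() -> List[Tuple[str, str]]:
    keytab = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    enctype, kvno, principal = parse_decrypt_failure(SAMPLE_LOG_LINE)
    return explain_ticket_mismatch(keytab, principal, enctype, kvno)


if __name__ == "__main__":
    for principal, verdict in run_demo():
        print(f"{principal}: {verdict}")
```

Run against a real keytab, `parse_keytab(open(path, "rb").read())` lists every principal, enctype and KVNO the server can try, which is the first thing to compare with the ticket's service name and KVNO from the log; a wildcard-KVNO entry under a different principal, as in the post, only works when the key itself is the current key of the principal the ticket was issued for.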
system
October 18, 2012, 7:28am
2
up
WildKlaus (BOB member since 2012-10-16)