Tomcat + Active Directory (Kerberos): SSO Error

Hello,

I'm configuring an SSO with Tomcat + Active Directory (Kerberos) on an XI 3.1 SP3 server, following SAP Note 1483762.

Manual AD login is working OK, from InfoView or the Import Wizard.

After testing manual login, I modified Tomcat's server.xml to allow a bigger HTTP header with the parameter maxHttpHeaderSize="32768"
and
InfoViewApp\WEB-INF\web.xml to configure

authentication.default = secWinAD
siteminder.enabled = false
vintela.enabled = true

Internet Explorer has also been configured (logon integration, and intranet site).

Opening InfoView returns this error:

[DEBUG] Thu Dec 16 18:01:11 CET 2010 jcsi.kerberos: GSS: Acceptor supports: KRB5
16-12-10 18:01:11:997 - {ERROR} util.CommonsSsoLogger Thread [http-8080-Processor23]; Provider protocol error: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78
16-12-10 18:01:11:997 - {ERROR} util.CommonsSsoLogger Thread [http-8080-Processor23]; Session ID: 026FB2D635C5B2815A7934995E66A5C2
Request: /InfoViewApp/logon/logonService.do
Remote: 0:0:0:0:0:0:0:1
Principal: BOUSER@XXX.XXX.NET
Message: Could not authorize request: com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78

Any idea?

Thanks!


xavibo (BOB member since 2007-06-11)

Did you create the SPN for Vintela, and did you mention it correctly in web.xml?

You can verify all the steps for configuring Vintela SSO here: http://geek2live.net/posts/active-directory-sso-with-vintela-in-xi-3-1/


nicholas (BOB member since 2008-07-31)

thanks for the link.

The steps in the SAP Note are very similar. I added the "Replace a Process Level Token" right as requested in your link. I don't use a keytab, because I'm waiting to see that all is running OK.

One question about this command:

ktpass -out BOSSO.keytab -princ BOSSO/bo.service.power.internal@POWER.INTERNAL -mapuser bo.service@POWER.INTERNAL -pass admin -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

If bo.service is the service account, why do you reference it as bo.service.power.internal@POWER.INTERNAL? Is bo.service@POWER.INTERNAL valid?

My service account is boadmin. My domain is ADDOMAIN (FQDN: CUSTOMER.NET) and the SPN is BOCMS, so the correct ktpass command could be:

ktpass -out BOSSO.keytab -princ BOCMS/BOADMIN@CUSTOMER.NET -mapuser BOADMIN@CUSTOMER.NET -pass admin -kvno 255 -ptype KRB5_NT_PRINCIPAL -crypto RC4-HMAC-NT

My SPN is set with "setspn.exe -a BOCMS/ADDOMAIN BOAdmin", so in Step 8 I've tried in the CMC with Service principal name = BOADMIN and with Service principal name = BOCMS/ADDOMAIN.
Both allow me to log in manually.

In web.xml I've also tried idm.princ = BOADMIN and idm.princ = BOCMS/ADDOMAIN:

<init-param>
    <param-name>idm.princ</param-name>
    <param-value>BOADMIN</param-value>
</init-param>

When I try SSO with idm.princ = BOADMIN, in the log I can read:

[DEBUG] jcsi.kerberos: ** creating AS request .. **
 for client: BOADMIN
 at realm: CUSTOMER.NET 

and I get the ticket:

++++++++++++++++++++++++++++
Credential
client: BOADMIN@CUSTOMER.NET
session key: [23,  39 45 b e0 73 dd 62 54 a3 55 16 82 34 5a 9c 9e ]
service principal: krbtgt/CUSTOMER.NET@CUSTOMER.NET
valid from: Tue Dec 21 12:13:06 CET 2010
valid till: Tue Dec 21 22:13:04 CET 2010
Ticket:
  encryption type: 23
  service principal: krbtgt/CUSTOMER.NET@CUSTOMER.NET
ticket flags: forwardable forwarded 
valid for: all addresses
++++++++++++++++++++++++++++

and the error:

message com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78

description The server encountered an internal error (com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78) that prevented it from fulfilling this request.

When I try SSO with idm.princ = BOCMS/ADDOMAIN, in the log I can read:

[DEBUG] jcsi.kerberos: ** creating AS request .. **
 for client: BOCMS/ADDOMAIN
 at realm: CUSTOMER.NET

and it throws:

"{ERROR} [localhost].[/InfoViewApp] Thread [Thread-1];  Exception starting filter authFilter
com.wedgetail.idm.sso.ConfigException: Configured service principal name could not be found [caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Client not found in Kerberos database"

I will try with a keytab.

Thanks.


xavibo (BOB member since 2007-06-11)

Now in web.xml - idm.princ = BOCMS/ADDOMAIN is correct.

"Client not found in Kerberos database" means that it is not able to locate the user with which you are trying to log in. Please try kinit with the username@DOMAIN.COM format and see if you get a Kerberos ticket.

Another thing: check for duplicate UPNs for "BOCMS/ADDOMAIN", and confirm whether there is any Windows Server 2008 DC in your network.


nicholas (BOB member since 2008-07-31)

Thank you for your input.

Time to resume this work after the holidays.

kinit is running OK for boadmin:


kinit.exe boadmin@CUSTOMER.NET
New ticket is stored in cache file C:\Users\boadmin\krb5cc_BOADMIN

kinit.exe boadmin
New ticket is stored in cache file C:\Users\boadmin\krb5cc_BOADMIN

There is one Windows 2008 R2 DC in the network, but AD is in 2003 native mode.

web.xml with idm.princ = BOCMS/ADDOMAIN raises this error (Tomcat stdout.log):

[DEBUG] Fri Jan 14 13:15:56 CET 2011 jcsi.kerberos: Available KDC found: /xxx.xxx.xxx.xxx:88
[DEBUG] Fri Jan 14 13:15:56 CET 2011 jcsi.kerberos: Sending message to KDC: /xxx.xxx.xxx.xxx:88
[DEBUG] Fri Jan 14 13:15:56 CET 2011 jcsi.kerberos: Sending TCP request: /xxx.xxx.xxx.xxx:88
[DEBUG] Fri Jan 14 13:15:56 CET 2011 jcsi.kerberos:     connected;  sending length and request...
[DEBUG] Fri Jan 14 13:15:56 CET 2011 jcsi.kerberos:     sent request;  reading response length...
[DEBUG] Fri Jan 14 13:15:56 CET 2011 jcsi.kerberos:     read length;  reading 98-byte response...
[DEBUG] Fri Jan 14 13:15:56 CET 2011 jcsi.kerberos: --- got 98-byte response, initial byte = 0x7e
[DEBUG] Fri Jan 14 13:15:56 CET 2011 jcsi.kerberos: Message sent sucessfully to KDC: /xxx.xxx.xxx.xxx:88
14-01-11 13:15:56:721 - {ERROR} util.CommonsSsoLogger Thread [Thread-1];  VSJ credentials (principal, realm, keytab/password) are invalid
com.wedgetail.idm.sso.ConfigException: Configured service principal name could not be found [caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosError: Client not found in Kerberos database
KrbError:
	Error code: 6
	Error message: null
	Client name: null
	Client realm: null
	Client time: null
	Server name: krbtgt/CUSTOMER.NET
	Server realm: CUSTOMER.NET
	Server time: Fri Jan 14 13:15:56 CET 2011)]
	at com.wedgetail.idm.sso.util.Util.checkAgainstKDC(Util.java:176)
	at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator2(AbstractAuthenticator.java:556)
	at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:325)
	at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:131)
	at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
	at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:223)
	at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:304)
	at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:77)
	at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3634)
	at org.apache.catalina.core.StandardContext.start(StandardContext.java:4217)
	at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:759)
	at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:739)
	at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:524)
	at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:608)
	at org.apache.catalina.startup.HostConfig.deployDescriptors(HostConfig.java:535)
	at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
	at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1122)
	at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:310)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1021)
	at org.apache.catalina.core.StandardHost.start(StandardHost.java:718)
	at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1013)
	at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:442)
	at org.apache.catalina.core.StandardService.start(StandardService.java:450)
	at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
	at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

web.xml with idm.princ = BOADMIN raises this error:

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78

Tomcat stdout.log:

...
Ticket:
  encryption type: 23 (DECRYPTED OK) 
  service principal: BOCMS/ADDOMAIN@CUSTOMER.NET
  TransitedEncoding:
    
  client: BOAdmin@CUSTOMER.NET
  session key: [23,  e6 e6 44 32 fa 14 51 80 a5 91 d9 88 82 6 ac a6 ]
  ticket flags: forwardable ok-as-delegate preauthent 
  valid from: Fri Jan 14 12:35:46 CET 2011
  valid till: Fri Jan 14 22:35:41 CET 2011
  renew till: not renewable
  valid for:
    all addresses

[DEBUG] Fri Jan 14 12:35:46 CET 2011 jcsi.kerberos:   decrypted application request:

++++ KRB-AP-REQ Message ++++
encryption type: 23 (DECRYPTED OK)
ap options: 
Ticket:
  encryption type: 23
  service principal: BOCMS/APSA@CUSTOMER.NET
client: BOAdmin@CUSTOMER.NET
subkey: null
client time: Fri Jan 14 12:35:46 CET 2011
cusec: 428000
sequence number: 143341906
++++++++++++++++++++++++++++
[DEBUG] Fri Jan 14 12:35:46 CET 2011 jcsi.kerberos: Got delegated credential
[DEBUG] Fri Jan 14 12:35:46 CET 2011 jcsi.kerberos: Delegated credential: 
++++ KRB-CRED Message ++++
encryption type: 0 (DECRYPTED OK)
sender address: null
receiver address: null
nonce: 0
timestamp: Fri Jan 14 12:35:46 CET 2011
credentials: 
    
Credential
client: BOAdmin@CUSTOMER.NET
session key: [23,  98 2f 1f 42 73 28 d2 b0 16 64 16 f8 d0 51 c8 4d ]
service principal: krbtgt/CUSTOMER.NET@CUSTOMER.NET
valid from: Fri Jan 14 12:35:44 CET 2011
valid till: Fri Jan 14 22:35:41 CET 2011
Ticket:
  encryption type: 23
  service principal: krbtgt/CUSTOMER.NET@CUSTOMER.NET
ticket flags: forwardable forwarded 
valid for: all addresses
++++++++++++++++++++++++++++

[DEBUG] Fri Jan 14 12:37:05 CET 2011 jcsi.kerberos: GSS: Acceptor supports: KRB5
14-01-11 12:37:05:509 - {ERROR} util.CommonsSsoLogger Thread [http-80-Processor24];  Provider protocol error: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78
14-01-11 12:37:05:509 - {ERROR} util.CommonsSsoLogger Thread [http-80-Processor24];  Session ID: DC3E6EBD972E353041BD536D2B983344
	Request: /InfoViewApp/logon/logonService.do
	Remote: 0:0:0:0:0:0:0:1
	Principal: BOAdmin@CUSTOMER.NET
	Message: Could not authorize request: com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: com.dstc.security.util.asn1.Asn1Exception: Bad tag encountered: 78
14-01-11 12:37:05:556 - {ERROR} [/InfoViewApp].[jsp] Thread [http-80-Processor24];  Servlet.service() for servlet jsp threw exception
java.lang.NullPointerException
	at org.apache.jsp.httperror_005f500_jsp._jspService(httperror_005f500_jsp.java:98)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:97)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:334)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:314)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:264)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
	at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:672)
	at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:465)
	at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:398)
	at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
	at org.apache.catalina.core.StandardHostValve.custom(StandardHostValve.java:363)
	at org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:284)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:136)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
	at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
	at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
	at java.lang.Thread.run(Thread.java:595)


xavibo (BOB member since 2007-06-11)
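Two things in the logs above can be checked mechanically, and the added example below does both. It is my code, not code from the thread, from SAP or from the Vintela product. It decodes the token in an Authorization: Negotiate header far enough to say whether the browser sent raw NTLM, a bare Kerberos token, or SPNEGO (and which mechanisms SPNEGO offers), and it pulls error-code, realm and sname out of a KRB-ERROR reply such as the 98-byte message with initial byte 0x7e in the stdout.log. Two facts drive it: per RFC 2743 a GSS-API InitialContextToken starts with the DER tag 0x60, whereas a raw NTLMSSP message starts with the ASCII signature "NTLMSSP", whose first byte 'N' is 0x4E, 78 in decimal; and per RFC 4120 KRB-ERROR error-code 6 is KDC_ERR_C_PRINCIPAL_UNKNOWN, the reply a KDC gives when the name presented as the client of an AS-REQ is not a principal it knows. Whether the "78" in the Vintela message is really that first byte is my inference, not something the thread confirms. All header and message bytes are constructed inline; only the realm CUSTOMER.NET, the sname krbtgt/CUSTOMER.NET and the error code are copied from the KrbError dump above.

```python
"""Added example (not from the thread): classify an 'Authorization: Negotiate' token as
NTLM / Kerberos / SPNEGO, and decode error-code, realm and sname from a Kerberos KRB-ERROR."""
import base64

MECH_NAMES = {                          # GSS-API mechanism OIDs
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (MS legacy OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}
KRB_ERROR_NAMES = {                     # RFC 4120 section 7.5.9 (subset)
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",   # client name not in the KDC database
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",   # service name (SPN) not in the KDC database
    37: "KRB_AP_ERR_SKEW",              # clock skew between client, KDC and server
}
OID = {name: bytes.fromhex(h) for name, h in {          # DER-encoded OID contents
    "SPNEGO": "2b0601050502", "KRB5": "2a864886f712010202",
    "MSKRB5": "2a864882f712010202", "NTLMSSP": "2b06010401823702020a"}.items()}

def der(tag, body):                     # short-form DER TLV; sample builder only (all < 128 bytes)
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos=0):
    """Decode the DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):                     # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        yield tag, value

def decode_oid(body):                   # DER OID contents -> dotted string (first arcs 0 or 1 only)
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_negotiate_token(header_value):
    """(kind, detail) for the token in an 'Authorization: Negotiate <base64>' header."""
    raw = base64.b64decode(header_value.split(None, 1)[1])
    if raw.startswith(b"NTLMSSP\x00"):     # raw NTLM, never wrapped in GSS-API: first byte is
        return "NTLM", f"first byte 0x{raw[0]:02X} ({raw[0]} decimal)"  # 'N' = 0x4E = 78
    if raw[0] != 0x60:                     # RFC 2743 InitialContextToken is [APPLICATION 0]
        return "unknown", f"first byte 0x{raw[0]:02X}"
    _, body, _ = read_tlv(raw)
    _, oid_body, pos = read_tlv(body)      # thisMech OID
    mech = MECH_NAMES.get(decode_oid(oid_body), decode_oid(oid_body))
    if mech != "SPNEGO":
        return mech, "raw mechanism token"
    _, neg_init, _ = read_tlv(body, pos)   # [0] NegTokenInit
    _, seq, _ = read_tlv(neg_init)         # SEQUENCE { mechTypes [0], reqFlags [1], mechToken [2], ... }
    offered = []
    for tag, value in children(seq):
        if tag == 0xA0:                    # mechTypes: SEQUENCE OF OID the client is willing to use
            _, oid_seq, _ = read_tlv(value)
            offered = [MECH_NAMES.get(decode_oid(v), decode_oid(v)) for _, v in children(oid_seq)]
    return "SPNEGO", offered

def decode_krb_error(raw):
    """error-code, realm and sname from a KRB-ERROR ([APPLICATION 30], first byte 0x7E)."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x7E:
        raise ValueError(f"not a KRB-ERROR, first byte 0x{tag:02X}")
    _, seq, _ = read_tlv(body)             # SEQUENCE of [n] EXPLICIT fields
    out = {}
    for ctx, value in children(seq):
        _, inner, _ = read_tlv(value)
        if ctx == 0xA6:                    # error-code [6] Int32
            code = int.from_bytes(inner, "big", signed=True)
            out["error_code"], out["error_name"] = code, KRB_ERROR_NAMES.get(code, "?")
        elif ctx == 0xA9:                  # realm [9]
            out["realm"] = inner.decode()
        elif ctx == 0xAA:                  # sname [10] PrincipalName { name-type [0], name-string [1] }
            for f_tag, f_val in children(inner):
                if f_tag == 0xA1:
                    _, names, _ = read_tlv(f_val)
                    out["sname"] = "/".join(v.decode() for _, v in children(names))
    return out

# --- constructed samples (not captured from any real system) ---------------------------
NTLM_HEADER = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00\x07\x82\x08\xa2" + bytes(24)).decode()
_MECH_TYPES = der(0x30, b"".join(der(0x06, OID[m]) for m in ("KRB5", "MSKRB5", "NTLMSSP")))
SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    der(0x60, der(0x06, OID["SPNEGO"]) + der(0xA0, der(0x30, der(0xA0, _MECH_TYPES))))).decode()
_SNAME = der(0x30, der(0xA0, der(0x02, b"\x02"))                                  # name-type 2 (NT-SRV-INST)
         + der(0xA1, der(0x30, der(0x1B, b"krbtgt") + der(0x1B, b"CUSTOMER.NET"))))
KRB_ERROR = der(0x7E, der(0x30,                                                   # fields as in the KrbError dump
    der(0xA0, der(0x02, b"\x05")) + der(0xA1, der(0x02, b"\x1e"))                 # pvno 5, msg-type 30
    + der(0xA4, der(0x18, b"20110114121556Z")) + der(0xA5, der(0x02, b"\x00"))    # stime, susec
    + der(0xA6, der(0x02, b"\x06")) + der(0xA9, der(0x1B, b"CUSTOMER.NET")) + der(0xAA, _SNAME)))

if __name__ == "__main__":
    print(classify_negotiate_token(NTLM_HEADER))       # ('NTLM', 'first byte 0x4E (78 decimal)')
    print(classify_negotiate_token(SPNEGO_HEADER))
    print(decode_krb_error(KRB_ERROR))
```

To use it on a live case, copy the Authorization header value out of a browser or proxy capture and pass it to classify_negotiate_token. A result of NTLM means Kerberos was never negotiated on the client side (the SPN for the URL host, the browser zone settings, whether the user holds a domain logon), so no keytab change on the server can fix it; SPNEGO with Kerberos listed but the filter still failing points at the server's own credentials. A KRB-ERROR with code 6 in answer to the AS-REQ the filter sends at startup means the idm.princ value was looked up as a client principal and does not exist as one.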

As I suggested earlier, in web.xml idm.princ = BOCMS/ADDOMAIN is correct.

Please check SAP Note 1292886 - "Client not found in Kerberos database" when trying to set up Vintela or other Kerberos options with Windows 2008 domain controllers.



Resolution
The resolution is to apply the following Microsoft patch to all 2008 DCs that we may need to authenticate against.
http://support.microsoft.com/kb/951191

Not pasting the entire article as it may break the forum rules.

So try installing the patch on Windows Server 2008 or directly upgrade to Server 2008 R2.

Also, did you check for duplicate UPNs?


nicholas (BOB member since 2008-07-31)