17 Replies. Latest reply on Oct 11, 2017 5:23 AM by Evgeniy Serdyukov
      • 15. Re: RSSO Kerberos Authentication - SSO Service: NO Token data in request - Username: null
        Jameer Inamdar

        Hi Mpumelelo,

         

Most of the time when I have seen this error, it was due to a mismatched or incorrect SPN. Could you please confirm that the SSO URL host name configured for the Mid-Tier integration and the SPN that was created are the same?

 

For example, if you are using an LB / DNS entry for SSO, then the SPN needs to be for the LB / DNS host, not the actual RSSO host.

         

        HTH

        Jameer

        • 16. Re: RSSO Kerberos Authentication - SSO Service: NO Token data in request - Username: null
          Giuseppe Fentini

          Hello Mpumelelo,

           

Based on the error you posted above, I believe you should disable pre-auth for the user "tzm1610".

          • 17. Re: RSSO Kerberos Authentication - SSO Service: NO Token data in request - Username: null
            Evgeniy Serdyukov

I have the same problem with Kerberos authentication.

I found an article about Kerberos on the IBM site, and it gave some answers to my questions about why Kerberos didn't work:

            • Microsoft Internet Explorer is not configured with the RSSO server in the "Trusted sites" or "Local intranet" zone.

            • Microsoft Internet Explorer is not configured for Integrated Windows Authentication.

            • The client workstation and the RSSO server might be a member of different Active Directory domains (Kerberos realms).

            • The client workstation is not logged in to the Active Directory domain.

• The client workstation is not specifying the correct host name to access the RSSO server. The value specified for the -princ option of the ktpass command must be the same host name that the client will use to contact the RSSO server.

             

Now I have a working RSSO with Kerberos, but only on a domain PC and only in IE, without entering the RSSO address into the "Trusted sites" or "Local intranet" zone.

 

Let me go through an example; I think it will be more understandable.

            I have 3 servers:

            • Remedy SSO Server: vs-bmc-rsso02.ac.int
            • Mid-Tier Server: vs-bmc-mt02.ac.int
            • Domain Controller server for ac.int: vs-msc-dc2.ac.int

            Service user: rsso-spn with password Qwerty123

             

On the DC server, run cmd with administrator permissions and execute:

            setspn -S HTTP/VS-BMC-RSSO02.ac.int rsso-spn

            ktpass /out C:\BMC\remedysso.keytab /mapuser rsso-spn /princ HTTP/VS-BMC-RSSO02.ac.int@AC.INT /pass Qwerty123 /ptype KRB5_NT_PRINCIPAL /Target AC.INT /kvno 0 /crypto ALL

             

I use the following templates:

setspn -S HTTP/<HOST> <USER>

ktpass -out <file> -mapuser <user> -princ HTTP/<host>@<DOMAIN> -pass <password> -ptype KRB5_NT_PRINCIPAL -target <DOMAIN> -kvno 0 -crypto ALL

 

In the documentation you do not see the parameter -mapuser <user>.

And in the example from the documentation you see the parameter -princ without @<DOMAIN>.

The case of the host name is not important, but case is important for the <DOMAIN> attribute.

             

As a result, my RSSO Kerberos authentication works either with the keytab file or with the SPN password.

Examples of the settings are in the screenshots below:

            RSSO-Kerberos-password.png

             

            RSSO-Kerberos-keytab.png

             

When I tested authentication, I found some problems.

In the attachment you can see logs for some scenarios.

             

            Scenario 1

            PC from domain ac.int

            IE without Trusted zone for vs-bmc-rsso02.ac.int or *.ac.int

            Run IE, go to http://vs-bmc-mt02.ac.int/arsys/

Redirect to http://vs-bmc-rsso02.ac.int/rsso/... and it asks for Login and Password for Kerberos

Enter the correct login and password

            Authentication success

            Redirect to http://vs-bmc-mt02.ac.int/arsys/

            Fine, all work.

             

            Scenario 2

            PC from domain ac.int

            IE without Trusted zone for vs-bmc-rsso02.ac.int or *.ac.int

            Run Google Chrome v.61, go to http://vs-bmc-mt02.ac.int/arsys/

Redirect to http://vs-bmc-rsso02.ac.int/rsso/... and it asks for Login and Password for Kerberos

Enter the correct login and password

            Authentication failed.

             

            Scenario 3

            PC from domain ac.int

            IE with Trusted zone for *.ac.int

            Login to PC with login and password from scenario 1.

            Run IE, go to http://vs-bmc-mt02.ac.int/arsys/

            Authentication failed

             

In rsso.log, on the line "com.bmc.rsso.core.auth.extensions.kerberos.SPNEGOToken.checkIfTokenIsNTLM(): Base64 decoded Negotiate header:", I see that my header is very small and incorrect compared with the log from scenario 1.

             

            Scenario 4

            Login to PC Domain Controller - vs-msc-dc2.ac.int with login and password from scenario 1.

            Run IE, go to http://vs-bmc-mt02.ac.int/arsys/

            Authentication success.

            Fine, all work.

             

            Scenario 5

            Login to PC Domain Controller - vs-msc-dc2.ac.int with login and password from scenario 1.

            Run Google Chrome, go to http://vs-bmc-mt02.ac.int/arsys/

            Authentication success.

            Fine, all work.

             

            Scenario 6

            PC from another domain, not ac.int

            IE without Trusted zone for vs-bmc-rsso02.ac.int or *.ac.int

            Run IE, go to http://vs-bmc-mt02.ac.int/arsys/

Redirect to http://vs-bmc-rsso02.ac.int/rsso/... and it asks for Login and Password for Kerberos

Enter the correct login and password

Authentication failed.

             

            In rsso.log I see "com.bmc.rsso.core.auth.extensions.kerberos.SPNEGOToken.checkIfTokenIsNTLM(): Authentication token is NTLM but not SPNEGO. Check SPN mappings on Domain Controller"

             

            Scenario 7

            PC from another domain, not ac.int

            IE with Trusted zone for *.ac.int

            Run IE, go to http://vs-bmc-mt02.ac.int/arsys/

            Authentication failed.

             

            Scenario 8

            PC without domain

            IE without Trusted zone for vs-bmc-rsso02.ac.int or *.ac.int

            Run IE, go to http://vs-bmc-mt02.ac.int/arsys/

Redirect to http://vs-bmc-rsso02.ac.int/rsso/... and it asks for Login and Password for Kerberos

Enter the correct login and password

            Authentication failed.

             

             

Maybe the problem is HTTP without SSL. I'll try configuring HTTPS for the RSSO server and try some scenarios again.
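The two diagnostics that run through this thread are (a) Jameer's point that the SPN must be for the host name the browser actually uses (the LB / DNS alias, not the RSSO box), with Evgeniy's addition that the realm part is case-sensitive, and (b) the rsso.log check "Authentication token is NTLM but not SPNEGO", which is what the server sees when a client could not get a ticket for HTTP/<host> and fell back to NTLM. The following is an added example, not code from the thread or from BMC Remedy SSO: it decodes an `Authorization: Negotiate` value the way an SPNEGO acceptor does (bare NTLMSSP, bare Kerberos, or a SPNEGO NegTokenInit whose first offered mechanism and inner token tell you which path the browser took) and checks a ktpass-style SPN against the SSO URL and realm. The host `vs-bmc-rsso02.ac.int` and realm `AC.INT` are taken from Evgeniy's post; the sample tokens are constructed inside the block (the "AP-REQ" is a placeholder blob, not a real Kerberos ticket), and nothing here talks to a KDC.

```python
# Added example (not RSSO code): classify a Negotiate header as Kerberos vs NTLM and sanity-check an SPN.
import base64
import struct
from urllib.parse import urlparse

# GSS-API mechanism OIDs as DER content bytes (without the 0x06 tag).
SPNEGO_OID = bytes.fromhex("2b0601050502")          # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")      # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("2a864882f712010202")   # 1.2.840.48018.1.2.2 (Windows offers this first)
NTLMSSP_OID = bytes.fromhex("2b06010401823702020a") # 1.3.6.1.4.1.311.2.2.10
NTLM_SIGNATURE = b"NTLMSSP\x00"
MECH_NAMES = {KRB5_OID: "KRB5", MS_KRB5_OID: "MS-KRB5", NTLMSSP_OID: "NTLMSSP"}

def der(tag, content):
    """Encode one DER TLV with definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def read_tlv(buf):
    """Decode the first DER TLV in buf -> (tag, content, remaining bytes)."""
    tag, n, i = buf[0], buf[1], 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[i:i + n], buf[i + n:]

def classify_token(raw):
    """Describe a decoded Negotiate token: bare NTLM, bare Kerberos, or SPNEGO wrapper."""
    info = {"kind": "unknown", "mechs": [], "inner_ntlm": False}
    if raw.startswith(NTLM_SIGNATURE):            # browser sent NTLMSSP without SPNEGO
        return dict(info, kind="ntlm-raw")
    if len(raw) < 2 or raw[0] != 0x60:            # not a GSS-API InitialContextToken
        return info
    tag, oid, rest = read_tlv(read_tlv(raw)[1])   # first element must be the mech OID
    if tag == 0x06 and oid in (KRB5_OID, MS_KRB5_OID):
        return dict(info, kind="kerberos-raw")
    if tag != 0x06 or oid != SPNEGO_OID:
        return info
    info["kind"] = "spnego"
    tag, neg, _ = read_tlv(rest)                  # NegotiationToken: [0] NegTokenInit
    if tag != 0xA0:
        return info
    seq = read_tlv(neg)[1]                        # NegTokenInit ::= SEQUENCE { ... }
    while seq:
        tag, content, seq = read_tlv(seq)
        if tag == 0xA0:                           # [0] mechTypes: SEQUENCE OF OID
            oids = read_tlv(content)[1]
            while oids:
                _, o, oids = read_tlv(oids)
                info["mechs"].append(MECH_NAMES.get(o, o.hex()))
        elif tag == 0xA2:                         # [2] mechToken: OCTET STRING
            info["inner_ntlm"] = read_tlv(content)[1].startswith(NTLM_SIGNATURE)
    return info

def diagnose(header_value):
    """Acceptor-side view of one 'Authorization: Negotiate ...' value."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme.lower() != "negotiate":
        return "not-negotiate"
    info = classify_token(base64.b64decode(b64))
    if info["kind"] == "ntlm-raw" or info["inner_ntlm"] or info["mechs"][:1] == ["NTLMSSP"]:
        return "ntlm"       # client fell back: it got no ticket for HTTP/<host>
    if info["kind"] == "kerberos-raw" or info["mechs"][:1] in (["KRB5"], ["MS-KRB5"]):
        return "kerberos"
    return "unknown"

def spn_issues(sso_url, registered_spn, realm):
    """Check a ktpass-style SPN (HTTP/host@REALM) against the host name the browser really uses."""
    host = (urlparse(sso_url).hostname or "").lower()
    spn_host, _, spn_realm = registered_spn.partition("/")[2].partition("@")
    issues = []
    if spn_host.lower() != host:                  # host part: case does not matter
        issues.append(f"SPN host {spn_host!r} != URL host {host!r}")
    if spn_realm != realm:                        # realm: case matters, must be upper case
        issues.append(f"SPN realm {spn_realm!r} != {realm!r}")
    return issues

# Constructed sample tokens (not captured from a real browser).
def build_ntlm_type1():
    """NTLMSSP NEGOTIATE_MESSAGE: signature, type 1, flags, empty domain/workstation fields."""
    return NTLM_SIGNATURE + struct.pack("<II", 1, 0xA2088207) + bytes(16)

def build_spnego_init(mechs, mech_token):
    """SPNEGO NegTokenInit offering `mechs`, carrying `mech_token` for the first one."""
    mech_list = der(0xA0, der(0x30, b"".join(der(0x06, m) for m in mechs)))
    token = der(0xA2, der(0x04, mech_token))
    return der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30, mech_list + token)))

FAKE_AP_REQ = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + bytes(300))  # placeholder, not a real AP-REQ
SAMPLES = {
    "kerberos": build_spnego_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], FAKE_AP_REQ),
    "ntlm_wrapped": build_spnego_init([NTLMSSP_OID], build_ntlm_type1()),
    "ntlm_raw": build_ntlm_type1(),
}
HEADERS = {k: "Negotiate " + base64.b64encode(v).decode() for k, v in SAMPLES.items()}
```

`diagnose(HEADERS["kerberos"])` returns "kerberos" while both NTLM samples return "ntlm"; the wrapped case matters because a Windows client that has no ticket still sends a SPNEGO token, just one whose only mechanism is NTLMSSP, which is what the "NTLM but not SPNEGO" log line and Evgeniy's "very small" header in scenario 3 point to. `spn_issues("http://vs-bmc-rsso02.ac.int/rsso/", "HTTP/VS-BMC-RSSO02.ac.int@ac.int", "AC.INT")` reports only the lower-case realm, matching the thread's observation that host case is ignored but realm case is not; pointing it at a hypothetical alias such as `http://sso.ac.int/rsso/` with the same SPN reproduces Jameer's LB / DNS mismatch.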
