0 Replies Latest reply on Feb 9, 2018 6:56 AM by Sergey Smirnov

    Integrate RSSO and Midtier (9.04)

    Sergey Smirnov

      Hello!

      RSSO is installed on a separate server (RHEL), and midtier is also on a separate server (RHEL).

      Integrated RSSO with midtier, all without errors or warnings.

      Set up a Windows AD domain and set up Samba on the RSSO server to see the AD.

      On the RSSO server I also specified the settings in krb5.conf.

      Launched RSSO, logged in locally as the administrator, and specified for the Kerberos realm:

           cookie domain: test.ru

           application domain: test.ru

           KERBEROS: KDC server: dat.test.ru, SPN: HTTP/rsso.test.ru@TEST.RU, Kerberos Realm: test.ru, and created the keytab file

      Created a user in the AD domain (added it the same way as in ARS).

      Clicked the "Test" button - all successful. The klist command on Windows shows entries.

      Set the IP and hostname for midtier and RSSO in the hosts file (Windows user), and set up Firefox (specified the trusted domain):

      network.negotiate-auth.trusted-uris     .test.ru

      network.automatic-ntlm-auth.trusted-uris     .test.ru

      Then I try to go to midtier in the browser: http://mt.test.ru/arsys/ - it redirects to RSSO, but gives the error "unable to login, contact administrator". The log:

      WARNING Thread_41 com.bmc.rsso.core.auth.extensions.kerberos.SPNEGOToken.checkIfTokenIsNTLM(): Authentication token is NTLM but not SPNEGO. Check SPN mappings on Domain Controller

      WARNING Thread_41 com.bmc.rsso.core.auth.extensions.kerberos.SPNEGOToken.parseToken(): Token tag: 4e

      WARNING Thread_41 com.bmc.rsso.core.auth.extensions.kerberos.SPNEGOToken.parseToken(): Invalid SPNEGO token provided

      WARNING Thread_41 com.bmc.rsso.core.auth.extensions.kerberos.KerberosAuthentication.authenticate(): Kerberos token was not found

      WARNING Thread_41 com.bmc.rsso.auth.Authenticator.doAuth(): [0] user failed to login, auth type:IdPKerberos, order:1

      SEVERE Thread_41 com.bmc.rsso.auth.Authenticator.doAuth(): [1] User failed to login, username:null

      Tried "RSSO: Kerberos-Authentication fails" but it did not help.

      Maybe there are some solutions, or where do I have an error?

       

      UPD: aligned the time on the servers and the error changed:

      SEVERE Thread_36 com.bmc.rsso.core.auth.extensions.kerberos.KerberosAuthentication.authenticate(): Unable to do kerberos authentication

      Details: null

          java.security.AccessController.doPrivileged(Native Method)

          javax.security.auth.Subject.doAs(Subject.java:422)

          com.bmc.rsso.core.auth.extensions.kerberos.KerberosAuthentication.authenticateKerberosToken(KerberosAuthentication.java:108)

          com.bmc.rsso.core.auth.extensions.kerberos.KerberosAuthentication.authenticate(KerberosAuthentication.java:99)

          com.bmc.rsso.auth.Authenticator.doAuth(Authenticator.java:131)

          com.bmc.rsso.auth.Authenticator.authenticate(Authenticator.java:47)

          com.bmc.rsso.servlet.LoginServlet.processRequest(LoginServlet.java:60)

          com.bmc.rsso.servlet.LoginServlet.doPost(LoginServlet.java:91)

          javax.servlet.http.HttpServlet.service(HttpServlet.java:650)

          javax.servlet.http.HttpServlet.service(HttpServlet.java:731)

          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)

          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

          org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

          org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)

          org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)

          org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)

          org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)

          com.bmc.rsso.servlet.LoginRequestServlet.processRequest(LoginRequestServlet.java:127)

          com.bmc.rsso.servlet.LoginRequestServlet.doPost(LoginRequestServlet.java:144)

          javax.servlet.http.HttpServlet.service(HttpServlet.java:650)

          javax.servlet.http.HttpServlet.service(HttpServlet.java:731)

          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)

          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

          org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

          com.bmc.rsso.filter.GZIPFilter.doFilter(GZIPFilter.java:40)

          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

          com.bmc.rsso.filter.CacheFilter.doFilter(CacheFilter.java:91)

          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

          com.codahale.metrics.servlet.AbstractInstrumentedFilter.doFilter(AbstractInstrumentedFilter.java:104)

          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

          org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)

          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

          com.bmc.rsso.filter.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:40)

          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

          org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)

          org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)

          org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)

          org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)

          org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)

          org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)

          org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)

          org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)

          org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)

          org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)

          org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)

          java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

          java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

          org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

          java.lang.Thread.run(Thread.java:748)

       

      WARNING Thread_36 com.bmc.rsso.auth.Authenticator.doAuth(): [30] user failed to login, auth type:IdPKerberos, order:1

      SEVERE Thread_36 com.bmc.rsso.auth.Authenticator.doAuth(): [30] User failed to login, username:null

       

      P.S. The solution was to add both the long and short names for the SPN.
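
The first log excerpt in the post reports `Token tag: 4e` together with "Authentication token is NTLM but not SPNEGO". 0x4e is ASCII `N`, the first byte of the `NTLMSSP` signature, whereas a SPNEGO or Kerberos GSS-API initial token starts with tag 0x60 followed by a mechanism OID. The following is an added example, not part of the original post and not BMC's code, that classifies an `Authorization: Negotiate` header value the same way; the function names and sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                  # first byte 0x4e ('N')
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER OID 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER OID 1.2.840.113554.1.2.2

def _skip_der_length(buf, pos):
    """Return the offset just past the DER length field starting at buf[pos]."""
    first = buf[pos]
    if first < 0x80:                 # short form: one length byte
        return pos + 1
    count = first & 0x7F             # long form: 'count' length bytes follow
    if count == 0 or pos + 1 + count > len(buf):
        raise ValueError("bad DER length")
    return pos + 1 + count

def classify_negotiate(header_value):
    """Return (kind, first_byte_hex) for an 'Authorization: Negotiate ...' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return ("invalid", None)
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return ("invalid", None)
    if not token:
        return ("invalid", None)
    tag = f"{token[0]:02x}"          # the value a log would show as "Token tag"
    if token.startswith(NTLMSSP_SIGNATURE):
        return ("ntlm", tag)         # client fell back to NTLM, no Kerberos ticket
    if token[0] == 0x60:             # GSS-API InitialContextToken
        try:
            pos = _skip_der_length(token, 1)
        except (ValueError, IndexError):
            return ("invalid", tag)
        if token.startswith(SPNEGO_OID, pos):
            return ("spnego", tag)
        if token.startswith(KRB5_OID, pos):
            return ("kerberos", tag)
    return ("unknown", tag)

# Constructed sample tokens (not captured traffic).
_spnego_body = SPNEGO_OID + b"\xa0\x02\x30\x00"
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(
    b"\x60" + bytes([len(_spnego_body)]) + _spnego_body).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2").decode()
```

An `ntlm` result for a browser request means the client did not obtain a Kerberos service ticket for the requested host name, which is consistent with the SPN fix described in the P.S.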