0 Replies Latest reply on Feb 9, 2018 6:57 AM by Sergey Smirnov

    Integrate RSSO and Midtier (9.04)

    Sergey Smirnov

      Hello! Sorry that this is not in the Atrium SSO thread, but the activity there is not so big and it's hard to find an answer.

      RSSO is installed on a separate server (RHEL), midtier is also on a separate server (RHEL).

      Integrated RSSO with midtier. All without errors or warnings.

      Set up a Windows AD domain, set up Samba on the RSSO server to see the AD.

      On the RSSO server, also specified the settings in krb5.conf.

      Launched RSSO, logged in locally as the administrator, and specified for the Kerberos realm:

           cookie domain: test.ru

           application domain: test.ru

           KERBEROS: KDC server: dat.test.ru, SPN: HTTP/rsso.test.ru@TEST.RU, Kerberos Realm: test.ru, and created the keytab file

      Created a user in the AD domain (add it as in ARS)

      Clicked the "Test" button - all successful. The klist command on Windows shows entries.

      Set the IP and hostname for midtier and rsso in the hosts file (Windows user), set up Firefox (specified the trusted domain):

      network.negotiate-auth.trusted-uris     .test.ru

      network.automatic-ntlm-auth.trusted-uris     .test.ru

      Then tried to go to midtier in the browser: http://mt.test.ru/arsys/ - it redirects to rsso, but gives an error "unable to login, contact administrator". The log:

      SEVERE Thread_36 com.bmc.rsso.core.auth.extensions.kerberos.KerberosAuthentication.authenticate(): Unable to do kerberos authentication
      Details: null
          java.security.AccessController.doPrivileged(Native Method)
          javax.security.auth.Subject.doAs(Subject.java:422)
          com.bmc.rsso.core.auth.extensions.kerberos.KerberosAuthentication.authenticateKerberosToken(KerberosAuthentication.java:108)
          com.bmc.rsso.core.auth.extensions.kerberos.KerberosAuthentication.authenticate(KerberosAuthentication.java:99)
          com.bmc.rsso.auth.Authenticator.doAuth(Authenticator.java:131)
          com.bmc.rsso.auth.Authenticator.authenticate(Authenticator.java:47)
          com.bmc.rsso.servlet.LoginServlet.processRequest(LoginServlet.java:60)
          com.bmc.rsso.servlet.LoginServlet.doPost(LoginServlet.java:91)
          javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
          javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:743)
          org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:485)
          org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:410)
          org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:337)
          com.bmc.rsso.servlet.LoginRequestServlet.processRequest(LoginRequestServlet.java:127)
          com.bmc.rsso.servlet.LoginRequestServlet.doPost(LoginRequestServlet.java:144)
          javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
          javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          com.bmc.rsso.filter.GZIPFilter.doFilter(GZIPFilter.java:40)
          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          com.bmc.rsso.filter.CacheFilter.doFilter(CacheFilter.java:91)
          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          com.codahale.metrics.servlet.AbstractInstrumentedFilter.doFilter(AbstractInstrumentedFilter.java:104)
          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          org.apache.catalina.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:108)
          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          com.bmc.rsso.filter.ResponseHeaderFilter.doFilter(ResponseHeaderFilter.java:40)
          org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
          org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
          org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
          org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
          org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
          org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
          org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
          org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
          org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
          org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
          org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
          org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
          org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
          java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
          java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
          org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
          java.lang.Thread.run(Thread.java:748)

      WARNING Thread_36 com.bmc.rsso.auth.Authenticator.doAuth(): [30] user failed to login, auth type:IdPKerberos, order:1
      SEVERE Thread_36 com.bmc.rsso.auth.Authenticator.doAuth(): [30] User failed to login, username:null

      P.S. And in the catalina.out file:

      >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

       

      P.S. The solution was to put both the long and short SPN names
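
Editor's added example (not part of the original post, and not BMC code): a shell check that reports which SPN forms are missing from a principal listing such as `klist -k` or `setspn -L` output. It assumes "long and short names" means the FQDN form `HTTP/rsso.test.ru` and the bare-host form `HTTP/rsso`; the function name, the keytab path and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `klist -k` layout: only the long (FQDN) SPN is present.
SAMPLE_KLIST='Keytab name: FILE:/tmp/example-rsso.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/rsso.test.ru@TEST.RU'

# missing_spn_forms SERVICE FQDN   (hypothetical helper; listing on stdin)
# Prints each SPN form (FQDN, then short host) that the listing lacks.
# Prints nothing when both forms are present.
missing_spn_forms() {
    service=$1
    fqdn=$2
    short=${fqdn%%.*}            # rsso.test.ru -> rsso
    listing=$(cat)
    for host in "$fqdn" "$short"; do
        spn="$service/$host"
        # Split the listing into whitespace-separated tokens, drop any
        # @REALM suffix, then require an exact whole-token match. A plain
        # substring grep for HTTP/rsso would wrongly succeed on
        # HTTP/rsso.test.ru and hide the missing short name.
        if ! printf '%s\n' "$listing" | tr -s ' \t' '\n\n' |
             sed 's/@.*$//' | grep -iqxF -e "$spn"; then
            printf '%s\n' "$spn"
        fi
    done
}

# Demo on the constructed sample: reports the short form as missing.
printf '%s\n' "$SAMPLE_KLIST" | missing_spn_forms HTTP rsso.test.ru
```

On a real host, pipe the output of `klist -k` for the RSSO keytab, or of `setspn -L` for the service account, into the function instead of the sample.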