6 Replies Latest reply on Sep 19, 2011 6:32 AM by Bill Robinson

    AD Authentication/SSO - user name field remains empty

    Johannes Richter

      Hello community,

      I'm trying to get SSO working. I followed the instructions in the admin guide.

      But currently the problem is that the "user name" box remains empty and grayed out.

      Maybe some hints on what I did:

      1. created AD user "blauthsvc"
      2. created SPN mapping for that user for the appserver
      3. copied keytab to br directory on appserver
      4. created blappserv_krb5.conf and blappserv_login.conf (see below)
      5. checked if ticket is generated by kinit - worked
      6. added user in format <user>@<realm> to RBAC (enabled for AD Auth)
      7. changed config via blasadmin:
        • set AuthServer IsADKAuthEnabled true
      8. restarted appserver

      Did I miss something?

      blappserv_krb5.conf:

        [libdefaults]
        ticket_lifetime = 6000
        default_realm = VIPCON.OFFICE

        [realms]
        VIPCON.OFFICE = {
          kdc = vip-server.vipcon.office:88
        }

        [domain_realm]
        .vipcon.office = VIPCON.OFFICE

      blappserv_login.conf:

        com.sun.security.jgss.accept {
          com.sun.security.auth.module.Krb5LoginModule required
          useKeyTab=true
          keyTab="C:\\BMC\\BladeLogic\\8.1\\NSH\\br\\blauthsvc.keytab"
          storeKey=true
          principal="blauthsvc/muc-vip-pocw070@VIPCON.OFFICE"
          doNotPrompt=true
          debug=false;
        };

      Config:

        bladmin:*>show AuthSer   all
        [AuthServer]
        ActiveDirectoryLdapUrl:
        ActiveDirectorySearchBase:
        AppServiceURLs:
        AuthSvcKrb5Config:blappserv_krb5.conf
        AuthSvcKrb5LoginConfig:blappserv_login.conf
        AuthSvcPort:9840
        AuthSvcSocketTimeout:90
        AuthSvcSocketsBindAddress:all
        IsADKAuthEnabled:true
        IsActiveDirectoryLdapCheckEnabled:
        IsDomainAuthEnabled:false
        IsLdapAuthEnabled:
        IsSRPAuthEnabled:true
        IsSSOCredRefreshEnabled:
        IsSecurIdAuthEnabled:
        IsSsoRefreshHostnameCheckEnabled:
        LdapUserDnTemplate:
        LdapUserValidationFilter:
        MaxAuthSvcContexts:20
        MaxAuthSvcThreads:3
        MaximumSessionCredentialLifetime:
        ProxyServiceURLs:
            service:proxysvc.bladelogic:blsess://muc-vip-pocw070:9882
        ReportServiceURLs:
        SessionCredentialLifetime:

      Thanks for your help!

      Regards
      Johannes

        • 1. AD Authentication/SSO - user name field remains empty

          Hi Johannes,

           

          What OS/SP is the Kerberos server and the AppServer?

          There are several mentions of a microsoft bug in win2k8sp2:

          "If you are using Windows 2008 without Service Pack 2, you should enter a user principal name rather than a service principal name. In other words, use blauthsvc instead of blauthsvc/app4."

          Have you used the klist command (page 190) to check the keytab on the AppServer?
          This will prove that your Kerberos is set up correctly.

          I also noticed that you haven't mentioned anything about setting up the client (BSSA console) side to use AD/Kerberos (page 194).
          Specifically the section on page 196, "Performing Windows-only client configuration tasks".

          I hope this helps.

           

          Barry

          • 2. AD Authentication/SSO - user name field remains empty
            Bill Robinson

            did you make the registry changes required on the client system?  what do the blclient_login.conf and blclient_krb5.conf and config.properties files look like on the client side?

            • 3. Re: AD Authentication/SSO - user name field remains empty
              Johannes Richter

              Hi Barry, hi Bill,

              Thanks for your answers. I really forgot the client configuration. Shame on me.

              Kerberos is Windows 2k3 SP2.
              AppServer is Windows 2008 R2.

              Now I did the following:

              1. added registry key "allowtgtsessionkey" with value of "1"
              2. reboot
              3. added blclient_login.conf and blclient_krb5.conf (see below)
              4. updated config.properties in BL directory and user directories (see below)

              Result is the same: user name box remains empty and grey.

              blclient_login.conf:

                com.sun.security.jgss.initiate {
                  com.sun.security.auth.module.Krb5LoginModule required
                  doNotPrompt=true
                  debug=false
                  useTicketCache=true;
                };

              blclient_krb5.conf:

                [libdefaults]
                ticket_lifetime = 6000
                default_realm = VIPCON.OFFICE

                [realms]
                VIPCON.OFFICE = {
                  kdc = vip-server.vipcon.office:88
                }

                [domain_realm]
                .vipcon.office = VIPCON.OFFICE

              config.properties:

                AUTH_TYPE=BLSSO
                java.security.krb5.conf=C\:\\BMC\\BladeLogic\\8.1\\NSH\\br\\blclient_krb5.conf
                java.security.auth.login.config=C\:\\BMC\\BladeLogic\\8.1\\NSH\\br\\blclient_login.conf
                javax.security.auth.useSubjectCredsOnly=false
                keystore=bladelogic.keystore
                CMUI.LASTUSER=
                WEBBROWSER=C\:\\Program Files\\Internet Explorer\\iexplore.exe
                show.tooltips=0
                APPSERVER_HOST=localhost
                CMUI.LASTROLE=
                APPSERVER_PORT=9829
                task_refresh_interval=5
                Current.Deploy.DestinationDir=/tmp/blade
                Current.Deploy.MinDiskFree=0
                Current.Deploy.BlockSize=0
                Current.Deploy.ParallelProcs=1
                Current.Deploy.BackupDirectory=/backup
                Current.Deploy.StageDir=/tmp/stage
                Current.Deploy.MinFileSize=0
                Current.Deploy.BackupSuffix=.bak
                Default.Notification.MaxEmailSize=1000
                max.model.cache.size=1000
                Available.Languages=en,fr,ja,zh
                Language=en
                Deploy.RegisterCOMComponents=true

              Anything wrong?

               

              Thanks

               

              Johannes
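A small consistency check over the two JAAS login configs and the krb5.conf posted in this thread, added here as an example; it is not part of the thread or of the BladeLogic product. It assumes the simple one-module entry form shown above and uses the option names documented for Sun's Krb5LoginModule, which are matched case-sensitively, so it reports the "Debug" key in the client file as ignored and confirms that the appserver's acceptor entry and principal realm line up with the krb5.conf.

```python
import re

# Krb5LoginModule option names; looked up as case-sensitive Map keys, so "Debug" is ignored.
KNOWN_OPTS = {"useKeyTab", "keyTab", "storeKey", "principal", "doNotPrompt", "debug",
              "useTicketCache", "ticketCache", "renewTGT", "isInitiator",
              "refreshKrb5Config", "useFirstPass", "tryFirstPass", "storePass", "clearPass"}

def parse_jaas(text):
    """Map entry name -> option dict for the simple JAAS form used in the thread."""
    return {name: dict(o.split("=", 1) for o in body.replace(";", "").split()[2:])
            for name, body in re.findall(r"([\w.]+)\s*\{(.*?)\}\s*;", text, re.S)}

def default_realm(krb5_text):
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    return m.group(1) if m else None

def check(jaas_text, krb5_text, side):
    """Findings for one side: 'accept' (appserver keytab) or 'initiate' (client TGT)."""
    opts = parse_jaas(jaas_text).get("com.sun.security.jgss." + side)
    if opts is None:
        return ["no com.sun.security.jgss.%s entry" % side]
    findings = ["option '%s' is not a Krb5LoginModule option and is ignored" % k
                for k in opts if k not in KNOWN_OPTS]
    if side == "accept":
        if opts.get("useKeyTab") != "true" or opts.get("storeKey") != "true":
            findings.append("acceptor needs useKeyTab=true and storeKey=true")
        princ = opts.get("principal", "").strip('"')
        if princ.rpartition("@")[2] != default_realm(krb5_text):
            findings.append("principal realm does not match default_realm")
    elif opts.get("useTicketCache") != "true":
        findings.append("initiator needs useTicketCache=true to reuse the Windows TGT")
    return findings

# Constructed samples, copied from the configs posted in this thread.
KRB5 = "[libdefaults]\nticket_lifetime = 6000\ndefault_realm = VIPCON.OFFICE\n"
APPSERVER_LOGIN = """com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
keyTab="C:\\\\BMC\\\\BladeLogic\\\\8.1\\\\NSH\\\\br\\\\blauthsvc.keytab"
storeKey=true
principal="blauthsvc/muc-vip-pocw070@VIPCON.OFFICE"
doNotPrompt=true
debug=false;
};"""
CLIENT_LOGIN = """com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
Debug=false
useTicketCache=true;
};"""
```

Run `check(APPSERVER_LOGIN, KRB5, "accept")` and `check(CLIENT_LOGIN, KRB5, "initiate")` to see the two reports.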

              • 4. Re: AD Authentication/SSO - user name field remains empty

                Hi Johannes,

                Did you run the tests I mentioned in the previous post?
                They will help pinpoint where the problem is.

                Please advise if the klist test worked.
                Also, are you seeing anything in the logs when you start the UI?

                These might seem like strange questions:
                1. Have you created an Authentication Profile?
                2. I notice that on my UI the username field looks grayed out, but I can still enter the user name. Can you?

                • 5. Re: AD Authentication/SSO - user name field remains empty
                  Johannes Richter

                  Hi Barry,

                  I did the klist and kinit tests and they were successful.
                  I tried it on a different client and it is working there. Great!

                  But it is still not clear why it is not working on the appserver itself.

                  Auth profile was created!

                  • 6. Re: AD Authentication/SSO - user name field remains empty
                    Bill Robinson

                    is the appserver a member of the domain you are logging into?

                    the registry key is different for windows server vs desktop - the product docs should have both locations listed - that may be the issue on the appserver.

                    what behaviour do you see on the appserver?  greyed login box w/ no username ?