2 Replies Latest reply on Jul 13, 2013 7:02 AM by user10498877

    Manual AD Directory Authentication fails after Kerberos Implementation




      We need your help to troubleshoot one issue which we are getting from many users after implementing PeopleSoft Kerberos SSO against AD. This issue is specific to Windows 7 PCs where the Kerberos token is not available.


      Some facts which we know:

      Kerberos will fail for users who are not logged into the system using the AD domain (as the Kerberos token will be invalid).


      These users are not on the AD domain, so SSO will fail, which is understandable. But we have designed our solution in such a way that when SSO fails, it triggers a login screen for PeopleSoft. The user can provide his credentials (user ID / AD password) manually, and LDAP directory authentication will be triggered using the AD servers.


      Note: our website is SSL enabled (HTTPS).


      On Windows 7, when a person outside the AD domain tries to connect, SSO fails (as the token is not found) -> the PeopleSoft login screen comes up in HTTPS -> the user connects using AD user ID and password -> the PeopleSoft login screen gets refreshed and nothing happens.


      Surprisingly, the same works on Google Chrome, or if I change the URL to HTTP.


      We have set secure connection "True" in web.xml for the Kerberos settings.


      Below is the Fiddler trace when we click the "sign in" button, on a non-AD-domain machine.



      Request Header
      POST /psp/PIMSTEST/?cmd=login&languageCd=ENG HTTP/1.1
      Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
      Referer: https://pimstest.equant.com/psp/PIMSTEST/?cmd=start&languageCd=ENG&cmd=login&errorCode=105
      Accept-Language: en-US,fr-FR;q=0.5
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
      Content-Type: application/x-www-form-urlencoded
      Accept-Encoding: gzip, deflate
      Host: pimstest.equant.com
      Content-Length: 0
      Connection: Keep-Alive
      Cache-Control: no-cache
      Cookie: ggnptestap1-80-PORTAL-PSJSESSIONID=KbhXRpGQ52hLJtWbbK0DJ1XGDbSJ9Wn2!386905482; SignOnDefault=

      Response Header
      HTTP/1.1 200 OK
      Cache-Control: no-cache
      Connection: close
      Date: Thu, 11 Jul 2013 10:19:09 GMT
      Content-Length: 13010
      Content-Type: text/html; CHARSET=utf-8
      Expires: Thu, 01 Dec 1994 16:00:00 GMT
      Set-Cookie: ggnptestap1-80-PORTAL-PSJSESSIONID=HBT3RpGdCX1q8W51ZxTz8hpQ2bCpMFKh!386905482; path=/; HttpOnly
      Set-Cookie: PS_TOKEN=; domain=; expires=Thu, 01-Jan-1970 01:00:00 GMT; path=/
      RespondingWithSignonPage: true
      X-Powered-By: Servlet/2.5 JSP/2.1




      Thanks for Help
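As an added illustration (not code from the original post), the following Python reads the two header blocks from the Fiddler trace above and flags what they show: a signon POST with Content-Length: 0 (no form fields were sent), the RespondingWithSignonPage: true marker, the cleared PS_TOKEN cookie, and the re-issued PSJSESSIONID. The trace text is constructed from the headers quoted in the post; the symptom names are my own.

```python
import re

# Constructed from the Fiddler trace quoted in the post (relevant headers only).
REQUEST = """POST /psp/PIMSTEST/?cmd=login&languageCd=ENG HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Cookie: ggnptestap1-80-PORTAL-PSJSESSIONID=KbhXRpGQ52hLJtWbbK0DJ1XGDbSJ9Wn2!386905482; SignOnDefault=
"""

RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: ggnptestap1-80-PORTAL-PSJSESSIONID=HBT3RpGdCX1q8W51ZxTz8hpQ2bCpMFKh!386905482; path=/; HttpOnly
Set-Cookie: PS_TOKEN=; domain=; expires=Thu, 01-Jan-1970 01:00:00 GMT; path=/
RespondingWithSignonPage: true
"""


def parse_message(raw):
    """Split an HTTP message into (start line, [(name, value), ...]); names lower-cased."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def diagnose_signon(request_raw, response_raw):
    """Return symptom codes found in a PeopleSoft signon POST / response pair."""
    req_line, req_hdrs = parse_message(request_raw)
    _, resp_hdrs = parse_message(response_raw)
    req = dict(req_hdrs)
    findings = []
    # A signon POST with an empty body: the browser never sent userid/pwd.
    if req_line.startswith("POST") and "cmd=login" in req_line \
            and req.get("content-length", "0") == "0":
        findings.append("empty_signon_post")
    # The web server answered with the signon page again, not the portal.
    if dict(resp_hdrs).get("respondingwithsignonpage", "").lower() == "true":
        findings.append("signon_page_returned")
    old_session = re.search(r"PSJSESSIONID=([^;]+)", req.get("cookie", ""))
    for name, value in resp_hdrs:
        if name != "set-cookie":
            continue
        # PS_TOKEN set empty and expired in 1970: no authenticated session exists.
        if value.startswith("PS_TOKEN=;") and "1970" in value:
            findings.append("ps_token_cleared")
        # A different PSJSESSIONID value: the previous web-server session was dropped.
        m = re.search(r"PSJSESSIONID=([^;]+)", value)
        if m and old_session and m.group(1) != old_session.group(1):
            findings.append("session_reissued")
    return findings
```

Running `diagnose_signon(REQUEST, RESPONSE)` on the constructed trace reports all four symptoms, which is consistent with the reported behaviour of the login page simply refreshing.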



        • 1. Re: Manual AD Directory Authentication fails after Kerberos Implementation

          Sounds like a challenging problem. What tools release? Can you detail more about what method you're using for Kerberos? LDAP lookup code is LDAP lookup code (I'm assuming you're using the delivered signon PeopleCode for that). I would expect it to either work or not work, so I'm more inclined to think the problem is with IE, especially with your other comments. What version of IE is it? Are there any entries in the APPSRV log indicating whether login is successful or not at the time? Failures would be logged by default, I would expect. The lack of an indication may mean something.

          • 2. Re: Manual AD Directory Authentication fails after Kerberos Implementation



            We are on PT 8.51. We use the delivered code in sign-on PeopleCode. IE is 8. But the same IE 8 works with Windows XP. The issue is with Windows 7 only...


            The app server does not show any connection when we have this failed login (manual AD authentication).


            Looks like the HTTP header values are not passed as they would be in Windows 7 + the token is not there...


            The web server itself kills the session...