1 Reply. Latest reply: Oct 7, 2011 3:04 AM by 580566

Help with WindowsDesktopSSO and AMIdentity.getAttributes

580566 Newbie
Hi guys and girls,
I need some help from you experts.

I successfully set up, thanks to this guide

http://blogs.oracle.com/knittel/entry/opensso_windowsdesktopsso

and a lot of trial and error and googling, Kerberos authentication between OpenAM version 9.5.2 and an Active Directory server.
When I navigate to the openAM page (from a domain machine) http://<openAMhost>:<port>/opensso, it doesn't ask for credentials ...
and I can see, with ieHttpHeaders, the Kerberos data exchange.

Without creating an Active Directory DataStore (pointing to the same domain whose Kerberos data I use) in openAM,
when I navigate (from a domain machine) to the /opensso/idm/EndUser page, it always gives me:

"Plug-in com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo encountered an ldap exception. LDAP Error 32: The entry specified in the request does not exist."

Since my aim was to get user information from a web app ... I thought I could do this with an agent/SDK call, as I usually do with "classic" authentication.

Now I have created a J2EE agent (on openAM) to protect one of my applications, deployed on a JBoss 4.2.1-GA server.
The agent is configured with the default options and these changes:

Agent Filter Mode: J2EE_POLICY
User Mapping Mode: USER_ID
User Attribute Name: tried both employeenumber and uid
User Principal Flag: enabled
User Token Name: UserToken
FQDN Check: tried both enabled and disabled
WebAuthentication Available : Enabled

In my application, WEB-INF/jboss-web.xml looks like this:

     <?xml version="1.0" encoding="UTF-8"?>
     <jboss-web>
          <security-domain>java:/jaas/AMRealm</security-domain>
     </jboss-web>
Usually, when I authenticate with the "classic" (internal datastore) login, I can get user attributes programmatically with code like this:
    import java.util.HashSet;
    import java.util.Map;
    import java.util.Set;
    import javax.servlet.http.HttpServletRequest;
    import com.iplanet.sso.SSOToken;
    import com.iplanet.sso.SSOTokenManager;
    import com.sun.identity.agents.filter.AmFilterManager;
    import com.sun.identity.idm.AMIdentity;

    /** Resolves the logged-in user from the agent's SSO cache and prints a few of his attributes. */
    private String getCredenzialiUtente(HttpServletRequest request)
    {
        String SSOUsername = null;

        try
        {
            // getInstance() throws SSOException instead of returning null, so no null check is needed
            SSOTokenManager manager = SSOTokenManager.getInstance();

            // The J2EE agent filter has already validated the session for this request;
            // ask its cache for the token id rather than parsing the cookie ourselves
            String ssoTokenID = AmFilterManager.getAmSSOCache().getSSOTokenForUser(request);
            if (ssoTokenID == null)
                throw new RuntimeException("Unable to Get: TokenForUser");

            // createSSOToken() throws SSOException for an unknown id; check validity explicitly
            SSOToken ssoToken = manager.createSSOToken(ssoTokenID);
            if (!manager.isValidToken(ssoToken))
                throw new RuntimeException("SSO token is not valid");

            // Identity the token's universal id points at (constructor never returns null)
            AMIdentity amid = new AMIdentity(ssoToken);
            SSOUsername = amid.getName();
            System.out.println("######### USERNAME FROM SSO: " + SSOUsername);

            Set<String> info = new HashSet<String>();
            info.add("uid");
            info.add("givenName");

            // This is the call that hits the data store and fails with "LDAP Error 32"
            // when the user's entry cannot be found there
            Map<String, Set<String>> mappa = amid.getAttributes(info);

            if (mappa != null && !mappa.isEmpty())
            {
                for (Map.Entry<String, Set<String>> entry : mappa.entrySet())
                    System.out.println(entry.getKey() + " ==> " + entry.getValue());
            }
            else
            {
                System.err.println(" DAMN - NO ATTR ");
            }
        }
        catch (Exception exception)
        {
            exception.printStackTrace();
        }

        System.out.println("OUT getCredenzialiUtente: " + SSOUsername);
        return SSOUsername;
    }
When I log in to the console with the default "ldapService" module (from outside the domain), I get something like:
     2011-09-29 13:14:38,733 INFO  [STDOUT]  ####################################### USER = amadmin
     2011-09-29 13:15:32,250 INFO  [STDOUT] IN getCredenzialiLAit
     2011-09-29 13:15:32,260 INFO  [STDOUT] ######### USERNAME DA SSO: a2zarrillo
     2011-09-29 13:15:32,291 INFO  [STDOUT] uid ==> [a2zarrillo]
     2011-09-29 13:15:32,291 INFO  [STDOUT] givenName ==> [Antonio2]
     2011-09-29 13:15:32,311 INFO  [STDOUT] OUT getCredenziali: a2zarrillo
     2011-09-29 13:15:32,321 INFO  [STDOUT]  ####################################### USER = a2zarrillo
but when I try to log in from inside the domain (with Kerberos, so no credentials) with a domain user, I get:
     2011-09-29 13:15:39,496 INFO  [STDOUT] IN getCredenzialiLAit
     2011-09-29 13:15:39,503 INFO  [STDOUT] ######### USERNAME DA SSO: tonyweb
     2011-09-29 13:15:39,550 ERROR [STDERR] Message:Plug-in  encountered an ldap exception.  LDAP Error 32: The entry specified in the request does not exist.
     2011-09-29 13:15:39,554 ERROR [STDERR]      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     2011-09-29 13:15:39,560 ERROR [STDERR]      at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
     2011-09-29 13:15:39,562 ERROR [STDERR]      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
     2011-09-29 13:15:39,566 ERROR [STDERR]      at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
     2011-09-29 13:15:39,574 ERROR [STDERR]      at com.sun.identity.shared.jaxrpc.SOAPClient$SOAPContentHandler.createResourceBasedException(SOAPClient.java:834)
     2011-09-29 13:15:39,575 ERROR [STDERR]      at com.sun.identity.shared.jaxrpc.SOAPClient$SOAPContentHandler.endDocument(SOAPClient.java:800)
     2011-09-29 13:15:39,578 ERROR [STDERR]      at org.apache.xerces.parsers.AbstractSAXParser.endDocument(Unknown Source)
     2011-09-29 13:15:39,582 ERROR [STDERR]      at org.apache.xerces.impl.XMLDocumentScannerImpl.endEntity(Unknown Source)
     2011-09-29 13:15:39,587 ERROR [STDERR]      at org.apache.xerces.impl.XMLEntityManager.endEntity(Unknown Source)
     2011-09-29 13:15:39,592 ERROR [STDERR]      at org.apache.xerces.impl.XMLEntityScanner.load(Unknown Source)
     2011-09-29 13:15:39,598 ERROR [STDERR]      at org.apache.xerces.impl.XMLEntityScanner.skipSpaces(Unknown Source)
     2011-09-29 13:15:39,600 ERROR [STDERR]      at org.apache.xerces.impl.XMLDocumentScannerImpl$TrailingMiscDispatcher.dispatch(Unknown Source)
     2011-09-29 13:15:39,604 ERROR [STDERR]      at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
     2011-09-29 13:15:39,607 ERROR [STDERR]      at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
     2011-09-29 13:15:39,609 ERROR [STDERR]      at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
     2011-09-29 13:15:39,613 ERROR [STDERR]      at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
     2011-09-29 13:15:39,616 ERROR [STDERR]      at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
     2011-09-29 13:15:39,621 ERROR [STDERR]      at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
     2011-09-29 13:15:39,625 ERROR [STDERR]      at com.sun.identity.shared.jaxrpc.SOAPClient.send(SOAPClient.java:343)
     2011-09-29 13:15:39,633 ERROR [STDERR]      at com.sun.identity.shared.jaxrpc.SOAPClient.send(SOAPClient.java:311)
     2011-09-29 13:15:39,636 ERROR [STDERR]      at com.sun.identity.idm.remote.IdRemoteServicesImpl.getAttributes(IdRemoteServicesImpl.java:229)
     2011-09-29 13:15:39,639 ERROR [STDERR]      at com.sun.identity.idm.remote.IdRemoteCachedServicesImpl.getAttributes(IdRemoteCachedServicesImpl.java:402)
     2011-09-29 13:15:39,642 ERROR [STDERR]      at com.sun.identity.idm.AMIdentity.getAttributes(AMIdentity.java:344)
     2011-09-29 13:15:39,645 ERROR [STDERR]      at org.apache.jsp.MainPageJSP_jsp.getCredenzialiUtente(MainPageJSP_jsp.java:63)
     2011-09-29 13:15:39,648 ERROR [STDERR]      at org.apache.jsp.MainPageJSP_jsp._jspService(MainPageJSP_jsp.java:217)
     2011-09-29 13:15:39,653 ERROR [STDERR]      at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
     2011-09-29 13:15:39,660 ERROR [STDERR]      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
     2011-09-29 13:15:39,664 ERROR [STDERR]      at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:387)
     2011-09-29 13:15:39,666 ERROR [STDERR]      at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:320)
     2011-09-29 13:15:39,669 ERROR [STDERR]      at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:266)
     2011-09-29 13:15:39,673 ERROR [STDERR]      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
     2011-09-29 13:15:39,676 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
     2011-09-29 13:15:39,678 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     2011-09-29 13:15:39,683 ERROR [STDERR]      at com.sun.identity.agents.filter.AmAgentBaseFilter.allowRequestToContinue(AmAgentBaseFilter.java:127)
     2011-09-29 13:15:39,685 ERROR [STDERR]      at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:76)
     2011-09-29 13:15:39,690 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     2011-09-29 13:15:39,697 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     2011-09-29 13:15:39,701 ERROR [STDERR]      at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:687)
     2011-09-29 13:15:39,705 ERROR [STDERR]      at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:469)
     2011-09-29 13:15:39,710 ERROR [STDERR]      at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:403)
     2011-09-29 13:15:39,713 ERROR [STDERR]      at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:301)
     2011-09-29 13:15:39,716 ERROR [STDERR]      at com.sun.faces.context.ExternalContextImpl.dispatch(ExternalContextImpl.java:408)
     2011-09-29 13:15:39,725 ERROR [STDERR]      at com.sun.faces.application.ViewHandlerImpl.executePageToBuildView(ViewHandlerImpl.java:442)
     2011-09-29 13:15:39,729 ERROR [STDERR]      at com.sun.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:115)
     2011-09-29 13:15:39,730 ERROR [STDERR]      at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:178)
     2011-09-29 13:15:39,734 ERROR [STDERR]      at com.cid.faces.application.ViewHandlerImpl.renderView(ViewHandlerImpl.java:92)
     2011-09-29 13:15:39,741 ERROR [STDERR]      at com.sun.rave.web.ui.appbase.faces.ViewHandlerImpl.renderView(ViewHandlerImpl.java:295)
     2011-09-29 13:15:39,744 ERROR [STDERR]      at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:106)
     2011-09-29 13:15:39,747 ERROR [STDERR]      at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
     2011-09-29 13:15:39,750 ERROR [STDERR]      at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:144)
     2011-09-29 13:15:39,753 ERROR [STDERR]      at javax.faces.webapp.FacesServlet.service(FacesServlet.java:245)
     2011-09-29 13:15:39,761 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
     2011-09-29 13:15:39,765 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     2011-09-29 13:15:39,768 ERROR [STDERR]      at com.cid.faces.webapp.CidWebUIFilter._invokeDoFilter(CidWebUIFilter.java:239)
     2011-09-29 13:15:39,776 ERROR [STDERR]      at com.cid.faces.webapp.CidWebUIFilter._doFilterImpl(CidWebUIFilter.java:196)
     2011-09-29 13:15:39,780 ERROR [STDERR]      at com.cid.faces.webapp.CidWebUIFilter.doFilter(CidWebUIFilter.java:80)
     2011-09-29 13:15:39,788 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     2011-09-29 13:15:39,793 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     2011-09-29 13:15:39,797 ERROR [STDERR]      at com.sun.identity.agents.filter.AmAgentBaseFilter.allowRequestToContinue(AmAgentBaseFilter.java:127)
     2011-09-29 13:15:39,803 ERROR [STDERR]      at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:76)
     2011-09-29 13:15:39,807 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     2011-09-29 13:15:39,810 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     2011-09-29 13:15:39,813 ERROR [STDERR]      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
     2011-09-29 13:15:39,820 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
     2011-09-29 13:15:39,825 ERROR [STDERR]      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
     2011-09-29 13:15:39,829 ERROR [STDERR]      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
     2011-09-29 13:15:39,833 ERROR [STDERR]      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
     2011-09-29 13:15:39,836 ERROR [STDERR]      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
     2011-09-29 13:15:39,843 ERROR [STDERR]      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
     2011-09-29 13:15:39,846 ERROR [STDERR]      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
     2011-09-29 13:15:39,851 ERROR [STDERR]      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
     2011-09-29 13:15:39,854 ERROR [STDERR]      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
     2011-09-29 13:15:39,857 ERROR [STDERR]      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
     2011-09-29 13:15:39,860 ERROR [STDERR]      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
     2011-09-29 13:15:39,862 ERROR [STDERR]      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
     2011-09-29 13:15:39,866 ERROR [STDERR]      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
     2011-09-29 13:15:39,870 ERROR [STDERR]      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
     2011-09-29 13:15:39,874 ERROR [STDERR]      at java.lang.Thread.run(Thread.java:619)
     2011-09-29 13:15:39,877 INFO  [STDOUT] OUT getCredenziali: tonyweb
As you can see, I'm using the "sample" agentApp.war.
What am I missing? It "crashes" on the getAttributes() call :/

I thought it could be because I hadn't set up an LDAP DataStore ... so I set up an Active Directory Data Store.
While in the openAM console (from outside the domain) I can see (from the Subjects tab) the Active Directory users and their information
(like FirstName (=givenName), Surname (=sn), Full Name (=cn), etc.) ... when I try again with idm/EndUser (from a domain machine)
I get the same error:
     Message:Plug-in  encountered an ldap exception.  LDAP Error 32: The entry specified in the request does not exist.
What should I do now?
If you need more clarification ... just ask :)


Thank you in advance and sorry for the big post.

Best Regards,
Tony

P.S. By the way, my OpenAM configuration does not create any "amAuthWindowsDesktopSSO.log" :(
I set the message level for Authentication from opensso/Debug.jsp ... but it still doesn't create this log ... can you please tell me how to get openAM to write it?

Again, thank you
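The failing call in the post is amid.getAttributes(): AMIdentity built from the token resolves the session's universal id through the realm's data store, and LDAP result code 32 (noSuchObject) means that data store found no entry for that user under its configured base DN and search attribute. The following is an added example, not the poster's code nor part of OpenAM: it first tries the same universal-id path, and if that throws IdRepoException it searches the realm's data stores for the logon name as an attribute value instead, which sidesteps a mismatch between the data store's naming attribute and the name the Kerberos module put in the session. Assumptions, labelled in the code: the users and the agent live in the top-level realm "/", the AD attribute carrying the Kerberos logon name is sAMAccountName, the "UserId" and "AuthType" session properties are those set by OpenAM 9.5.2, and the class name SsoUserAttributes is invented.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdRepoException;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdSearchOpModifier;
import com.sun.identity.idm.IdSearchResults;
import com.sun.identity.idm.IdType;

/**
 * Added example (not the poster's code): fetch a user's attributes for a session that
 * may come from WindowsDesktopSSO, falling back to an attribute search when the token's
 * universal id does not resolve in the realm's data store (LDAP error 32).
 */
public final class SsoUserAttributes {

    /** Assumption: agent and users live in the top-level realm. */
    private static final String REALM = "/";

    /** Assumption: the AD attribute that carries the Kerberos logon name. */
    private static final String LOGON_ATTR = "sAMAccountName";

    /** Attributes worth returning to the web app (assumed AD attribute names). */
    private static final Set<String> WANTED =
            new HashSet<String>(Arrays.asList("sAMAccountName", "givenName", "sn", "mail"));

    private SsoUserAttributes() { }

    /** Strips a Kerberos realm suffix ("user@EXAMPLE.COM" -> "user") if one is present. */
    static String logonName(String principal) {
        int at = principal.indexOf('@');
        return at > 0 ? principal.substring(0, at) : principal;
    }

    public static Map<String, Set<String>> lookup(SSOToken token)
            throws SSOException, IdRepoException {
        SSOTokenManager mgr = SSOTokenManager.getInstance();
        if (!mgr.isValidToken(token)) {
            throw new SSOException("SSO token is not valid");
        }
        String authType = token.getProperty("AuthType");      // e.g. "WindowsDesktopSSO" or "LDAP"
        String user = logonName(token.getProperty("UserId"));

        // 1. Normal path: the identity the token's universal id points at.
        try {
            AMIdentity me = new AMIdentity(token);
            Map<String, Set<String>> attrs = me.getAttributes(WANTED);
            if (attrs != null && !attrs.isEmpty()) {
                return attrs;
            }
        } catch (IdRepoException e) {
            // This is where the post's "LDAP Error 32: The entry ... does not exist" surfaces.
            System.err.println("universal-id lookup failed (authType=" + authType
                    + ", code=" + e.getErrorCode() + "): " + e.getMessage());
        }

        // 2. Fallback: search the realm's data stores for LOGON_ATTR=user instead of
        //    relying on the naming attribute behind the universal id.
        AMIdentityRepository repo = new AMIdentityRepository(token, REALM);
        IdSearchControl ctl = new IdSearchControl();
        ctl.setMaxResults(2);       // exactly one expected; 2 lets us detect ambiguity
        ctl.setTimeOut(5000);       // milliseconds
        ctl.setReturnAttributes(WANTED);
        Map<String, Set<String>> avPairs = new HashMap<String, Set<String>>();
        avPairs.put(LOGON_ATTR, Collections.singleton(user));
        ctl.setSearchModifiers(IdSearchOpModifier.AND, avPairs);

        IdSearchResults results = repo.searchIdentities(IdType.USER, "*", ctl);
        @SuppressWarnings("unchecked")
        Set<AMIdentity> found = results.getSearchResults();
        if (found.size() != 1) {
            throw new IdRepoException("expected one user with " + LOGON_ATTR + "=" + user
                    + ", found " + found.size());
        }
        return found.iterator().next().getAttributes(WANTED);
    }
}
```

Call SsoUserAttributes.lookup(ssoToken) from the servlet in place of the direct amid.getAttributes(info) once the token has been obtained as in the post. The fallback only helps when the user's entry exists under the data store's base DN but is keyed by a different attribute; if the base DN itself is wrong the search returns nothing as well, and the check at the end throws rather than silently returning the first of several matches.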
  • 1. Solved
    580566 Newbie
    Weirdly enough, changing to the ADAM data store (and not the "standard" AD data store) solved the problem :D
    I still wonder why, since both plugins share the same Java [implementing] class...

    Regards,
    Tony
