Kerberos sign-on PeopleCode not working (FUNCLIB_LDAP.LDAPAUTH.FieldDefault.KRB_AUTHENTICATION())

user10460082 Member Posts: 2
edited Nov 9, 2015 11:43AM in Kerberos & Java GSS (JGSS)

Hello,

I am trying to enable Kerberos authentication in our PeopleSoft system (Tools 8.53.24) and am having trouble with the sign-on PeopleCode. Specifically, the KRB_AUTHENTICATION() function in FUNCLIB_LDAP.LDAPAUTH.FieldDefault(). I have set up everything according to the directions in PeopleBooks. The web server is accepting a valid Kerberos token, and is executing the correct PeopleCode. It's successfully retrieving the user name from the token, but when it instantiates the KerberosSSOValidator class and calls the validate() method, it's returning a string of "NULL" for the &validUserName variable, which makes it fail the subsequent IF evaluation. See below and note the red highlighted code which indicates where my problem is:

     If Len(&userName) > 0 Then
        &krbToken = Substring(&krbToken, 11, Len(&krbToken) + 1);
        &validator = GetJavaClass("com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator").getInstance();
        Local string &validUserName = &validator.validate(&krbToken);

        If &validUserName <> "NULL" And
              &princName = &validUserName Then
           SetAuthenticationResult( True, Upper(&userName), "", False);
           &authMethod = "KRB";
        End-If;
     End-If;

I added some statements to insert the values of the various values that are in play in this block of code, and I can see that before calling &validator.validate(), &userName correctly holds the user ID that came through in the Kerberos token. I also confirmed that the call to instantiate KerberosSSOValidator is not returning a null object (if it was, the subsequent line would fail anyway). Yet validate() still returns a string of "NULL". Also, if I override the call to validate and hardcode &validUserName = "<my user name>", it successfully logs me (or anybody) in as my ID if they try and hit a PeopleSoft page.

Has anybody else experienced this error? Please respond with any information specific to this code, and not with Oracle's instructions on setting up Kerberos Authentication. I have thoroughly followed those steps.

Best Answer

  • user10460082
    user10460082 Member Posts: 2
    edited Nov 9, 2015 11:43AM Accepted Answer

    We finally resolved this issue. The problem was that when the keytab was generated, the -mapuser parameter was missing from the ktpass command. As a result the SPN was not properly mapped to the service account that we created for this functionality.
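
The fix described in the accepted answer, shown as an added example that is not part of the original thread: generating the keytab with `-mapuser`, then checking that the SPN landed on the intended service account. The host name, realm, account name, keytab path and the AES256-SHA1 encryption type are constructed placeholders, not values from the post.

```powershell
# Constructed placeholder values (assumptions, not taken from the original post).
$spn     = 'HTTP/psweb.example.com'   # SPN of the PeopleSoft web server
$realm   = 'EXAMPLE.COM'              # Kerberos realm (AD domain, upper case)
$account = 'EXAMPLE\svc-pskrb'        # service account created for Kerberos SSO
$keytab  = 'C:\temp\psweb.keytab'     # output keytab path

# 1. Generate the keytab AND map the principal to the service account.
#    If -mapuser is omitted, a keytab file is still written, but the SPN is
#    not mapped to the account, which is the failure described in the answer.
#    "-pass *" prompts for the password instead of exposing it on the command line.
ktpass -princ "${spn}@${realm}" -mapuser $account -pass * `
       -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out $keytab

# 2. Confirm the SPN is registered, and on the expected account.
setspn -Q $spn          # which account, if any, holds this SPN
setspn -L $account      # every SPN registered on the service account

# 3. Check that the SPN is not registered on more than one account;
#    duplicates also cause ticket validation to fail.
setspn -X

# 4. From a domain-joined client, request a fresh service ticket for the SPN.
klist purge
klist get $spn
```

If `setspn -Q` finds no account for the SPN, or finds an account other than the one whose key is in the keytab, the web server can still receive a token that the validator cannot accept.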

This discussion has been closed.