SSO authentification problem (APEX 19.1)

f8cce20f-528d-4394-bb81-53e55fdb1db5

Hello, I try to configure SINGLE SIGN-ON for APEX using Kerberos I've followed the guide from Windows Integrated Authentication - HOWTO and this.

Following the first and second instruction, I caught the error http 401 and message in log:

01-Oct-2019 08:51:41.903 FINE [http-nio-8080-exec-2] org.apache.catalina.realm.JAASRealm.authenticate JAAS LoginContext created for username [real_user_name]01-Oct-2019 08:51:41.903 FINE [http-nio-8080-exec-2] org.apache.catalina.realm.JAASRealm.createPrincipal Checking Principal [HTTP/[email protected]_name] [javax.security.auth.kerberos.KerberosPrincipal]01-Oct-2019 08:51:41.903 FINE [http-nio-8080-exec-2] org.apache.catalina.realm.JAASRealm.createPrincipal No valid user Principal found01-Oct-2019 08:51:41.903 FINE [http-nio-8080-exec-2] org.apache.catalina.realm.JAASRealm.createPrincipal No valid role Principals found.01-Oct-2019 08:51:41.903 FINE [http-nio-8080-exec-2] org.apache.catalina.realm.JAASRealm.authenticate Username [real_user_name] NOT successfully authenticated

And then i followed the article and tweak the $CATALINA_HOME/conf/Catalina/localhost/apex.xml file by string userClassNames="javax.security.auth.kerberos.KerberosPrincipal":

<?xml version="1.0" encoding="UTF-8"?><Context>  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"      loginConfigName="APEX"  />  <Realm className="org.apache.catalina.realm.JAASRealm"   allRolesMode="authOnly"   appName="APEX"   userClassNames="javax.security.auth.kerberos.KerberosPrincipal"
  /></Context>

After that it's work fine:

01-Oct-2019 10:16:58.973 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.authenticate JAAS LoginContext created for username [A.Karetnikov]01-Oct-2019 10:16:58.973 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.createPrincipal Checking Principal [HTTP/[email protected]_name] [javax.security.auth.kerberos.KerberosPrincipal]01-Oct-2019 10:16:58.974 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.createPrincipal Principal [HTTP/[email protected]_name] is a valid user class. We will use this as the user Principal.01-Oct-2019 10:16:58.974 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.createPrincipal No valid role Principals found.01-Oct-2019 10:16:58.974 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.authenticate Username [real_user_name] successfully authenticated as Principal [{1}] -- Subject was created too                [Krb5LoginModule]: Entering logout                [Krb5LoginModule]: logged out Subject

But in application i see not real user name only KerberosPrincipal name http/[email protected]_name

When i configure "autentification scheme" as HTTP Header Variable,if i fill the field HTTP Header Variable Name as "SSO_USER" it doesnt't work, application show message "User not found", if i stay the field HTTP Header Variable Name emty it's work but i don't have real user name, only KerberosPrincipal name http/[email protected]_name.

Please specify what am I doing wrong?

Paavo

Hi

Please fix your nick

Can't say directly why it is not correct, but try making 'report' page to check do you have sso_user set? and in mt ag slideset p13 could lead to success?

rgrds Paavo

f8cce20f-528d-4394-bb81-53e55fdb1db5

I tried to change my nickname. The profile is displayed correctly, but not in the discussion

-------------------------------------------------------------------------------------------------------------------------

I created a page but it displays KerberosPrincipal name http/[email protected]_name

As for slide 13, I don’t understand where i set these settings. I have Tomcat 8.5

Paavo

Hi 35345234r2452343243r.3

I have understod that ORDS writes over the REMOTE_USER so you need to have SSO_USER for the header.

I am not sure how you can do it in your setup, but e.g. for me it shows it like this.

You should see the SSO_USER (the blue masked row).

rgrds Paavo

f8cce20f-528d-4394-bb81-53e55fdb1db5

Do You have Tomcat or Apache?

i deleted this from $CATALINA_HOME/webapps/apex/WEB-INF/web.xml but

<security-constraint>    <web-resource-collection>      <web-resource-name>APEX</web-resource-name>      <url-pattern>/*</url-pattern>    </web-resource-collection>    <auth-constraint>       <role-name>*</role-name>    </auth-constraint>  </security-constraint>  <login-config>     <auth-method>SPNEGO</auth-method>  </login-config>  

but then i don't see login information in logs

However I saw a similar picture like yours

but HTTP Header Variable Name authentication scheme set REMOTE_USER,

if i change this to "SSO_USER"

i can not enter the application, I see error "USER not found"

Paavo

Hi

In your debug-print page I can't see the SSO_USER so it is not set?

And yes the setup I use is different from yours due apache front so the setup is pretty close to this mt-ag guidelined on with the SSO_USER rewrite rule.

For the ORDS installation (tomcat) it was pretty straightforward but iterated it several times to get it ok with apex and tenants.

Maybe someone else can help you with the pure tomcat setup?

rgrds Paavo

f8cce20f-528d-4394-bb81-53e55fdb1db5

if i set HTTP Header Variable Name in authentication scheme to "SSO_USER", and then when I click on the link to the application, I see an error:

"USER not found"

Hm.. maybe this message tell something catalina.out:

>>>KRBError:         sTime is Wed Oct 02 14:04:56 MSK 2019 1570014296000         suSec is 520070         error code is 25         error Message is Additional pre-authentication required         sname is krbtgt/[email protected]         eData provided.         msgType is 30

I dont know what does it mean this error, but after that in log everthing OK

f8cce20f-528d-4394-bb81-53e55fdb1db5

Please help someone