SSO authentication problem (APEX 19.1)

f8cce20f-528d-4394-bb81-53e55fdb1db5
edited Oct 3, 2019 1:57AM in APEX Discussions

Hello, I am trying to configure SINGLE SIGN-ON for APEX using Kerberos. I've followed the guide from Windows Integrated Authentication - HOWTO and this.

Following the first and second instructions, I got an HTTP 401 error and this message in the log:

01-Oct-2019 08:51:41.903 FINE [http-nio-8080-exec-2] org.apache.catalina.realm.JAASRealm.authenticate JAAS LoginContext created for username [real_user_name]
01-Oct-2019 08:51:41.903 FINE [http-nio-8080-exec-2] org.apache.catalina.realm.JAASRealm.createPrincipal Checking Principal [HTTP/[email protected]_name] [javax.security.auth.kerberos.KerberosPrincipal]
01-Oct-2019 08:51:41.903 FINE [http-nio-8080-exec-2] org.apache.catalina.realm.JAASRealm.createPrincipal No valid user Principal found
01-Oct-2019 08:51:41.903 FINE [http-nio-8080-exec-2] org.apache.catalina.realm.JAASRealm.createPrincipal No valid role Principals found.
01-Oct-2019 08:51:41.903 FINE [http-nio-8080-exec-2] org.apache.catalina.realm.JAASRealm.authenticate Username [real_user_name] NOT successfully authenticated

Then I followed the article and tweaked the $CATALINA_HOME/conf/Catalina/localhost/apex.xml file by adding the attribute userClassNames="javax.security.auth.kerberos.KerberosPrincipal":

<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <Valve className="org.apache.catalina.authenticator.SpnegoAuthenticator"
         loginConfigName="APEX" />
  <Realm className="org.apache.catalina.realm.JAASRealm"
         allRolesMode="authOnly"
         appName="APEX"
         userClassNames="javax.security.auth.kerberos.KerberosPrincipal" />
</Context>

After that it works fine:

01-Oct-2019 10:16:58.973 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.authenticate JAAS LoginContext created for username [A.Karetnikov]
01-Oct-2019 10:16:58.973 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.createPrincipal Checking Principal [HTTP/[email protected]_name] [javax.security.auth.kerberos.KerberosPrincipal]
01-Oct-2019 10:16:58.974 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.createPrincipal Principal [HTTP/[email protected]_name] is a valid user class. We will use this as the user Principal.
01-Oct-2019 10:16:58.974 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.createPrincipal No valid role Principals found.
01-Oct-2019 10:16:58.974 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.authenticate Username [real_user_name] successfully authenticated as Principal [{1}] -- Subject was created too
                [Krb5LoginModule]: Entering logout
                [Krb5LoginModule]: logged out Subject

But in the application I do not see the real user name, only the KerberosPrincipal name http/[email protected]_name

[image: pastedImage_11.png]

When I configure the "authentication scheme" as HTTP Header Variable: if I fill the field HTTP Header Variable Name with "SSO_USER" it doesn't work, the application shows the message "User not found"; if I leave the field HTTP Header Variable Name empty it works, but I don't get the real user name, only the KerberosPrincipal name http/[email protected]_name.

[image: pastedImage_5.png]

[image: pastedImage_4.png]

Please tell me what I am doing wrong?

Answers

  • Paavo
    Paavo Member Posts: 747 Silver Badge
    edited Oct 1, 2019 5:29PM

    Hi

    Please fix your nick

    Can't say directly why it is not correct, but try making a 'report' page to check whether you have sso_user set? And the mt ag slideset p13 could lead to success?

    [image: pastedImage_1.png]

    rgrds Paavo

  • f8cce20f-528d-4394-bb81-53e55fdb1db5
    edited Oct 2, 2019 2:11AM

    I tried to change my nickname. The profile is displayed correctly, but not in the discussion

    -------------------------------------------------------------------------------------------------------------------------

    I created a page, but it displays the KerberosPrincipal name http/[email protected]_name

    [image: pastedImage_0.png]

    As for slide 13, I don't understand where I set these settings. I have Tomcat 8.5

  • Paavo
    Paavo Member Posts: 747 Silver Badge
    edited Oct 2, 2019 2:37AM

    Hi 35345234r2452343243r.3

    I have understood that ORDS writes over the REMOTE_USER, so you need to have SSO_USER for the header.

    I am not sure how you can do it in your setup, but e.g. for me it shows it like this.

    You should see the SSO_USER (the blue masked row).

    [image: pastedImage_1.png]

    rgrds Paavo
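As an added example (not code from this thread, nor Oracle's or Apache's), the Python script below does two things the diagnosis in the question and in the reply above call for: it parses the JAASRealm FINE lines quoted in the question and flags when the principal Tomcat exposed as the user is the HTTP/ service principal rather than the name the SPNEGO token was accepted for, and it shows how a fronting component should derive SSO_USER from the authenticated client principal while discarding any SSO_USER the client sent itself. The sample log lines, the host apex.example.com, the realm EXAMPLE.COM and all helper names are constructed for this example.

```python
# Added example (not from the thread, Oracle or Apache): triage the Tomcat
# JAASRealm FINE lines quoted in the question and derive a safe SSO_USER value.
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample modelled on the question's second log excerpt; the host
# apex.example.com and realm EXAMPLE.COM are placeholders, not the poster's values.
SAMPLE_LOG = """\
01-Oct-2019 10:16:58.973 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.authenticate JAAS LoginContext created for username [A.Karetnikov]
01-Oct-2019 10:16:58.973 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.createPrincipal Checking Principal [HTTP/apex.example.com@EXAMPLE.COM] [javax.security.auth.kerberos.KerberosPrincipal]
01-Oct-2019 10:16:58.974 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.createPrincipal Principal [HTTP/apex.example.com@EXAMPLE.COM] is a valid user class. We will use this as the user Principal.
01-Oct-2019 10:16:58.974 FINE [http-nio-8080-exec-3] org.apache.catalina.realm.JAASRealm.authenticate Username [A.Karetnikov] successfully authenticated as Principal [{1}] -- Subject was created too
"""

USERNAME_RE = re.compile(r"LoginContext created for username \[([^\]]+)\]")
CHOSEN_RE = re.compile(r"Principal \[([^\]]+)\] is a valid user class")


def is_service_principal(principal: str) -> bool:
    """Kerberos service principals carry an instance part: primary/instance@REALM."""
    return "/" in principal.partition("@")[0]


@dataclass
class JaasAuthResult:
    username: Optional[str]          # name the SPNEGO token was accepted for
    chosen_principal: Optional[str]  # what JAASRealm exposed as the user Principal

    def mismatch(self) -> bool:
        """True when the realm exposed something other than the authenticated user."""
        if self.chosen_principal is None:
            return False
        return (is_service_principal(self.chosen_principal)
                or self.chosen_principal.partition("@")[0] != self.username)


def parse_jaas_log(text: str) -> JaasAuthResult:
    """Pull the authenticated username and the chosen user Principal out of FINE logging."""
    username = chosen = None
    for line in text.splitlines():
        m = USERNAME_RE.search(line)
        if m:
            username = m.group(1)
        m = CHOSEN_RE.search(line)
        if m:
            chosen = m.group(1)
    return JaasAuthResult(username, chosen)


def principal_to_sso_user(principal: str, expected_realm: str) -> str:
    """Map an authenticated *client* principal to the value to put in SSO_USER."""
    name, sep, realm = principal.partition("@")
    if not sep or realm.upper() != expected_realm.upper():
        raise ValueError(f"unexpected realm in {principal!r}")
    if is_service_principal(principal):
        # A keytab identity such as HTTP/host@REALM must never become an app user.
        raise ValueError(f"refusing to map service principal {principal!r} to a user")
    # Upper-casing is an assumption of this example; match how your user table stores logins.
    return name.upper()


def proxy_headers(incoming: Dict[str, str], authenticated_principal: Optional[str],
                  realm: str, header: str = "SSO_USER") -> Dict[str, str]:
    """Headers a trusted front-end forwards to ORDS/APEX.

    The identity header is always stripped from the client request and only
    re-added from the principal the front-end itself authenticated; otherwise
    anyone who can reach ORDS could choose any APEX user by sending the header.
    """
    out = {k: v for k, v in incoming.items() if k.upper() != header.upper()}
    if authenticated_principal is not None:
        out[header] = principal_to_sso_user(authenticated_principal, realm)
    return out


if __name__ == "__main__":
    r = parse_jaas_log(SAMPLE_LOG)
    print(f"authenticated as {r.username}, exposed {r.chosen_principal}, mismatch={r.mismatch()}")
    print(proxy_headers({"SSO_USER": "ADMIN", "Host": "apex.example.com"},
                        "A.Karetnikov@EXAMPLE.COM", "EXAMPLE.COM"))
```

Run against the constructed log, `mismatch()` is true: the name the token was accepted for is A.Karetnikov, but the Principal the realm hands to the application is the HTTP/ service principal, which is exactly what the question reports seeing in APEX. `proxy_headers` captures the property the HTTP Header Variable scheme depends on: APEX trusts the header as-is, so whatever sets it must be the only path to ORDS and must overwrite, never pass through, a client-supplied value.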

  • f8cce20f-528d-4394-bb81-53e55fdb1db5
    edited Oct 2, 2019 3:33AM

    Do you have Tomcat or Apache?

    I deleted this from $CATALINA_HOME/webapps/apex/WEB-INF/web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>APEX</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>SPNEGO</auth-method>
    </login-config>

    but then I don't see login information in the logs

    [image: pastedImage_1.png]

    However, I saw a similar picture to yours

    [image: pastedImage_2.png]

    but with the HTTP Header Variable Name of the authentication scheme set to REMOTE_USER,

    [image: pastedImage_0.png]

    if I change this to "SSO_USER"

    I cannot enter the application, I see the error "USER not found"

    [image: pastedImage_1.png]

  • Paavo
    Paavo Member Posts: 747 Silver Badge
    edited Oct 2, 2019 5:48AM

    Hi

    In your debug-print page I can't see the SSO_USER, so it is not set?

    And yes, the setup I use is different from yours due to the Apache front, so the setup is pretty close to this mt-ag guideline with the SSO_USER rewrite rule.

    For the ORDS installation (tomcat) it was pretty straightforward, but I iterated it several times to get it ok with apex and tenants.

    Maybe someone else can help you with the pure tomcat setup?

    rgrds Paavo

  • f8cce20f-528d-4394-bb81-53e55fdb1db5
    edited Oct 2, 2019 7:09AM

    If I set HTTP Header Variable Name in the authentication scheme to "SSO_USER", and then click on the link to the application, I see an error:

    [image: pastedImage_1.png]

    "USER not found"

    Hm.. maybe this message in catalina.out tells something:

    >>>KRBError:
             sTime is Wed Oct 02 14:04:56 MSK 2019 1570014296000
             suSec is 520070
             error code is 25
             error Message is Additional pre-authentication required
             sname is krbtgt/[email protected]
             eData provided.
             msgType is 30

    I don't know what this error means, but after that everything in the log is OK

  • f8cce20f-528d-4394-bb81-53e55fdb1db5
    edited Oct 3, 2019 1:57AM

    Please help someone