5 Replies Latest reply on Mar 21, 2009 8:19 AM by 807573

    Windows Desktop SSO, Please verify the configuration

    807573
      Hi All,
I am testing Windows Desktop Authentication and it failed. Please help regarding the steps that I should follow. The documentation in the Access Manager Administration Guide is vague. It would be useful if someone explained the theory behind creating the keytab files.

      Setup:
      Access Manager Machine:
      host: am
      domain: testdomain.com
      Domain Controller machine:
      host: dc
      domain: TESTDOMAIN.COM

      Step 1:
      Created a user in AD with following credentials
      User id: am
      first name: am
      password: 123
      password never expires and do not require to change on next logon

      Step 2:
      running the ktpass utility on AD
      ktpass -princ host/am.testdomain.com@TESTDOMAIN.COM -pass 123 -mapuser userName -out am.host.keytab

      the output was:

      Targeting domain controller: dc.testdomain.com
      Using legacy password setting method
      Successfully mapped host/am.testdomain.com to am.
      WARNING: pType and account type do not match. This might cause problems.
      Key created.
      Output keytab to am.host.keytab:
      Keytab version: 0x502
      keysize 74 host/am.testdomain.com@TESTDOMAIN.COM ptype 0 (KRB5_NT_UNKNOWN) vno
      10 etype 0x17 (RC4-HMAC) keylength 16 (0x3dbde697d71690a769204beb12283678)


I thought the warning was the problem, so I removed it by supplying the ptype attribute.

Now I ran the second command:
      ktpass -princ HTTP/am.testdomain.com@TESTDOMAIN.COM -pas 123 -mapuser am -out am.HTTP.keytab

      the output was:
      Targeting domain controller: dc.testdomain.com
      Using legacy password setting method
      Successfully mapped host/am.testdomain.com to am.
      WARNING: pType and account type do not match. This might cause problems.
      Key created.
      Output keytab to am.HTTP.keytab:
      Keytab version: 0x502
      keysize 74 host/am.testdomain.com@TESTDOMAIN.COM ptype 0 (KRB5_NT_UNKNOWN) vno
      11 etype 0x17 (RC4-HMAC) keylength 16 (0x3dbde697d71690a769204beb12283678)

      Step 3
I copied the files to the Access Manager server in /tmp.

      Step 4
I logged into the Access Manager console, went to the Service Configuration tab, clicked beside Windows Desktop SSO and supplied the following parameters:

      Service Principal: host/am.testdomain.com@TESTDOMAIN.COM
      Keytab File Name: /tmp/am.HTTP.keytab
      Kerberos Realm: TESTDOMAIN.COM
      Kerberos Server Name: dc.testdomain.com
      Return Principal with Domain Name: false
      Authentication Level: 0

I clicked Save.

      Step 5

I assigned the Windows Desktop SSO authentication service to the top-level organization and to the next level as well.


      Test case 1
Created the same user in AD and in the Access Manager top-level organization.
Internet Explorer was all set; I just added the hostname am.testdomain.com to the Local Intranet zone.
I accessed the following URL:

      http://am.testdomain.com/amserver/UI/Login?module=WindowsDesktopSSO
I received the message:

      "Authentication Failed"


At the server end, here are the results:

1 - amAuthentication.error

      "2007-02-23 13:55:33" "Login Failed|module_instance|WindowsDesktopSSO" WindowsDesktopSSO AUTHENTICATION-268 o=employees,dc=testdomain,dc=com "Not Available" INFO "Not Available" 192.168.200.11 "cn=dsameuser,ou=DSAME Users,o=employees,dc=testdomain,dc=com" 192.168.200.11


2 - the debug file amAuthWindowsDesktopSSO

      ******************************************************
      02/24/2007 11:25:36:892 AM PKT: Thread[service-j2ee,5,main]
      ERROR: Service Login Error:
      02/24/2007 11:37:22:580 AM PKT: Thread[service-j2ee,5,main]
      ERROR: Service Login Error:
      02/24/2007 11:40:14:278 AM PKT: Thread[service-j2ee,5,main]
      ERROR: Service Login Error:
      02/24/2007 11:40:19:682 AM PKT: Thread[service-j2ee,5,main]
      ERROR: Service Login Error:
      02/24/2007 11:58:43:763 AM PKT: Thread[service-j2ee,5,main]
      ERROR: Service Login Error:
      02/24/2007 12:03:03:190 PM PKT: Thread[service-j2ee,5,main]
      ERROR: Service Login Error:
      02/24/2007 12:04:42:440 PM PKT: Thread[service-j2ee,5,main]
      ERROR: Service Login Error:
      02/24/2007 12:06:55:286 PM PKT: Thread[httpservice-spi,5,main]
      ERROR: Service Login Error:
      ******************************************************
      02/24/2007 12:27:22:453 PM PKT: Thread[service-j2ee,5,main]
      WindowsDesktopSSO params:
      principal: HTTP/am.testdomain.com@TESTDOMAIN.COM
      keytab file: /tmp/am.HTTP.keytab
      realm : TESTDOMAIN.COM
      kdc server: dc.testdomain.com
      domain principal: false
      auth level: 0
      02/23/2007 12:27:22:456 PM PKT: Thread[service-j2ee,5,main]
      Init WindowsDesktopSSO. This should not happen often.
      02/23/2007 12:27:22:457 PM PKT: Thread[service-j2ee,5,main]
      New Service Login ...
      02/23/2007 12:27:22:459 PM PKT: Thread[service-j2ee,5,main]
      default provider: SunPKCS11-__SUN_SJSAS_internal, sun provider: SUN
      02/23/2007 12:27:22:460 PM PKT: Thread[service-j2ee,5,main]
      Current providers =      SUN
           SunPKCS11-__SUN_SJSAS_internal
           SunPKCS11-Solaris
           SunRsaSign
           SunJSSE
           SunJCE
           SunJGSS
           SunSASL
           Mozilla-JSS

      02/24/2007 12:27:22:483 PM PKT: Thread[service-j2ee,5,main]
      ERROR: Service Login Error:
      02/24/2007 12:27:22:484 PM PKT: Thread[service-j2ee,5,main]
      Stack trace:
      javax.security.auth.login.LoginException: Unable to obtain password from user

           at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:745)
           at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:624)
           at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:512)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
           at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
           at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
           at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
           at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.serviceLogin(WindowsDesktopSSO.java:493)
           at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.initWindowsDesktopSSOAuth(WindowsDesktopSSO.java:419)
           at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process(WindowsDesktopSSO.java:129)
           at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
           at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:877)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at com.sun.identity.authentication.jaas.LoginContext.invoke(LoginContext.java:215)
           at com.sun.identity.authentication.jaas.LoginContext.login(LoginContext.java:132)
           at com.sun.identity.authentication.service.AMLoginContext.runLogin(AMLoginContext.java:366)
           at com.sun.identity.authentication.server.AuthContextLocal.submitRequirements(AuthContextLocal.java:472)
           at com.sun.identity.authentication.UI.LoginViewBean.processLoginDisplay(LoginViewBean.java:1101)
           at com.sun.identity.authentication.UI.LoginViewBean.processHttpCallback(LoginViewBean.java:895)
           at com.sun.identity.authentication.UI.LoginViewBean.getLoginDisplay(LoginViewBean.java:782)
           at com.sun.identity.authentication.UI.LoginViewBean.processLogin(LoginViewBean.java:687)
           at com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:408)
           at com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
           at com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
           at com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:747)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
           at sun.reflect.GeneratedMethodAccessor135.invoke(Unknown Source)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:585)
           at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
           at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
           at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:257)
           at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
           at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
           at java.security.AccessController.doPrivileged(Native Method)
           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
           at com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
           at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
           at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
           at java.security.AccessController.doPrivileged(Native Method)
           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
           at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
           at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
           at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
           at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
           at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
           at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
           at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:933)
           at com.sun.enterprise.web.connector.httpservice.HttpServiceProcessor.process(HttpServiceProcessor.java:226)
           at com.sun.enterprise.web.HttpServiceWebContainer.service(HttpServiceWebContainer.java:2071)

This is all. Now, can someone be so kind as to help me correct any problems that I may have?

I also have a few more questions:

1 - Why do we create two keytab files? What is the use of each?
2 - Should I create authentication chaining templates in amconsole?
3 - Should I also create a krb5.conf file? One forum said that I don't need it if I am only using IE on Windows.


      Awaiting response.
      regards
        • 1. Re: Windows Desktop SSO, Please verify the configuration
          807573
          I believe someone who has done Windows Desktop SSO. I was also trying to achieve it but could not find a single documentation that describes all the facts. The details should be provided to be used for others in the future.
          regards
          Kimi
          • 2. Re: Windows Desktop SSO, Please verify the configuration
            807573
            when you run the ktpass command on a Windows 2003 system, it will use the RC4-HMAC encryption method by default. On Windows 2000, it will default to DES-CBC-MD5. I have configured SPNEGO to work with IBM's Tivoli Access Manager and run into issues with keytabs generated on Windows 2003 where the crypto switch was not used to specify the encryption type. If I remember right, there are basically two types of encryption supported by Tivoli Access Manager, and they're both pretty basic.

            I suggest you delete the keytab file and try re-running your ktpass commands and make the following modifications to what you typed in Step 2:

            ktpass -princ host/am.testdomain.com@TESTDOMAIN.COM -pass 123 -crypto DES-CBC-MD5 -mapuser userName -out am.host.keytab -mapOp set

            ktpass -princ HTTP/am.testdomain.com@TESTDOMAIN.COM -pass 123 -crypto DES-CBC-MD5 -mapuser userName -out am.HTTP.keytab -mapOp set

            You should be able to use kinit with the '-k' and '-t' flags to verify that it is connecting to KDC and getting a ticket as expected:

            kinit -k -t am.HTTP.keytab HTTP/am.testdomain.com@TESTDOMAIN.COM

            Also, you can view the encryption type with the klist command:

            klist -k -t am.HTTP.keytab -e

            If you do this on your current key, you will see ArcFour with HMAC/MD5. Most likely this is the problem since it may not be supported on the UNIX system by default. You may want to completely remove the user accounts you created in AD and start the whole process over, replacing your own ktpass commands with the ones above. Let me know if this helps you any. I know your frustration; there isn't one good source of information for configuring this stuff. It sure would be nice if there were.

            Good luck,
            PaulMan2
            • 3. Re: Windows Desktop SSO, Please verify the configuration
              807573
              Hi Paul,
I have a similar problem. I thought you could help me with this.
It always complains:
              ===
              I am trying to configure and test Desktopsso.

I have Win2003 with AD and the DC configured on the same machine. I have Sun Access Manager 7.1 on the same machine.
I installed all the Windows Support Tools and the other necessary tools.

I have followed these steps:


              1. Create user in AD with name user1
              2.
              ktpass /pass Password /mapuser user1 /princ HTTP/sso.ssoserver.com@SSO.SSOSERVER.COM /ptype KRB5_NT_PRINCIPAL +Desonly /Target SSO.SSOSERVER.COM
              3.
              ktpass /out c:\user1.HTTP.keytab /mapuser demouser /princ HTTP/sso.ssoserver.com@SSO.SSOSERVER.COM /ptype KRB5_NT_PRINCIPAL +Desonly /Target SSO.SSOSERVER.COM
4. Configured my browser by adding the site address.
5. Restarted the Windows server.
6. Configured the authentication module to the DesktopSSO module and gave the keytab file path as below:

              Service Principal: HTTP/sso.ssoserver.com@sso.ssoserver.com
              Keytab File Name: C:\IDENTITY\CONFIG\user1.HTTP.keytab
              Kerberos Realm: SSO.SSOSERVER.COM
              Kerberos Server Name: SSO.SSOSERVER.COM
              Return Principal with Domain Name: false
              Authentication Level: 0

7. When I hit
              http://sso.ssoserver.com/amserver/UI/Login?module=WinSSO
it gives me an "authentication failed" error.

When I check my windesktopsso log file, it shows me "service login error".

Anyone, please help me with this. I have been breaking my head over it for 3 days.
              • 4. Re: Windows Desktop SSO, Please verify the configuration
                807573
                Hi Singh,
Can you please help me with this DesktopSSO?
                • 5. Re: Windows Desktop SSO, Please verify the configuration
                  807573
                  Hello,

I had a similar problem, where OpenSSO was unable to get the user password.

The steps mentioned in the document for configuring Windows Desktop SSO assume that RC4-HMAC is enabled on the machine where OpenSSO is deployed. In Win2003 this is the default, and all passwords will be encrypted using this algorithm.

But in UNIX-based OSes the default is DES.

This leads to the following configuration steps:

For OpenSSO deployed on Windows 2003:

                  Use the steps mentioned in the document. This would work.

For OpenSSO deployed on Solaris:

One must either enable Solaris to use RC4-HMAC, or

generate the keytab files with DES encryption. After generating the keytab, go to the user account in AD and enable "Use DES encryption types for this account" on the Account tab. Restart OpenSSO. It worked for me.

                  Hope this helps someone.

                  Thanks
                  M
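Replies 2 and 5 both come down to the same two checks that klist -k -t -e performs: does the keytab actually contain the principal that the WindowsDesktopSSO module is configured with, and is that key's encryption type one the server-side Kerberos stack will use. The Krb5LoginModule message "Unable to obtain password from user" is what you get when useKeyTab is set but no matching key is found, so the module falls back to prompting. The following is an added example written for this thread, not code from Access Manager, OpenSSO or any of the posters: an offline parser for the MIT 0x0502 keytab format that ktpass writes, plus a check that reports those two mismatches. The sample keytab bytes are constructed here to mirror the first ktpass output quoted in the original post (host/am.testdomain.com, ptype 0, kvno 10, etype 0x17, and the key hex printed there); the default allow-list of DES enctypes is an assumption following the advice in replies 2 and 5, not something the thread verifies.

```python
"""Parse an MIT-format (0x0502) keytab and check it against the configured SPN.
Added example for this thread; not Access Manager/OpenSSO code."""
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}  # klist shows 23 as "ArcFour with HMAC/MD5"
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}


def _counted(buf, off):
    """Read a big-endian uint16 length-prefixed octet string at `off`."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return entries {principal, name_type, kvno, enctype, key, timestamp}.
    Only version 0x0502 is handled (0x0501 uses host byte order and counts
    the realm as a component, so it is rejected rather than misread)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # negative size marks a deleted slot of |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key, off = data[off:off + keylen], off + keylen
        kvno = vno8
        if end - off >= 4:      # optional 32-bit kvno, used when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": NAME_TYPES.get(name_type, str(name_type)),
                        "kvno": kvno, "timestamp": ts, "key": key.hex(),
                        "enctype": ENCTYPE_NAMES.get(enctype, "etype %d" % enctype)})
    return entries


def check_keytab(data, service_principal, allowed_enctypes=("des-cbc-md5", "des-cbc-crc")):
    """Report why Krb5LoginModule would fall back to prompting for a password:
    the SPN is not in the file at all, or its key is an enctype that is not on
    the allow-list (assumed here to be the DES types, per replies 2 and 5)."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e["principal"] == service_principal]
    problems = []
    if not matching:
        problems.append("principal %s not in keytab; file holds: %s" % (
            service_principal, sorted({e["principal"] for e in entries})))
    for e in matching:
        if e["enctype"] not in allowed_enctypes:
            problems.append("%s key is %s; regenerate with ktpass -crypto DES-CBC-MD5 "
                            "or permit that enctype on the server" % (e["principal"], e["enctype"]))
    return {"entries": entries, "matching": matching, "problems": problems}


def _entry(principal, name_type, kvno, enctype, key_hex):
    """Encode one 0x0502 entry; used only to build the constructed sample below."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:               # realm first, then the name components
        body += struct.pack(">H", len(s)) + s.encode()
    key = bytes.fromhex(key_hex)
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample mirroring the first ktpass output in the thread (not a real file).
SAMPLE_KEYTAB = b"\x05\x02" + _entry("host/am.testdomain.com@TESTDOMAIN.COM", 0, 10, 0x17,
                                     "3dbde697d71690a769204beb12283678")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    spn = sys.argv[2] if len(sys.argv) > 2 else "HTTP/am.testdomain.com@TESTDOMAIN.COM"
    report = check_keytab(data, spn)
    for e in report["entries"]:
        print("%(principal)s kvno=%(kvno)d %(enctype)s %(name_type)s" % e)
    for p in report["problems"]:
        print("PROBLEM:", p)
```

Run it as `python keytab_check.py /tmp/am.HTTP.keytab HTTP/am.testdomain.com@TESTDOMAIN.COM` (path and SPN taken from the original post's configuration). Against the constructed sample it reports that the file holds only host/am.testdomain.com, which matches what the second ktpass run in the original post printed despite being asked for HTTP/, and that the key is rc4-hmac rather than DES. Pass `allowed_enctypes=("rc4-hmac",)` when the server has been configured to accept RC4-HMAC, as reply 5's first option describes.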