2 Replies Latest reply: Jul 13, 2013 12:02 AM by user121220

Manual AD Directory Authentication fails after Kerberos Implementation

user121220 Newbie

Hello

 

We need your help to troubleshoot 1 issue which we are getting from many users after implementing PeopleSoft Kerberos SSO against AD. This issue is specific to Windows 7 PC and where Kerberos Token is not available.

 

Some facts which we know :

Kerberos will fail for users who are not logged in to the system using the AD domain (as the Kerberos token will be invalid).

 

These users are not on the AD domain, so SSO will fail, which is understandable. But we have designed our solution in such a way that when SSO fails, it will trigger a login screen to PeopleSoft. The user can provide his credentials (userid/AD password) manually, and LDAP directory authentication will be triggered using the AD servers.

 

Note - Our Website is SSL enabled (HTTPS)

 

On Windows 7, when a person who is outside the AD domain tries to connect, SSO fails (as token not found) -> PeopleSoft login screen comes up in HTTPS -> user connects using AD userid and password -> PeopleSoft login screen gets refreshed and nothing happens.

 

Surprisingly, the same works on Google Chrome or if I change the URL to HTTP.

 

We have set secure connection "True" in web.xml for Kerberos settings.

 

Below is the Fiddler trace when we click the "signin" button, on a non-AD domain.

 

===============================================================

Request Header
POST /psp/PIMSTEST/?cmd=login&languageCd=ENG HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Referer: https://pimstest.equant.com/psp/PIMSTEST/?cmd=start&languageCd=ENG&cmd=login&errorCode=105
Accept-Language: en-US,fr-FR;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: pimstest.equant.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ggnptestap1-80-PORTAL-PSJSESSIONID=KbhXRpGQ52hLJtWbbK0DJ1XGDbSJ9Wn2!386905482; SignOnDefault=
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

Response Header
HTTP/1.1 200 OK
Cache-Control: no-cache
Connection: close
Date: Thu, 11 Jul 2013 10:19:09 GMT
Content-Length: 13010
Content-Type: text/html; CHARSET=utf-8
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: ggnptestap1-80-PORTAL-PSJSESSIONID=HBT3RpGdCX1q8W51ZxTz8hpQ2bCpMFKh!386905482; path=/; HttpOnly
Set-Cookie: PS_TOKEN=; domain=; expires=Thu, 01-Jan-1970 01:00:00 GMT; path=/
RespondingWithSignonPage: true
X-Powered-By: Servlet/2.5 JSP/2.1

 

=====================================================

 

Thanks for Help

 

Rajat
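
Added example, not part of the original thread or of PeopleSoft's code: a small Python check of the `Authorization: Negotiate` value in the Fiddler trace above, showing whether the client sent a Kerberos/SPNEGO token or a raw NTLM message. The function name, the result keys and the OID-scan heuristic are assumptions made for this illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NTLM_MESSAGES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000  # flag: an 8-byte version field is present
# DER-encoded mechanism OIDs found near the start of a GSS-API token.
OID_SPNEGO = bytes.fromhex("06062b0601050502")         # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")     # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")  # 1.2.840.48018.1.2.2

# Token from the trace's Authorization header, split into 8-character groups.
TRACE_TOKEN = ("TlRMTVNT" "UAABAAAA" "l4II4gAA" "AAAAAAAA"
               "AAAAAAAA" "AAAGAbEd" "AAAADw==")


def classify_negotiate(value):
    """Report what a client sent in an 'Authorization: Negotiate <b64>' value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        raise ValueError("not a Negotiate authorization value")
    raw = base64.b64decode(token.strip(), validate=True)

    # Raw NTLM message: the client has no Kerberos ticket for this service.
    if raw.startswith(NTLMSSP_SIG) and len(raw) >= 16:
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        result = {"mechanism": "NTLM", "kerberos": False,
                  "message": NTLM_MESSAGES.get(msg_type, "unknown")}
        # In a type 1 message the flags sit at offset 12, the version at 32.
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            result["client_version"] = f"{major}.{minor}.{build}"
        return result

    # GSS-API InitialContextToken (tag 0x60): scan the head for mechanism OIDs.
    # Heuristic (assumption): a Kerberos OID here means Kerberos is offered.
    if raw[:1] == b"\x60":
        head = raw[:64]
        return {"mechanism": "SPNEGO" if OID_SPNEGO in head else "GSS-API",
                "kerberos": OID_KRB5 in head or OID_MS_KRB5 in head}

    return {"mechanism": "unknown", "kerberos": False}


if __name__ == "__main__":
    print(classify_negotiate("Negotiate " + TRACE_TOKEN))
```

For the token in the trace this reports an NTLM NEGOTIATE (type 1) message from a client at version 6.1.7601, not a Kerberos ticket.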

  • 1. Re: Manual AD Directory Authentication fails after Kerberos Implementation
    RCC Journeyer

    Sounds like a challenging problem.  What tools release? Can you detail what method you're using for Kerberos more? LDAP lookup code is LDAP lookup code (I'm assuming you're using the delivered signon PeopleCode for that).  I would expect it to either work or not work, so I'm more inclined to think the problem is with IE, especially with your other comments.  What version of IE is it?  Are there any entries in the APPSRV log indicating that login is successful or not at the time?  Failures would be logged by default, I would expect.  The lack of an indication may mean something.

  • 2. Re: Manual AD Directory Authentication fails after Kerberos Implementation
    user121220 Newbie

    Hi

     

    We are on PT 8.51. We use delivered code in Sign-on peoplecode.  IE is 8. But same IE 8 works with WIN XP. Issue is with WIN 7 only...

     

    App server does not show any connection when we have this failed login ( manual AD Authentication).

     

    Looks like HTTP header values are not passed as they would be in WIN 7 + token is not there..

     

    Webserver itself kills the session...

     

    Thanks,
