We need your help to troubleshoot one issue which we are getting from many users after implementing PeopleSoft Kerberos SSO against AD. This issue is specific to Windows 7 PCs and to cases where the Kerberos token is not available.
Some facts which we know:
Kerberos will fail for users who are not logged in to the system using the AD domain (as the Kerberos token will be invalid).
These users are not on the AD domain, so SSO will fail, which is understandable. But we have designed our solution in such a way that when SSO fails, it will trigger a login screen to PeopleSoft. The user can provide his credentials (userid/AD password) manually and LDAP directory authentication will be triggered using the AD servers.
Note - Our website is SSL enabled (HTTPS).
On Windows 7, when a person who is outside the AD domain tries to connect, SSO fails (as token not found) -> PeopleSoft login screen comes up in HTTPS -> user connects using AD userid and password -> PeopleSoft login screen gets refreshed and nothing happens.
Surprisingly, the same works on Google Chrome, or if I change the URL to HTTP.
We have set secure connection "True" in web.xml for the Kerberos settings.
Below is the Fiddler trace when we click the "sign in" button, on a non-AD domain.
POST /psp/PIMSTEST/?cmd=login&languageCd=ENG HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729)
Accept-Encoding: gzip, deflate
Cookie: ggnptestap1-80-PORTAL-PSJSESSIONID=KbhXRpGQ52hLJtWbbK0DJ1XGDbSJ9Wn2!386905482; SignOnDefault=
Authorization: Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
HTTP/1.1 200 OK
Date: Thu, 11 Jul 2013 10:19:09 GMT
Content-Type: text/html; CHARSET=utf-8
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Set-Cookie: ggnptestap1-80-PORTAL-PSJSESSIONID=HBT3RpGdCX1q8W51ZxTz8hpQ2bCpMFKh!386905482; path=/; HttpOnly
Set-Cookie: PS_TOKEN=; domain=; expires=Thu, 01-Jan-1970 01:00:00 GMT; path=/
X-Powered-By: Servlet/2.5 JSP/2.1
Thanks for the help.
Sounds like a challenging problem. What tools release? Can you detail more about what method you're using for Kerberos? LDAP lookup code is LDAP lookup code (I'm assuming you're using the delivered signon PeopleCode for that). I would expect it to either work or not work, so I'm more inclined to think the problem is with IE, especially with your other comments. What version of IE is it? Are there any entries in the APPSRV log indicating that login is successful or not at the time? Failures would be logged by default, I would expect. The lack of an indication may mean something.
We are on PT 8.51. We use delivered code in Sign-on PeopleCode. IE is 8. But the same IE 8 works with WIN XP. The issue is with WIN 7 only...
The app server does not show any connection when we have this failed login (manual AD authentication).
Looks like HTTP header values are not passed as they would be in WIN 7 + token is not there..
The webserver itself kills the session...
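For anyone reading a similar trace: the `Authorization: Negotiate` value in the Fiddler capture in the first post can be decoded to see which mechanism the browser actually sent. The following is an added example, not code from this thread or from PeopleSoft; the function name is hypothetical, the OID substring search is a heuristic, and the SPNEGO sample in the usage is constructed.

```python
import base64
import struct

# Authorization header value copied from the Fiddler trace in the first post.
TRACE_HEADER = "Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

# DER-encoded mechanism OIDs as they appear inside a SPNEGO token.
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLM_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_NEGOTIATE_VERSION = 0x02000000


def classify_negotiate(header_value):
    """Classify the token of an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        raise ValueError("not a Negotiate header carrying a token")
    token = base64.b64decode(b64.strip(), validate=True)

    # Raw NTLMSSP message placed directly in the Negotiate header.
    if token.startswith(b"NTLMSSP\x00") and len(token) >= 12:
        (msg_type,) = struct.unpack_from("<I", token, 8)
        info = {"mechanism": "NTLM", "message_type": msg_type}
        # Only the type 1 (negotiate) layout is parsed further here.
        if msg_type == 1 and len(token) >= 16:
            (flags,) = struct.unpack_from("<I", token, 12)
            if flags & NTLMSSP_NEGOTIATE_VERSION and len(token) >= 40:
                major, minor, build = struct.unpack_from("<BBH", token, 32)
                info["client_version"] = (major, minor, build)
        return info

    # GSS-API initial token (0x60) or SPNEGO negTokenResp (0xa1).
    if token[:1] in (b"\x60", b"\xa1"):
        offered = [name for name, oid in (("Kerberos", KRB5_OID), ("NTLM", NTLM_OID))
                   if oid in token]
        return {"mechanism": "SPNEGO", "offered": offered}

    return {"mechanism": "unknown"}


if __name__ == "__main__":
    print(classify_negotiate(TRACE_HEADER))
    # Constructed sample: GSS-API tag followed by the Kerberos OID.
    sample = base64.b64encode(b"\x60\x0b" + KRB5_OID).decode()
    print(classify_negotiate("Negotiate " + sample))
```

A result of NTLM with message type 1 means the browser answered the Negotiate challenge with an NTLM negotiate message rather than a Kerberos ticket.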