SSO with AD Kerberos

Former Member
0 Kudos

When using SSO with AD Kerberos, I am getting the following:

HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 2, Principal "HTTP/abc @ DOMAIN.NET" using key: Principal: HTTP/abc.domain.net @ DOMAIN.NETType: 1 TimeStamp: Wed Dec 31 16:00:00 PST 1969 KVNO: -1 Key: [23, ae 64 b5 13 e6 d3 e7 d0 6d b5 67 67 32 fa 72 c4 ] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?] )

Everything including the keytab file seems fine. Any suggestions?

Accepted Solutions (1)

BasicTek
Advisor
0 Kudos

Yep.

Run setspn -L on the Vintela service account.

I'm betting there will be 1 HTTP SPN:

HTTP/abc.domain.net

If so, run:

setspn -a HTTP/abc vintela service account

The resultant setspn -L should reveal both HTTP/hostname and HTTP/FQDN, which should represent both options in the URL (http://hostname:8080 and http://FQDN:8080).

Also, if it takes time to get an SPN added, try using the FQDN in the browser. Note that if you use a URL with a period (such as any FQDN), it must be added to the Local intranet sites to do SSO.

Regards,

Tim
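The two checks Tim describes, as an added Python example that is not part of this thread or of the Vintela/SAP product: it pulls the ticket principal, the keytab principal and both KVNOs out of the "Could not decrypt service ticket" message from the question so the mismatch is visible side by side, and it compares setspn -L output against the URLs users actually type to list the HTTP/<host> SPNs that are still missing. The service account name svc_vintela and the setspn -L output are constructed for the example; the error text is an abridged copy of the one in the question.

```python
"""Hypothetical diagnostic helper for the HTTP SPN / keytab mismatch
discussed in this thread. Not the product's own code; sample input
below is constructed for the example."""
import re
from urllib.parse import urlsplit

# Abridged copy of the error text from the question (constructed sample).
SAMPLE_ERROR = (
    'Could not decrypt service ticket with Key type 23, KVNO 2, '
    'Principal "HTTP/abc @ DOMAIN.NET" using key: '
    'Principal: HTTP/abc.domain.net @ DOMAIN.NETType: 1 '
    'TimeStamp: Wed Dec 31 16:00:00 PST 1969 KVNO: -1 '
    'Key: [23, ae 64 b5 13 e6 d3 e7 d0 6d b5 67 67 32 fa 72 c4 ]'
)

# Constructed `setspn -L svc_vintela` output: only the FQDN SPN exists.
SAMPLE_SETSPN_OUTPUT = (
    "Registered ServicePrincipalNames for "
    "CN=svc_vintela,OU=Service Accounts,DC=domain,DC=net:\n"
    "\tHTTP/abc.domain.net\n"
    "\tHOST/unrelated.domain.net\n"
)

# Ticket side: 'Key type 23, KVNO 2, Principal "HTTP/abc @ DOMAIN.NET"'
_TICKET_RE = re.compile(
    r'Key type (?P<etype>\d+), KVNO (?P<kvno>-?\d+), '
    r'Principal "(?P<princ>[^"]+)"')
# Keytab side: the realm is fused with "Type:" in the message, so the
# realm is matched lazily up to the literal "Type:".
_KEY_RE = re.compile(
    r'using key: Principal: (?P<princ>\S+ @ \S+?)Type: .*?'
    r'KVNO: (?P<kvno>-?\d+)')


def _normalize(principal: str) -> str:
    # "HTTP/abc @ DOMAIN.NET" -> "http/abc@domain.net"; AD matches SPNs
    # case-insensitively, so compare in lower case.
    return re.sub(r'\s*@\s*', '@', principal.strip()).lower()


def parse_kerberos_decrypt_error(message: str) -> dict:
    """Extract both principals and KVNOs from the decrypt failure."""
    ticket = _TICKET_RE.search(message)
    key = _KEY_RE.search(message)
    if not ticket or not key:
        raise ValueError("not a 'Could not decrypt service ticket' message")
    ticket_princ = _normalize(ticket['princ'])
    key_princ = _normalize(key['princ'])
    return {
        'ticket_principal': ticket_princ,     # what the browser asked the KDC for
        'keytab_principal': key_princ,        # what the keytab actually holds
        'ticket_kvno': int(ticket['kvno']),
        'keytab_kvno': int(key['kvno']),      # -1 means wildcard match
        'principal_mismatch': ticket_princ != key_princ,
        'kvno_wildcard': int(key['kvno']) == -1,
    }


def registered_spns(setspn_output: str) -> set:
    """setspn -L prints a header line, then one indented SPN per line."""
    return {line.strip().lower() for line in setspn_output.splitlines()
            if line.startswith(('\t', ' ')) and line.strip()}


def missing_http_spns(setspn_output: str, urls) -> list:
    """HTTP/<host> SPNs needed for the given URLs but not yet registered.

    The browser requests HTTP/<host as typed>; the port is not part of
    the SPN, which is why both HTTP/abc and HTTP/abc.domain.net are
    needed for http://abc:8080 and http://abc.domain.net:8080.
    """
    have = registered_spns(setspn_output)
    needed = []
    for url in urls:
        host = urlsplit(url).hostname
        if host is None:
            raise ValueError(f"no host in URL: {url!r}")
        spn = f'HTTP/{host}'
        if spn.lower() not in have and spn not in needed:
            needed.append(spn)
    return needed


if __name__ == '__main__':
    info = parse_kerberos_decrypt_error(SAMPLE_ERROR)
    print(f"ticket : {info['ticket_principal']} (KVNO {info['ticket_kvno']})")
    print(f"keytab : {info['keytab_principal']} (KVNO {info['keytab_kvno']})")
    print("principal mismatch:", info['principal_mismatch'])
    urls = ['http://abc:8080/InfoViewLogin',
            'http://abc.domain.net:8080/InfoViewApp']
    print("SPNs to add:", missing_http_spns(SAMPLE_SETSPN_OUTPUT, urls))
```

Run against the sample, the first check shows the ticket was issued for http/abc@domain.net while the keytab key belongs to http/abc.domain.net@domain.net, and the second check reports that HTTP/abc is the one SPN still to be added, which is the setspn -a step above.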

Former Member
0 Kudos

Tim, when I put http://abc.domain.net:8080/infoViewApp I get a Windows login dialog box. When I use http://abc:8080/InfoViewLogin I get the error listed above.

BasicTek
Advisor
0 Kudos

"Tim, when I put http://abc.domain.net:8080/infoViewApp I get a Windows login dialog box"

This would be because you didn't add the site to your browser's Local intranet sites. Are you using Firefox or IE? Do you know how to do this?

-Tim

Former Member
0 Kudos

I am using IE on Win2003. I will give it a shot. Does that mean everyone will have to add this to the trusted zone before they can access it?

BasicTek
Advisor
0 Kudos

No, the real fix is likely to add the 2nd SPN from my 1st response. The quick fix should be to hit the FQDN and add it to the Local intranet sites.

-Tim

Former Member
0 Kudos

That worked! Awesome!!

Thanks.
