on 10-17-2008 1:49 AM
I am getting this when using SSO with AD Kerberos:
HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 2, Principal "HTTP/abc @ DOMAIN.NET" using key: Principal: HTTP/abc.domain.net @ DOMAIN.NETType: 1 TimeStamp: Wed Dec 31 16:00:00 PST 1969 KVNO: -1 Key: [23, ae 64 b5 13 e6 d3 e7 d0 6d b5 67 67 32 fa 72 c4 ] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?] )
Everything including the keytab file seems fine. Any suggestions?
yep
run setspn -L on the vintela service account
I'm betting there will be 1 HTTP SPN
HTTP/abc.domain.net
if so run
setspn -a HTTP/abc vintela service account
the resultant setspn -L should reveal both HTTP/hostname and HTTP/FQDN, which should represent both options in the URL (http://hostname:8080 and http://FQDN:8080)
Also, if it takes time to get an SPN added, try using the FQDN in the browser. Note that if using a URL with a period . (such as any FQDN) then it must be added to the local intranet sites to do SSO.
Regards,
Tim
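The check Tim describes (run `setspn -L` on the service account and confirm both the short-hostname and FQDN HTTP SPNs are registered) can be scripted so it is repeatable after a password change or a re-registration. The following is an added example, not code from the thread or from the Vintela product; the `setspn -L` output it parses is a constructed sample, and the account name `svc-vintela` and the hostnames `abc` / `abc.domain.net` are placeholders taken from the thread, not real hosts.

```python
"""
Added example: parse the output of `setspn -L <account>` and report which of
the HTTP SPNs needed for the two URL forms (http://hostname and http://FQDN)
are missing, together with the `setspn -a` command that would register each.
"""

# Constructed sample of what `setspn -L svc-vintela` prints on Windows.
# Only the FQDN SPN is registered, which matches the symptom in the thread:
# the FQDN URL works, the short-hostname URL fails ticket decryption.
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=svc-vintela,OU=Service Accounts,DC=domain,DC=net:
        HTTP/abc.domain.net
        HTTP/abc.domain.net:8080
"""


def parse_setspn_output(text):
    """Return the SPNs listed by `setspn -L`, skipping the header line."""
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue
        spns.append(line)
    return spns


def _without_port(spn):
    """'HTTP/abc.domain.net:8080' -> 'HTTP/abc.domain.net'."""
    return spn.split(":", 1)[0]


def missing_http_spns(spns, hostname, fqdn):
    """
    Return the sorted list of required HTTP SPNs that are not registered.
    Comparison is case-insensitive because AD treats the service class and
    host part of an SPN as case-insensitive, and port suffixes are ignored
    since HTTP/host and HTTP/host:port both need the un-ported form present.
    """
    wanted = {f"HTTP/{hostname}", f"HTTP/{fqdn}"}
    present = {_without_port(s).lower() for s in spns if s.upper().startswith("HTTP/")}
    return sorted(w for w in wanted if w.lower() not in present)


def suggested_commands(account, missing):
    """Build the `setspn -a` commands Tim recommends for each missing SPN."""
    return [f"setspn -a {spn} {account}" for spn in missing]


if __name__ == "__main__":
    registered = parse_setspn_output(SAMPLE_SETSPN_OUTPUT)
    print("Registered:", registered)
    gaps = missing_http_spns(registered, "abc", "abc.domain.net")
    if gaps:
        print("Missing HTTP SPNs:", gaps)
        for cmd in suggested_commands("svc-vintela", gaps):
            print("  run:", cmd)
    else:
        print("Both HTTP/hostname and HTTP/FQDN are registered.")
```

On a real system, pipe the output of `setspn -L <account>` into `parse_setspn_output` instead of the constructed sample; the rest of the logic is unchanged.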
Tim, when I put http://abc.domain.net:8080/infoViewApp I get a Windows login dialog box. When I use http://abc:8080/InfoViewLogin I get the error listed above.