Layer7 Access Management


SSO with Kerberos Authentication Errors

  • 1.  SSO with Kerberos Authentication Errors

    Posted 10-13-2017 02:50 PM

    We have a project where we are struggling to get Kerberos working with:

    - SSO Policy Server 12.6

    - SPS 12.52 SP1 on Solaris 10

    Any recommendations would be appreciated. We are considering upgrading SPS to 12.6. #kerberos



  • 2.  Re: SSO with Kerberos Authentication Errors

    Posted 10-13-2017 05:59 PM

    What is the OS and version of the policy server?  Can you be more specific about the kinds of problems you're having?



  • 3.  Re: SSO with Kerberos Authentication Errors

    Posted 10-13-2017 06:11 PM

    Hi, thanks for the response.

     

    Case #00863241 has the details if you have time and wouldn't mind.

    We have SPS 12.52 SP1 32-bit on Solaris 10, Directory Server 12.6 on Windows 2012 R2, and SSO itself on Windows R2 (12.6). I have heard conflicting things as to whether SPS 12.52 is a problem with Policy Server 12.6?

     

    Thanks heaps!

     



  • 4.  Re: SSO with Kerberos Authentication Errors

    Posted 10-13-2017 06:48 PM

    Wes

     

    Are we sure 00863241 is the correct case number?

     

    Anyways, R1252 AG should work with R12.6 Policy Server. It is a supported configuration. All features available in R1252 should work. All features applicable to R12.6 may not work unless AG is upgraded to R12.6. Having said that, Kerberos support for CA AG was introduced in 12.52 SP1 CRs. I need to see the release notes to identify which CR on R12.52 SP1 this was introduced in.

     

    What is the exact version of CA AG R12.52 SP1, right down to the CR level? Could we have that detail.



  • 5.  Re: SSO with Kerberos Authentication Errors

    Posted 10-14-2017 01:10 PM

    Mukund

     

    Can you please provide details on the Kerberos errors we are seeing?

     

    Richard also believes we do have a supported environment with SPS 12.52…

     

    Thanks.

     

    Wes Kozak

    CA Services

    Senior Project Manager

    Mobile:  +1-604-657-9273

    <http://www.ca.com/>



  • 6.  Re: SSO with Kerberos Authentication Errors

    Posted 10-14-2017 02:01 PM

    Support case number - 00855771


    [10/02/2017][12:19:51.799][12:19:51][6796][2996][SmAuthServer.cpp:377][][][][][][][][][][][][][][][][][][][][][][LogMessage:ERROR:[sm-Server-02960] Failed to initialize authentication scheme 'Kerberos Auth'] 


    [10/02/2017][12:19:51.799][12:19:51][6796][2996][SmAuthUser.cpp:4085][CSmAuthUser::AuthenticateUserDir][][][][Service_SM_**d@ADP1.****.PTE][][][][][][][][][false][][][][][][][][Cannot init Auth scheme. leave function.] 



  • 7.  Re: SSO with Kerberos Authentication Errors

    Posted 10-14-2017 02:24 PM

    Thanks

     

    Wes Kozak

    CA Services

    Senior Project Manager

    Mobile 604-657-9273



  • 8.  Re: SSO with Kerberos Authentication Errors
    Best Answer

    Posted 10-15-2017 03:16 PM

    There are a ton of things that could go wrong with regard to Kerberos that are outside CA SSO.

    I am hoping the following have been checked (this applies to both SPS and the Policy Server).

    • The KRB5_CONFIG environment variable is set correctly for the user running SPS. For the Windows Policy Server refer here: How to setup SiteMinder Kerberos Authentication - Part 1
    • krb5.conf has been configured correctly with the necessary parameters.
    • KVNO numbers in your keytab files match the KVNO in the KDC.
    • Kerberos is very case sensitive. Make sure your hostnames / FQDNs match correctly everywhere (KDC, keytabs, SPNs).
    • Encryption algorithms match (what is defined in krb5.conf, what the KDC is using, and what was used when generating the keytab files; this can be seen using a Wireshark trace).

     

    Having said the above, can we check the authentication scheme and the ACO parameters, which are in scope of CA SSO?

     

    ACO Parameters

     

    Principal Name defined within the Authentication Scheme. The format is "serviceaccountname/FQDN@DOMAIN.COM".

     

     

    References: I would use these as starting reference points and then build on these into the variants we have to work with.

     

    For the Windows Policy Server: How to setup SiteMinder Kerberos Authentication - Part 1

     

    For the Linux Apache WebAgent: Kerberos Authentication with CA SSO Using Linux Policy Server; should be mostly the same for SPS / Solaris as well.
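    Added example, not from this thread or from the CA product: a small Python parser for MIT-format keytab files that reports each entry's principal, KVNO and enctype and compares them with what the KDC reports, so the KVNO, case and enctype points in the checklist above can be checked mechanically instead of by eye. The principals, KVNOs, keys and the "KDC view" are constructed sample data; against a real host you would read the keytab file and fill the KDC view from the kvno tool or the AD account's key version number.

```python
import struct

def _octets(buf, pos):  # counted_octet_string: uint16 big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n
def parse_keytab(data):  # returns [{principal, kvno, enctype}] for each live entry
    assert data[:2] == b"\x05\x02", "only MIT keytab format 0x0502 is supported"
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size <= 0:  # a negative size marks a deleted (hole) entry: skip over it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _octets(data, p)
            comps.append(comp.decode())
        # 8 bytes of uint32 name_type + uint32 timestamp are skipped, then vno8 and enctype
        vno, (enctype,) = data[p + 8], struct.unpack_from(">H", data, p + 9)
        _key, p = _octets(data, p + 11)
        vno = (struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0) or vno  # optional 32-bit vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno, "enctype": enctype})
        pos = end
    return entries
def build_keytab(entries):  # constructed test data only: (principal, kvno, enctype, key) tuples
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        parts = [realm.encode()] + [c.encode() for c in name.split("/")]
        body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(x)) + x for x in parts)
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + struct.pack(">H", len(key)) + key
        out += struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)
    return bytes(out)
def check_keytab(data, kdc_view):  # kdc_view: {principal: (kvno, enctype)} as the KDC reports them
    by_lower, findings = {p.lower(): p for p in kdc_view}, []
    for e in parse_keytab(data):
        p = e["principal"]
        if p not in kdc_view:  # Kerberos names are case sensitive: flag near-misses explicitly
            hint = by_lower.get(p.lower())
            findings.append(f"{p}: " + (f"case differs from KDC principal {hint}" if hint else "unknown to KDC"))
        elif (e["kvno"], e["enctype"]) != kdc_view[p]:
            findings.append(f"{p}: keytab has KVNO/enctype {e['kvno']}/{e['enctype']}, KDC has {kdc_view[p]}")
    return findings
SAMPLE_KEYTAB = build_keytab([("HTTP/sps.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32),  # constructed: current
                              ("HTTP/sps.example.com@EXAMPLE.COM", 2, 18, b"\x22" * 32),  # constructed: stale KVNO
                              ("HTTP/SPS.example.com@EXAMPLE.COM", 3, 23, b"\x33" * 16)])  # constructed: wrong case
KDC_VIEW = {"HTTP/sps.example.com@EXAMPLE.COM": (3, 18)}  # 18 = aes256-cts-hmac-sha1-96, as reported by the KDC
```

    Running check_keytab(SAMPLE_KEYTAB, KDC_VIEW) flags the stale-KVNO entry and the case-mismatched SPN and stays silent on the current entry.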



  • 9.  Re: SSO with Kerberos Authentication Errors

    Posted 10-16-2017 02:49 PM

    Thanks very much... Will have our team look at this.



  • 10.  Re: SSO with Kerberos Authentication Errors

    Posted 10-26-2017 01:09 PM

    Thank you, Hubert! 

     

    Please find my comments:

     

    Set I - 

     

    • The KRB5_CONFIG environment variable is set correctly for the user running SPS. For the Windows Policy Server refer here: How to setup SiteMinder Kerberos Authentication - Part 1. - It is a Windows PS.
    • krb5.conf has been configured correctly with the necessary parameters. - Yes, verified
    • KVNO numbers in your keytab files match the KVNO in the KDC. - Yes, KVNOs match
    • Kerberos is very case sensitive. Make sure your hostnames / FQDNs match correctly everywhere (KDC, keytabs, SPNs). - Yes, they match case by case everywhere
    • Encryption algorithms match (what is defined in krb5.conf, what the KDC is using, and what was used when generating the keytab files; this can be seen using a Wireshark trace). - Default enc type is used

     

    Set II - 

    • ACO entries as described above are all verified to be accurate and match between entries on the KDC/keytab
    • Authentication scheme entries were also compared and verified


  • 11.  Re: SSO with Kerberos Authentication Errors

    Posted 10-26-2017 01:23 PM

    Troubleshooting -

    We used Wireshark, procmon, Dependency checker and log files (for sure) as we moved forward each step.

    1. Initial errors were rectified by moving some "Missing DLLs" with SSO 12.6 based on this tech note: Policy Server crashes when initializing the Kerberos Authentication

    2. The error that gave us a hard time was "Authentication scheme initialization error" - The setting was verified to be accurate, but still, when we hit the flow from the workstation browser, we ended up getting the . We verified each component for the tickets, and what we found was that the PS was somehow not responding as it should and ended up with this error.

    The tool set mentioned above gave us hints that it was not responding to Kerberos requests as it should, but they did not actually point at what the problem was.

     

    And special mention goes to Brian Dyson/team, who actually figured out the setting that was missing in the setup, which was setting "default_ccache_name" in the Kerberos configuration file. This is outside the SSO settings. This parameter (& values) is generally not included because we assume Windows handles this with default locations (or we add it only if we have a custom cache file location). Adding this setting did the work for us and Kerberos worked like a charm. This setting is particular to new Windows servers; we were on Windows 2012 R2 for the Policy Server in this case.

     

    I will try to post another note with additional details for the team to refer to. I would recommend folks working on new Windows and Kerberos to keep this setting in mind while making the configuration.

     

    Thanks

    Mukund/-



  • 12.  Re: SSO with Kerberos Authentication Errors

    Posted 10-26-2017 05:16 PM

    Here is a document on "Kerberos troubleshooting" (Authored by Brian Dyson)

    Kerberos Troubleshooting 

     

    I am sure you will find it helpful while dealing with configuration / troubleshooting Kerberos.

     

    Thanks

    Mukund.-



  • 13.  Re: SSO with Kerberos Authentication Errors

    Posted 12-28-2017 11:01 AM

    Thanks Wes, this will be helpful.