We have a project where we are struggling to get Kerberos working with:
- SSO Policy Server 12.6
- SPS 12.52 SP1 on Solaris 10
Any recommendations would be appreciated. We are considering upgrading SPS to 12.6. #kerberos
What is the OS and version of the policy server? Can you be more specific about the kinds of problems you're having?
Hi. Thanks for the response.
Case #00863241 has the details if you have time and wouldn't mind.
We have SPS 12.52 SP1 32-bit on Solaris 10, Directory Server 12.6 on Windows 2012 R2, and SSO itself is on Windows R2 (12.6). I have heard conflicting things as to whether SPS 12.52 is a problem with Policy Server 12.6.
Are we sure 00863241 is the correct case number?
Anyways, R1252 AG should work with R12.6 Policy Server. It is a supported configuration. All features available in R1252 should work. All features applicable to R12.6 may not work unless AG is upgraded to R12.6. Having said that, Kerberos support for CA AG was introduced in 12.52 SP1 CRs. I need to see the release notes to identify which CR on R12.52 SP1 this was introduced.
What is the exact version of CA AG R12.52 SP1, right down to the CR level? Could we have that detail?
Can you please provide details on the Kerberos errors we are seeing.
Richard also believes we do have a supported environment with SPS 12.52…
Senior Project Manager
Support case number - 00855771
[10/02/2017][12:19:51.799][12:19:51][SmAuthServer.cpp:377][LogMessage:ERROR:[sm-Server-02960] Failed to initialize authentication scheme 'Kerberos Auth']
[10/02/2017][12:19:51.799][12:19:51][SmAuthUser.cpp:4085][CSmAuthUser::AuthenticateUserDir][Service_SM_**d@ADP1.****.PTE][false][Cannot init Auth scheme. leave function.]
There are a ton of things that could go wrong with regard to Kerberos which are outside CA SSO.
I am hoping the following have been checked (this applies to both SPS and Policy Server).
Having said the above, can we check the authentication scheme and the ACO Parameters, which are in scope of CA SSO.
Principal Name defined within the Authentication Scheme. The format is "serviceaccountname/FQDN@DOMAIN.COM".
References: I would use these as starting reference points and then build on these into the variants we have to work with.
For Windows Policy Server: How to setup SiteMinder Kerberos Authentication - Part 1
For Linux: Apache WebAgent Kerberos Authentication with CA SSO Using Linux Policy Server; should be mostly the same for SPS / Solaris as well.
Thanks very much... Will have our team look at this.
Thank you, Hubert!
Please find my comments:
Set I -
Set II -
We used Wireshark, Procmon, Dependency checker and log files (for sure) as we moved forward each step.
1. Initial errors were rectified by moving some "Missing DLLs" with SSO 12.6 based on this tech note - Policy Server crashes when initializing the Kerberos Authentication
2. The error that gave us a hard time was "Authentication scheme initialization error" - The setting was verified to be accurate, but still when we hit the flow from the workstation browser, we ended up getting up the . Verified each component for the tickets and what we found was PS was somehow not responding as it should be and ended up with this error.
The tool set mentioned above gave us hints that it was not responding to Kerberos requests as it should be, but they did not actually point at what the problem was.
And special mention goes to Brian Dyson/ team who actually figured out the setting that was missing in the setup, which was setting "default_ccache_name" in the Kerberos configuration file. This is outside the SSO settings. This parameter (& values) is generally not included because we assume Windows to handle this with default locations (or add it only if we have a custom cache file location). Adding this setting did the work for us and Kerberos worked like a charm. This setting is particular to new Windows servers; we were on Windows 2012 R2 for Policy Server in this case.
I will try to post another note with additional details for the team to refer to. I would recommend folks working on new Windows and Kerberos to keep this setting in mind while making the configuration.
Here is a document on "Kerberos troubleshooting" (Authored by Brian Dyson)
Am sure you will find it helpful while dealing with configuration / troubleshooting Kerberos.
Thanks Wes, this will be helpful.
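The resolution reported in this thread was a missing "default_ccache_name" in the Kerberos configuration file, and an earlier reply gives the principal format for the authentication scheme. As an added example (not code from the thread or from CA), this Python script checks a krb5.ini for both; the sample file, host, realm, cache-path placeholder and the realm-match check are constructed assumptions.

```python
import re

# Constructed sample krb5.ini; realm, host and cache path are placeholders.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    ; default_ccache_name = FILE:<cache-path>
[realms]
    EXAMPLE.COM = {
        kdc = dc01.example.com
    }
"""

# Shape quoted in the thread: serviceaccountname/FQDN@DOMAIN.COM
PRINCIPAL_RE = re.compile(r"^[^/@\s]+/[^/@\s.]+(\.[^/@\s.]+)+@(?P<realm>[^/@\s]+)$")

def parse_krb5(text):
    """Return {section: {key: value}}; keys nested inside {...} are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif line.startswith("}"):
            depth -= 1
        else:
            key, sep, value = line.partition("=")
            if sep and current is not None and depth == 0:
                current[key.strip()] = value.strip()
            if line.endswith("{"):
                depth += 1
    return sections

def check(text, principal):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse_krb5(text), []
    libdefaults = cfg.get("libdefaults", {})
    if not libdefaults.get("default_ccache_name"):
        findings.append("default_ccache_name is not set in [libdefaults]")
    m = PRINCIPAL_RE.match(principal)
    # Assumption (added check): the realm must exactly match one named here.
    known = set(cfg.get("realms", {})) | {libdefaults.get("default_realm")}
    if not m:
        findings.append("principal is not serviceaccountname/FQDN@DOMAIN.COM")
    elif m["realm"] not in known:
        findings.append(f"realm {m['realm']} does not match any realm in the file")
    return findings
```

Run `check()` against the krb5.ini that the Policy Server actually loads; a commented-out `default_ccache_name` line is reported as missing.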