Automic Workload Automation


Kerberos Single Sign-ON

  • 1.  Kerberos Single Sign-ON

    Posted 08-08-2019 10:01 AM
    Hi guys,

    After upgrading to AE 12.3, I am trying to configure Single Sign-On with Kerberos.

    I've set up everything as described in the docs, but it's not working.

    I get the following error message:

    D:\xxxx\ae\bin>java -Xmx512M -Dsun.security.krb5.debug=true -jar ucsrvjp.jar
    UC4 XXXX#WP-Server Version 12.3.0+build.1563351461009 (PID=7988)
    >>> KeyTabInputStream, readName(): XXXX.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): xxxxxx01.xxxx.local
    >>> KeyTab: load() entry length: 62; type: 1
    >>> KeyTabInputStream, readName(): XXXX.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): xxxxxx01.xxxx.local
    >>> KeyTab: load() entry length: 62; type: 3
    >>> KeyTabInputStream, readName(): XXXX.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): xxxxxx01.xxxx.local
    >>> KeyTab: load() entry length: 70; type: 23
    >>> KeyTabInputStream, readName(): XXXX.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): xxxxxx01.xxxx.local
    >>> KeyTab: load() entry length: 86; type: 18
    >>> KeyTabInputStream, readName(): XXXX.LOCAL
    >>> KeyTabInputStream, readName(): HTTP
    >>> KeyTabInputStream, readName(): xxxxxx01.xxxx.local
    >>> KeyTab: load() entry length: 70; type: 17
    Looking for keys for: HTTP/xxxxxx01.xxxx.local@XXXX.LOCAL
    Java config name: D:\xxxx\ext_res\jdk1.8.0_144\jre\lib\security\krb5.conf
    Loaded from Java config
    Added key: 17version: 4
    Added key: 18version: 4
    Added key: 23version: 4
    Found unsupported keytype (3) for HTTP/xxxxxx01.xxxx.local@XXXX.LOCAL
    Found unsupported keytype (1) for HTTP/vmxxxx01.xxxx.local@XXXX.LOCAL
    >>> KdcAccessibility: reset
    Looking for keys for: HTTP/xxxxxx01.xxxx.local@XXXX.LOCAL
    Added key: 17version: 4
    Added key: 18version: 4
    Added key: 23version: 4
    Found unsupported keytype (3) for HTTP/xxxxxx01.xxxx.local@xxxx.LOCAL
    Found unsupported keytype (1) for HTTP/xxxxxx01.xxxx.local@xxxx.LOCAL
    default etypes for default_tkt_enctypes: 23.
    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc=xxxxxx01.xxxx.local UDP:88, timeout=30000, number of retries =3, #bytes=152
    >>> KDCCommunication: kdc=xxxxxx01.xxxx.local UDP:88, timeout=30000,Attempt =1, #bytes=152
    >>> KrbKdcReq send: error trying xxxxxx01.xxxx.local
    java.net.PortUnreachableException: ICMP Port Unreachable
    at java.net.DualStackPlainDatagramSocketImpl.socketReceiveOrPeekData(Native Method)
    at java.net.DualStackPlainDatagramSocketImpl.receive0(DualStackPlainDatagramSocketImpl.java:124)
    at java.net.AbstractPlainDatagramSocketImpl.receive(AbstractPlainDatagramSocketImpl.java:143)
    at java.net.DatagramSocket.receive(DatagramSocket.java:812)
    at sun.security.krb5.internal.UDPClient.receive(NetClient.java:206)
    at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:411)
    at sun.security.krb5.KdcComm$KdcCommunication.run(KdcComm.java:364)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.krb5.KdcComm.send(KdcComm.java:348)
    at sun.security.krb5.KdcComm.sendIfPossible(KdcComm.java:253)
    at sun.security.krb5.KdcComm.send(KdcComm.java:229)
    at sun.security.krb5.KdcComm.send(KdcComm.java:200)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
    at com.automic.sso.SingleSignOnHandler.getLoginContext(SingleSignOnHandler.java:215)
    at com.automic.sso.SingleSignOnHandler.validateKerberosToken(SingleSignOnHandler.java:90)
    at com.automic.sso.SingleSignOnHandler.handleMessage(SingleSignOnHandler.java:61)
    at com.automic.kernel.impl.NATDispatcher.dispatch(NATDispatcher.java:46)
    at com.automic.kernel.impl.MQRecordReader.execute(MQRecordReader.java:40)
    at com.automic.kernel.impl.DBAction.execute(DBAction.java:152)
    at com.automic.kernel.impl.DBAction.execute(DBAction.java:133)
    at com.automic.kernel.impl.DBAction.execute(DBAction.java:115)
    at com.automic.kernel.impl.MessageInQueue$1.runSave(MessageInQueue.java:57)
    at com.automic.kernel.impl.ExecutorTaskWrapper.run(ExecutorTaskWrapper.java:34)
    at com.automic.kernel.impl.MessageInQueue.readNewMessage(MessageInQueue.java:65)
    at com.automic.kernel.impl.MessageInQueue.execute(MessageInQueue.java:31)
    at com.automic.kernel.impl.NetworkMessageDispatcher$NetworkMessageRunnable.runSave(NetworkMessageDispatcher.java:117)
    at com.automic.kernel.impl.ExecutorTaskWrapper.run(ExecutorTaskWrapper.java:34)
    at com.automic.kernel.impl.NetworkMessageDispatcher.dispatch(NetworkMessageDispatcher.java:71)
    at com.automic.kernel.impl.RunnableMessage.runSave(RunnableMessage.java:36)
    at com.automic.kernel.impl.ExecutorTaskWrapper.run(ExecutorTaskWrapper.java:34)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
    >>> KdcAccessibility: add xxxxxx01.xxxx.local


    My krb5.conf looks like:

    [libdefaults]
    default_realm = XXXX.LOCAL
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    permitted_enctypes = rc4-hmac

    [domain_realm]
    xxxx.local = XXXX.LOCAL

    [realms]
    XXXX.LOCAL = {
        kdc = xxxxxx01.xxxx.local
        admin_server = xxxxxx01.xxxx.local
    }

    [logging]
    default = FILE:\\L:\xxxx_logs\KDC
    *****************************************************

    Does any of you have an idea what I can check or configure to get it running? Currently I have no idea.

    Thanks

    regards,
    Ben



  • 2.  RE: Kerberos Single Sign-ON

    Posted 08-08-2019 10:18 AM
    Edited by Carsten Schmitz 08-08-2019 10:23 AM
    Hi.

    Firewall. Check UDP is allowed, not just TCP.

    edit: well, obviously, check ICMP is allowed. But I'm assuming you already did that, and this Java exception might be bogus and might also result from UDP being blocked as per some sources, and/or certain firewalls may lump ICMP in with UDP despite it being a different protocol.

    Hth,
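    The checks discussed in the first two posts (what the JDK loaded from the keytab, what krb5.conf permits, and whether the KDC answers on UDP and TCP port 88), as an added example that is not code from the thread or from Automic. The krb5.conf text and debug lines are constructed from the sanitized post; hostnames and realm are placeholders, and `probe_kdc` only touches the network when run from `main`.

```python
"""Added example: offline review of a Java/Kerberos SSO setup.  Parses a krb5.conf,
flags enctype settings worth revisiting, pulls the actionable signals out of
-Dsun.security.krb5.debug=true output, and probes a KDC on TCP and UDP port 88.
All sample data is constructed; hostnames and realm are placeholders."""
import re
import socket

# krb5 enctype numbers exactly as printed by the JDK's KeyTab debug output.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
DEPRECATED = {"des-cbc-crc", "des-cbc-md5", "rc4-hmac"}   # RFC 6649 / RFC 8429


def parse_krb5_conf(text):
    """Small krb5.conf reader: {section: {key: value}}, with 'realms' nested as
    {realm: {key: [values]}}.  Tolerates '[section].' and '[section]key = v'."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^\[(\w+)\]\.?\s*(.*)$", line)
        if m:
            section, line = m.group(1), m.group(2)   # leftover text is a key line
            conf.setdefault(section, {})
        if not line or section is None:
            continue
        if section == "realms":
            if line.endswith("{"):
                realm = line.rstrip("{").strip().rstrip("=").strip()
                conf["realms"][realm] = {}
            elif line == "}":
                realm = None
            elif realm and "=" in line:
                k, v = (s.strip() for s in line.split("=", 1))
                conf["realms"][realm].setdefault(k, []).append(v)
        elif "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            conf[section][k] = v
    return conf


def review_enctypes(conf, keytab_types):
    """Compare what krb5.conf permits with what the keytab actually contains."""
    notes, lib = [], conf.get("libdefaults", {})
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        names = [n for n in re.split(r"[\s,]+", lib.get(key, "")) if n]
        if names and set(names) <= DEPRECATED:
            notes.append(f"{key} restricts the JDK to deprecated enctypes: {' '.join(names)}")
    strong = sorted(ENCTYPE_NAMES.get(t, str(t)) for t in keytab_types
                    if ENCTYPE_NAMES.get(t) not in DEPRECATED)
    if strong:
        notes.append("keytab already carries " + ", ".join(strong) + "; prefer these")
    if "udp_preference_limit" not in lib:
        notes.append("udp_preference_limit unset: the JDK tries UDP first; "
                     "udp_preference_limit = 1 forces TCP where UDP/88 is filtered")
    return notes


def summarize_krb5_debug(lines):
    """Extract the signals that matter from the JDK's krb5 debug output."""
    out = {"keytab_types": set(), "unsupported": set(), "kdc_errors": [], "udp_unreachable": False}
    for line in lines:
        if m := re.search(r"KeyTab: load\(\) entry length: \d+; type: (\d+)", line):
            out["keytab_types"].add(int(m.group(1)))
        if m := re.search(r"Found unsupported keytype \((\d+)\)", line):
            out["unsupported"].add(int(m.group(1)))
        if m := re.search(r"KrbKdcReq send: error trying (\S+)", line):
            out["kdc_errors"].append(m.group(1))
        if "PortUnreachableException" in line:
            out["udp_unreachable"] = True
    return out


def probe_kdc(host, port=88, timeout=3.0):
    """tcp: a TCP connect completed.  udp: no ICMP port-unreachable came back after
    one datagram; UDP cannot prove the port is open, so udp=True means 'not refused'."""
    status = {"tcp": False, "udp": False}
    try:
        with socket.create_connection((host, port), timeout=timeout):
            status["tcp"] = True
    except OSError:
        pass
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(b"\x00")           # not a Kerberos message; a real KDC answers KRB_ERROR
            try:
                s.recv(1)
            except socket.timeout:
                pass                  # silence: open, or silently filtered
            status["udp"] = True
        except OSError:               # ICMP port unreachable surfaces here
            status["udp"] = False
    return status


# Constructed from the thread's post (hostnames and realm are placeholders).
SAMPLE_KRB5_CONF = r"""
[libdefaults]
default_realm = XXXX.LOCAL
default_tkt_enctypes = rc4-hmac
default_tgs_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
[domain_realm].
xxxx.local = XXXX.LOCAL
[realms]
XXXX.LOCAL = {
kdc = xxxxxx01.xxxx.local
admin_server = xxxxxx01.xxxx.local
}
[logging]default = FILE:\\L:\xxxx_logs\KDC
"""
SAMPLE_DEBUG = [
    ">>> KeyTab: load() entry length: 62; type: 1",
    ">>> KeyTab: load() entry length: 62; type: 3",
    ">>> KeyTab: load() entry length: 70; type: 23",
    ">>> KeyTab: load() entry length: 86; type: 18",
    ">>> KeyTab: load() entry length: 70; type: 17",
    "Found unsupported keytype (3) for HTTP/xxxxxx01.xxxx.local@XXXX.LOCAL",
    "Found unsupported keytype (1) for HTTP/xxxxxx01.xxxx.local@XXXX.LOCAL",
    ">>> KrbKdcReq send: error trying xxxxxx01.xxxx.local",
    "java.net.PortUnreachableException: ICMP Port Unreachable",
]

if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    debug = summarize_krb5_debug(SAMPLE_DEBUG)
    for note in review_enctypes(conf, debug["keytab_types"]):
        print("NOTE:", note)
    if debug["udp_unreachable"]:
        print("UDP/88 refused for:", ", ".join(debug["kdc_errors"]))
    for realm, settings in conf.get("realms", {}).items():
        for kdc in settings.get("kdc", []):   # hits the network; placeholder host here
            print(realm, kdc, probe_kdc(kdc, timeout=2.0))
```

    Run against the real krb5.conf and the captured debug output, the review shows the two things the log already hints at: the keytab holds AES keys (types 17 and 18) that the rc4-only enctype lines never let the JDK use, and the first request went out over UDP and was refused. `udp_preference_limit` is a standard krb5.conf setting the JDK honours; setting it to 1 is the usual way to stay on TCP/88 when UDP is filtered on the path.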


  • 3.  RE: Kerberos Single Sign-ON

    Posted 08-09-2019 05:26 AM
    Hi,
    Everything checked with our network admins.
    No blocking point so far.

    I have no idea anymore...

    regards,
    Benedikt


  • 4.  RE: Kerberos Single Sign-ON

    Posted 08-21-2019 03:35 AM
    Make sure the HTTP header size is big enough on the Automic AWI Tomcat server.xml. This caused us lots of issues before it worked and was difficult to track down. I'm not sure it fixes your issue above, but it's one to check anyway.

    <Connector port="8080" protocol="HTTP/1.1"
               maxHttpHeaderSize="16384"
               connectionTimeout="20000"
               redirectPort="8443" />


    ------------------------------
    Glencore International AG
    ------------------------------
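    The header-size check the post above describes, as an added example that is not the thread's or Automic's code. It reads each HTTP Connector from a Tomcat server.xml, applies Tomcat's documented 8192-byte default where `maxHttpHeaderSize` is absent, and compares that with the size of an `Authorization: Negotiate` header for a given raw token length. The SPNEGO token carries the Kerberos service ticket, whose PAC grows with the user's group memberships, which is why members of many groups are the ones who hit the limit. The server.xml and the token length are constructed.

```python
"""Added example: does each Tomcat HTTP Connector leave room for the SPNEGO
Authorization header?  server.xml and token size below are constructed."""
import base64
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_MAX_HEADER = 8192       # Tomcat's documented default for maxHttpHeaderSize
HEADER_PREFIX = "Authorization: Negotiate "
LINE_END = "\r\n"


def negotiate_header_size(token_len):
    """Bytes one Negotiate header occupies for a raw SPNEGO token of token_len bytes."""
    b64_len = len(base64.b64encode(bytes(token_len)))   # exact base64 length, padding included
    return len(HEADER_PREFIX) + b64_len + len(LINE_END)


def connector_header_limits(server_xml):
    """{port: effective maxHttpHeaderSize} for every non-AJP Connector in server.xml."""
    limits = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue                                       # AJP connectors carry no client headers
        limits[int(c.get("port"))] = int(c.get("maxHttpHeaderSize", TOMCAT_DEFAULT_MAX_HEADER))
    return limits


def headroom(server_xml, token_len, other_headers=1024):
    """Per connector: the configured limit, the projected request-header size (Negotiate
    header plus an allowance for Host, Cookie, User-Agent, ...), whether it fits, and
    the smallest multiple of 8 KiB that would."""
    need = negotiate_header_size(token_len) + other_headers
    report = {}
    for port, limit in connector_header_limits(server_xml).items():
        suggested = max(limit, ((need + 8191) // 8192) * 8192)
        report[port] = {"limit": limit, "needed": need, "fits": need <= limit,
                        "suggested": suggested}
    return report


# Constructed server.xml: the post's connector, one left at the default, and an AJP one.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               maxHttpHeaderSize="16384"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

if __name__ == "__main__":
    # 9000 raw bytes is a constructed figure for a ticket with a large PAC.
    for port, r in headroom(SAMPLE_SERVER_XML, token_len=9000).items():
        verdict = "ok" if r["fits"] else f"too small, raise to {r['suggested']}"
        print(f"port {port}: limit {r['limit']} needed {r['needed']} -> {verdict}")
```

    A request whose headers exceed the limit is rejected by Tomcat before the web application sees it, so the symptom is a generic HTTP 400 for some users only, which is what makes it hard to track down. Measure the real token length from a captured request (the base64 value after `Negotiate`) rather than guessing it.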