Configuring Kerberos and Single SignOn with SV 10.5 facing Exceptions

Article Id: 141162

Status: Published

Updated On: 03-12-2019 16:36

Products:

CLOUDTEST , CA Application Test , CA Cloud Test Mobile , MOBILECLOUD , Service Virtualization

Issue/Introduction:

Customer has IAM, Enterprise Dashboard, Registry and Portal running - All 10.5.

We are still in the process of configuring their IAM with LDAP.

When looking at our next steps, we discussed we will need to change some configuration in the browser and customer mentioned the users should not have permissions to change the security settings in the browser.

He also added that they authenticate to the computer using a smart card. They do not enter a username and password.

It looks like the information from the smartcard is translated to a username/password in the Active Directory side, and this information will be passed in the request header being sent in the browser.

Should that work fine? Is there a different step to follow if a user cannot change the security settings in the browser?

We are following the documentation.

While configuring LDAP + Kerberos to enable single sign on I am facing the following exception:

2019-10-02 10:35:20,347 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-26) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)

at java.security.AccessController.doPrivileged(Native Method)

at javax.security.auth.Subject.doAs(Subject.java:422)

at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)

at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:677)

at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:296)

at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89)

at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:200)

at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:853)

at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722)

at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)

at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395)

at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139)

...

... 81 more

2019-10-02 10:35:20,362 INFO [stdout] (default task-26) [Krb5LoginModule]: Entering logout

2019-10-02 10:35:20,362 INFO [stdout] (default task-26) [Krb5LoginModule]: logged out Subject

Environment:

Release : 10.5

Component : CA Application Test

Resolution:

As suggested set the following values for "network.negotiate-auth.trusted-uris" in the Firefox browser:

.ndc.nasa.gov,.nasa.gov,https://yourserver.ndc.nasa.gov

Basically we should specify a comma-delimited list of trusted domain(s) and/or hostname(s) and/or URL prefix(es) in the popup window.

Please note that domains can wild carded by specifying a domain suffix with a dot in front (i.e .example.com).

Example #1: hostname.example.com - Fully Qualified Domain Name (FQDN) of the host running web application(IAM/Keycloak).
Example #2: https://hostname.example.com - URL of the web application application(IAM/Keycloak)
Example #3: .example.com - domain name

Also, make sure that you have the following configured in your Firefox browser for the Kerberos to work:

network.negotiate-auth.allow-non-fqdn = false
network.negotiate-auth.allow-proxies = true
network.negotiate-auth.delegation-uris = Include the local intranet domain name, such as .your-domain.com, where the leading period represents a wildcard character
network.negotiate-auth.using-native-gsslib = true

Additional Information:

Please refer to the Auto login section in the docops.ca.com for configuring Kerberos:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/continuous-testing/devtest-solutions/10-5/administering/security/enable-auto-
login.html