Configuring Kerberos and Single Sign-On with SV 10.5: facing exceptions


Article ID: 141162


Products

CLOUDTEST CA Application Test CA Cloud Test Mobile MOBILECLOUD Service Virtualization

Issue/Introduction

 
Customer has IAM, Enterprise Dashboard, Registry and Portal running, all on 10.5.

We are still in the process of configuring their IAM with LDAP.

When looking at our next steps, we discussed that we will need to change some configuration in the browser, and the customer mentioned that the users should not have permission to change the security settings in the browser.

He also added that they authenticate to the computer using a smart card. They do not enter a username and password.

It looks like the information from the smartcard is translated to a username/password in the Active Directory side, and this information will be passed in the request header being sent in the browser.

Should that work fine? Is there a different step to follow if a user cannot change the security settings in the browser?

We are following the documentation.
 
While configuring LDAP + Kerberos to enable single sign-on, I am facing the following exception:

2019-10-02 10:35:20,347 WARN  [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-26) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:68)
at org.keycloak.storage.ldap.LDAPStorageProvider.authenticate(LDAPStorageProvider.java:677)
at org.keycloak.credential.UserCredentialStoreManager.authenticate(UserCredentialStoreManager.java:296)
at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89)
at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:200)
at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:853)
at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:722)
at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395)
at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139)
...
... 81 more

2019-10-02 10:35:20,362 INFO  [stdout] (default task-26) [Krb5LoginModule]: Entering logout
2019-10-02 10:35:20,362 INFO  [stdout] (default task-26) [Krb5LoginModule]: logged out Subject

Environment

Release : 10.5

Component : CA Application Test

Resolution

As suggested, set the following value for "network.negotiate-auth.trusted-uris" in the Firefox browser (about:config):

.ndc.nasa.gov,.nasa.gov,https://yourserver.ndc.nasa.gov

The value is a comma-delimited list of trusted domain(s), hostname(s) and/or URL prefix(es), entered in the about:config edit dialog. Firefox only sends an "Authorization: Negotiate" header (that is, the Kerberos ticket) to sites that match one of these entries; a request to any other site is answered without a ticket, and Keycloak then falls back to its login form.

Note that a domain can be wildcarded by giving the domain suffix with a leading dot (e.g. .example.com), which covers every host in that domain.

Example #1: hostname.example.com - Fully Qualified Domain Name (FQDN) of the host running the web application (IAM/Keycloak).
Example #2: https://hostname.example.com - URL of the web application (IAM/Keycloak); the scheme must then match as well.
Example #3: .example.com - domain name (matches hostname.example.com and every other host under example.com).

Also, make sure that the following are configured in your Firefox browser for Kerberos to work:

network.negotiate-auth.allow-non-fqdn = false (do not send tickets to bare, single-label hostnames; keep the default)
network.negotiate-auth.allow-proxies = true (allow Negotiate authentication when the request goes through a proxy)
network.negotiate-auth.delegation-uris = the local intranet domain name, such as .your-domain.com, where the leading period acts as a wildcard. This list controls which sites receive a forwardable (delegated) credential that lets the server act as the user towards other services, so it should only contain the hosts that actually need that, not every site that is merely trusted for single sign-on.
network.negotiate-auth.using-native-gsslib = true (use the operating system's Kerberos library, so the ticket obtained at smart card logon is reused)

Because the customer's users cannot edit about:config, these preferences have to be deployed centrally rather than by hand, for example through a locked Firefox Enterprise Policy (policies.json, GPO or the macOS profile equivalent) or a locked autoconfig file.

Independently of the browser settings, the message in the log above, "Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC", is raised by the Java Kerberos library when the service ticket presented by the browser is encrypted with RC4-HMAC and the keytab used by Keycloak contains no RC4-HMAC key for the service principal (SPN). If the exception persists after the browser is fixed, list the key types in the keytab (for example with "klist -k -e -t /path/to/keytab") and either regenerate the keytab with the encryption types the domain controller issues for that SPN, or configure the SPN so that tickets are issued with a type present in the keytab.
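The two parts of this resolution, the trusted-uris matching rule and the surrounding Negotiate preferences, in one added Python example. This is not code from the article, from Broadcom or from Keycloak. It parses a constructed user.js that mirrors the values given above, applies my reading of Firefox's entry-matching rule (an approximation that the article itself does not spell out) to decide whether a given IAM URL will be sent a Kerberos ticket and whether credentials will be delegated to it, and emits the same settings as a locked Firefox Enterprise "Authentication" policy for the case raised in the question, where users may not change about:config themselves. The hostnames in the sample are taken from the value in the Resolution; the URLs tested against them are made up for illustration.

```python
"""Added example: check Firefox Negotiate prefs against an IAM/Keycloak URL
and emit the equivalent locked Enterprise Policy. Not from the article."""
import re
from urllib.parse import urlsplit

# Constructed sample user.js, mirroring the values given in the Resolution.
SAMPLE_USER_JS = """\
user_pref("network.negotiate-auth.trusted-uris", ".ndc.nasa.gov,.nasa.gov,https://yourserver.ndc.nasa.gov");
user_pref("network.negotiate-auth.delegation-uris", ".ndc.nasa.gov");
user_pref("network.negotiate-auth.allow-non-fqdn", false);
user_pref("network.negotiate-auth.allow-proxies", true);
user_pref("network.negotiate-auth.using-native-gsslib", true);
"""

PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse user.js / prefs.js pref() lines into a dict of typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref() call
        key, raw = m.groups()
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[key] = raw[1:-1]
        else:
            prefs[key] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def _split_list(value):
    return [e.strip() for e in str(value).split(",") if e.strip()]


def entry_matches(entry, scheme, host, port):
    """Approximation (my reading of Firefox's rule, not stated in the article)
    of how one trusted-uris / delegation-uris entry is matched. An entry is
    [scheme://]host[:port]; scheme and port must match exactly when present;
    the host part must equal the request host or be a dot-delimited suffix of
    it, so ".example.com" covers "iam.example.com" but "bar.com" does not
    cover "foobar.com"."""
    e_scheme, rest = entry.split("://", 1) if "://" in entry else (None, entry)
    if e_scheme is not None and e_scheme.lower() != scheme.lower():
        return False
    e_host, _, e_port = rest.rstrip("/").partition(":")
    if e_port and (not e_port.isdigit() or int(e_port) != port):
        return False
    if not e_host:
        return True  # an entry like "https://" trusts every host on that scheme
    h, eh = host.lower(), e_host.lower()
    if h == eh:
        return True
    return h.endswith(eh) and (eh.startswith(".") or h[-len(eh) - 1] == ".")


def _uri_list_allows(prefs, key, url):
    u = urlsplit(url)
    host = u.hostname or ""
    if prefs.get("network.negotiate-auth.allow-non-fqdn", False) and "." not in host:
        return True, "bare hostname accepted because allow-non-fqdn is true"
    for entry in _split_list(prefs.get(key, "")):
        if entry_matches(entry, u.scheme, host, u.port):
            return True, f"matched {key} entry {entry!r}"
    return False, f"no {key} entry matches {host!r}"


def negotiate_allowed(prefs, url):
    """Will Firefox answer a 401 with WWW-Authenticate: Negotiate from this URL
    by sending a Kerberos ticket at all?"""
    return _uri_list_allows(prefs, "network.negotiate-auth.trusted-uris", url)


def delegation_allowed(prefs, url):
    """Will Firefox additionally hand the site a forwardable credential? Keep
    this list to the hosts that genuinely need to act on the user's behalf."""
    return _uri_list_allows(prefs, "network.negotiate-auth.delegation-uris", url)


def to_enterprise_policy(prefs):
    """Express the same settings as the Firefox Enterprise Policies
    "Authentication" policy (policies.json in the install's distribution/
    directory, or the GPO/plist equivalent) so they are set and locked for
    users who cannot edit about:config. using-native-gsslib has no policy key
    and remains a plain preference."""
    return {"policies": {"Authentication": {
        "SPNEGO": _split_list(prefs.get("network.negotiate-auth.trusted-uris", "")),
        "Delegated": _split_list(prefs.get("network.negotiate-auth.delegation-uris", "")),
        "AllowNonFQDN": {"SPNEGO": bool(prefs.get("network.negotiate-auth.allow-non-fqdn", False))},
        "AllowProxies": {"SPNEGO": bool(prefs.get("network.negotiate-auth.allow-proxies", True))},
        "Locked": True,
    }}}


if __name__ == "__main__":
    import json
    p = parse_prefs(SAMPLE_USER_JS)
    for url in ("https://yourserver.ndc.nasa.gov/auth/", "https://portal.nasa.gov/", "http://iam/"):
        print(url, negotiate_allowed(p, url), delegation_allowed(p, url))
    print(json.dumps(to_enterprise_policy(p), indent=2))
```

Run it against the user.js exported from a test profile: a URL that comes back with "no ... entry matches" is exactly the case where Firefox silently sends no ticket and Keycloak shows its login form. The policy output goes into policies.json; with "Locked" set, the about:config entries become read-only for the user, which answers the question of what to do when users cannot change the browser's security settings.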


Additional Information

Please refer to the auto-login section of the DevTest Solutions 10.5 documentation on techdocs.broadcom.com (formerly docops.ca.com) for configuring Kerberos:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/continuous-testing/devtest-solutions/10-5/administering/security/enable-auto-login.html