SSO kerberos not working - no Token Provider is given or no Token is present!
search cancel

SSO kerberos not working - no Token Provider is given or no Token is present!

book

Article ID: 260550

calendar_today

Updated On:

Products

CA Automic Workload Automation - Automation Engine CA Automic One Automation

Issue/Introduction

SSO Kerberos not working on our servers.

The AWI logs show the following error:

2023-02-23 12:16:03,471 pool-1-thread-1        [ERROR] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.ecc.plugins.login.behaviours.kerberos.KerberosLoginBehaviour] - Login Type == Kerberos, but no Token Provider is given or no Token is present!
java.lang.RuntimeException: java.lang.IllegalStateException: No Kerberos Token is present!

After activating tracing on AWI by setting xml=3 in uc4config.xml and <root level="TRACE"> in logback.xml and redoing the Kerberos login the more detailed error is the following:

2023-02-23 12:15:57,131 penssl-nio-8443-exec-1 [DEBUG] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0   [com.uc4.ecc.plugins.login.behaviours.kerberos.KerberosSSORequestHandler] - received a NTLM ticket instead of a kerberos ticket. This can happen if the client is not in the same domain. Disable SSO for current user and downgrade to ECC authentication.
2023-02-23 12:15:57,131 penssl-nio-8443-exec-1 [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0   [com.uc4.ecc.framework.entrypoint.vaadin14.V14Session] - + locked 79DFEA23814D7B77ABF583108E8B2B38 [email protected][Locked by thread https-openssl-nio-8443-exec-1]  --- holdcount: 1
2023-02-23 12:15:57,132 penssl-nio-8443-exec-1 [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0   [com.uc4.ecc.framework.entrypoint.vaadin14.V14Session] - - unocked 79DFEA23814D7B77ABF583108E8B2B38 [email protected][Unlocked] --- holdcount: 0
2023-02-23 12:15:57,315 pool-1-thread-1        [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.webui.common.timer.Sleep] - Operation failed. retrying in 377 ms
2023-02-23 12:15:57,315 pool-1-thread-1        [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.webui.common.timer.Sleep] - Sleep waiting for 377 ms
2023-02-23 12:15:57,692 pool-1-thread-1        [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.webui.common.timer.Sleep] - Operation failed. retrying in 610 ms
2023-02-23 12:15:57,692 pool-1-thread-1        [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.webui.common.timer.Sleep] - Sleep waiting for 610 ms
2023-02-23 12:15:58,303 pool-1-thread-1        [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.webui.common.timer.Sleep] - Operation failed. retrying in 987 ms
2023-02-23 12:15:58,303 pool-1-thread-1        [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.webui.common.timer.Sleep] - Sleep waiting for 987 ms
2023-02-23 12:15:59,290 pool-1-thread-1        [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.webui.common.timer.Sleep] - Operation failed. retrying in 1597 ms
2023-02-23 12:15:59,290 pool-1-thread-1        [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.webui.common.timer.Sleep] - Sleep waiting for 1597 ms
2023-02-23 12:16:00,887 pool-1-thread-1        [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.webui.common.timer.Sleep] - Operation failed. retrying in 2584 ms
2023-02-23 12:16:00,887 pool-1-thread-1        [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.webui.common.timer.Sleep] - Sleep waiting for 2584 ms
2023-02-23 12:16:03,471 pool-1-thread-1        [ERROR] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.ecc.plugins.login.behaviours.kerberos.KerberosLoginBehaviour] - Login Type == Kerberos, but no Token Provider is given or no Token is present!
java.lang.RuntimeException: java.lang.IllegalStateException: No Kerberos Token is present!
    at com.uc4.webui.common.timer.Sleep.retry(Sleep.java:69)
    at com.uc4.webui.common.timer.Sleep.retry(Sleep.java:77)
    at com.uc4.ecc.plugins.login.behaviours.kerberos.KerberosLoginBehaviour.updateSSOToken(KerberosLoginBehaviour.java:125)
    at com.uc4.ecc.plugins.login.behaviours.kerberos.KerberosLoginBehaviour.initiateLogin(KerberosLoginBehaviour.java:64)
    at com.uc4.ecc.plugins.login.api.BaseAutomationEngineLoginBehaviour.initiateLogin(BaseAutomationEngineLoginBehaviour.java:40)
    at com.uc4.ecc.plugins.login.backend.LoginService.login(LoginService.java:100)
    at com.uc4.ecc.plugins.login.api.ILoginService$pbryglu.login(Unknown Source)
    at com.uc4.ecc.plugins.login.view.LoginDialogPresenter.performAutomationEngineLogin(LoginDialogPresenter.java:266)
    at com.uc4.ecc.plugins.login.view.LoginDialogPresenter.login(LoginDialogPresenter.java:231)
    at com.uc4.ecc.framework.core.async.BaseRequestCoordinator$1$1.call(BaseRequestCoordinator.java:237)
    at com.uc4.ecc.framework.core.pool.ContextAwareExecutorService$CallableImplementation.call(ContextAwareExecutorService.java:75)
    at com.google.common.util.concurrent.TrustedListenableFutureTask$TrustedFutureInterruptibleTask.runInterruptibly(TrustedListenableFutureTask.java:125)
    at com.google.common.util.concurrent.InterruptibleTask.run(InterruptibleTask.java:69)
    at com.google.common.util.concurrent.TrustedListenableFutureTask.run(TrustedListenableFutureTask.java:78)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.IllegalStateException: No Kerberos Token is present!
    at com.uc4.ecc.plugins.login.behaviours.kerberos.KerberosLoginBehaviour.lambda$updateSSOToken$0(KerberosLoginBehaviour.java:129)
    at com.uc4.webui.common.timer.Sleep.retry(Sleep.java:61)
    ... 16 common frames omitted
2023-02-23 12:16:03,471 pool-1-thread-1        [TRACE] NOLOGIN/- 79DFEA23814D7B77ABF583108E8B2B38-0  +1 [com.uc4.ecc.plugins.login.view.LoginDialogPresenter] - Failed login
com.uc4.ecc.plugins.login.behaviours.kerberos.KerberosNotAvailableException: Kerberos login is not available

 

Environment

Release : 21.0.4

Cause

The issue was that the DNS canonical name was not in the keytab file.

Resolution

Change the keytab file to contain both the AWI DNS alias name (e.g. awi.tomcatserver.com) and the canonical name (e.g. awi.tomcatserver.uc4automic.com)