
KERBEROS SSO Login Webtop DCTM 6.7 SP1


Hello,

I'm facing a problem when I want to set up Kerberos SSO on my environment. When I try to log in to Webtop 6.7 SP1, at first I can choose the docbase, but then I receive an exception:

ERROR [http-8080-4] com.documentum.web.common.Trace - invokeMethod() failed while calling: onLogin
Unable to obtain password from user

java.lang.IllegalArgumentException: Unable to obtain password from user

My test user has the following properties: [image]

The keytab was generated by this script:

ktpass /pass <password> -out wtuser_HTTP.keytab -princ HTTP/dmsserver01.devenv.corp@DEVENV.CORP -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL /mapUser <username>

And in the trace log there is something like this:

15:04:35,281 DEBUG [main] com.documentum.web.common.Trace - SessionState: [main] Set __dmfSessionBinding = com.documentum.web.formext.session.SessionManagerHttpBinding$SessionBinding@75f0f8ff
15:08:04,905 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [http-8080-1] Set SessionConfigContext = SESSION()APP()
15:08:04,930 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: Created Session Store for HTTP Session 906D889631A494289264D8C078100BA8
15:08:04,931 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set SessionConfigContext = SESSION()APP()
15:08:04,946 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set com.documentum.web.env.AbstractEnvironment = com.documentum.web.failover.TransientObjectWrapper@55b66aff
15:08:04,951 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set com.documentum.web.formext.config.IPreferenceStore = com.documentum.web.failover.TransientObjectWrapper@465f3bad
15:08:04,956 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set tempClientIdclientStore = []
15:08:04,968 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set com.documentum.web.common.ClientInfoService.SERVICE_INSTANCE_KEY = com.documentum.web.failover.TransientObjectWrapper@195092c0
15:08:05,006 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set com.documentum.web.contentxfer.ucf.UcfTransportManager.UcfSessionStore = com.documentum.web.contentxfer.ucf.UcfTransportManager$UcfSessionStore@40dec87
15:08:05,025 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set com.documentum.web.common.FileCleaner.SESSION_FILE_STORE = com.documentum.web.common.FileCleaner$SessionFileStore@22e6f970
15:08:05,025 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set com.documentum.web.contentxfer.ContentTransferConfig.SESSION_CONTENT_LOCATION = com.documentum.web.failover.TransientObjectWrapper@6a0239f6
15:08:05,043 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Remove isRTLLocale
15:08:05,043 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set __dmfLocale = en_US
15:08:05,067 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set com.documentum.web.formext.config.ithemeresolver = com.documentum.web.common.BrandingService$ThemeResolverWrapper@71fb68f
15:08:05,077 DEBUG [http-8080-1] com.documentum.web.common.Trace - [1391350085076,Thread[http-8080-1,5,main],SessionSynch@3ac58af4[lockCount=0,lockOwner=null]] valueBound()
15:08:07,526 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set com.documentum.web.common.ErrorMessageService = com.documentum.web.failover.TransientObjectWrapper@5329645a
15:08:07,573 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set __dmfMessageList = com.documentum.webcomponent.library.messages.MessageService$MessageList@5faabc29
15:08:07,703 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set application.modalpopup.enabled = com.documentum.web.failover.TransientObjectWrapper@c4be179
15:08:07,707 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set initializedState = true
15:08:07,726 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set imagealtstate = false
15:08:07,727 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set keyboardAccessState = false
15:08:07,728 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set shortcutAccessState = false
15:08:07,729 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set com.documentum.web.common.ClientInfoService.CLIENT_SUPPORT_INSTANCE_KEY = com.documentum.web.failover.TransientObjectWrapper@45a1472d
15:08:07,756 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set default-fragmentbundle = com.documentum.web.formext.common.FragmentBundleService$Bundle@3103074e
15:08:07,756 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set default-fragmentbundle-flag = com.documentum.web.formext.common.FragmentBundleService$ValidityFlag@3dd4ab05
15:08:16,170 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [http-8080-1] Set SessionConfigContext = SESSION()APP()
15:08:16,190 DEBUG [http-8080-1] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set 1391350088883clientStore = [TestPreferenceRestorer=com.documentum.web.failover.TransientObjectWrapper@2eec0962, __dmwtWebtopContext=com.documentum.webtop.app.AppSessionContext@3e55a58f, TestCaseDriver=com.documentum.web.failover.TransientObjectWrapper@246d12a9]
15:08:22,051 DEBUG [http-8080-4] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set 1391350101918clientStore = []
15:08:22,294 DEBUG [http-8080-4] com.documentum.web.common.Trace - SessionState: [http-8080-4] Set SessionConfigContext = SESSION()APP()
15:08:22,715 DEBUG [http-8080-4] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set __dmfTimeZone = sun.util.calendar.ZoneInfo[id="Europe/Prague",offset=3600000,dstSavings=3600000,useDaylight=true,transitions=141,lastRule=java.util.SimpleTimeZone[id=Europe/Prague,offset=3600000,dstSavings=3600000,useDaylight=true,startYear=0,startMode=2,startMonth=2,startDay=-1,startDayOfWeek=1,startTime=3600000,startTimeMode=2,endMode=2,endMonth=9,endDay=-1,endDayOfWeek=1,endTime=3600000,endTimeMode=2]]
15:08:22,735 DEBUG [http-8080-4] com.documentum.web.common.Trace - set SSO enabled to false.  getChildValue returned NULL for ecs_plug_in
15:08:22,748 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Kerberos enabled :true
15:08:22,749 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Browser Supported :true
15:08:22,749 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Kerberos domain = DEVENV.CORP
15:08:22,749 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Server Name = dmsserver01.devenv.corp
15:08:22,756 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Browser Supported :true
15:08:22,772 DEBUG [http-8080-4] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set credential.service = com.documentum.web.env.CredentialService@27385846
15:08:22,794 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Browser Supported :true
15:08:22,810 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Sending negotiation header to browser
15:08:23,116 DEBUG [http-8080-4] com.documentum.web.common.Trace - Login: Start URL = null
15:08:23,116 DEBUG [http-8080-4] com.documentum.web.common.Trace - Login: Start Component = main
15:08:23,116 DEBUG [http-8080-4] com.documentum.web.common.Trace - Login: Start Component Page = null
15:08:23,116 DEBUG [http-8080-4] com.documentum.web.common.Trace - Login: Start Component Args = '[__dmfClientId=1391350101918,__dmfTzoff=-60]'
15:08:23,309 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOLogin:Login fallback = false
15:08:23,310 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOLogin:Login Component entryPage = 'start'
15:08:23,329 DEBUG [http-8080-4] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set __dmfDocbrokerClient = com.documentum.web.formext.session.SessionManagerHttpBinding$DocbrokerClientBinding@2b87514a
15:08:23,331 DEBUG [http-8080-4] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set DocbaseMapsCache = []
15:08:23,380 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Browser Supported :true
15:08:23,390 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Token type = SPNEGO
15:08:23,392 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Default docbase is null
15:08:23,396 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Browser Supported :true
15:08:23,414 DEBUG [http-8080-4] com.documentum.web.common.Trace - Login: Start URL = null
15:08:23,414 DEBUG [http-8080-4] com.documentum.web.common.Trace - Login: Start Component = main
15:08:23,414 DEBUG [http-8080-4] com.documentum.web.common.Trace - Login: Start Component Page = null
15:08:23,414 DEBUG [http-8080-4] com.documentum.web.common.Trace - Login: Start Component Args = '[__dmfClientId=1391350101918,__dmfTzoff=-60]'
15:08:23,471 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOLogin:Login fallback = false
15:08:23,471 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOLogin:Login Component entryPage = 'repo_selection'
15:08:26,218 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Browser Supported :true
15:08:26,219 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Found SPNEGO token in client session
15:08:26,219 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Token type = SPNEGO
15:08:26,219 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Obtaining service token from SPNEGO
15:08:26,245 DEBUG [http-8080-4] com.documentum.web.common.Trace - com.documentum.web.formext.session.KerberosSSOAuthenticationScheme:Accepting service token for SPN HTTP/dmsserver01.devenv.corp@DEVENV.CORP
15:08:26,264 DEBUG [http-8080-4] com.documentum.web.common.Trace - invokeMethod() failed while calling: onLogin
Unable to obtain password from user

15:08:26,266 ERROR [http-8080-4] com.documentum.web.common.Trace - invokeMethod() failed while calling: onLogin
Unable to obtain password from user

java.lang.IllegalArgumentException: Unable to obtain password from user

    at com.emc.documentum.kerberos.utility.KerberosUtility.getLoginSubject(KerberosUtility.java:170)
    at com.emc.documentum.kerberos.utility.KerberosUtility.accept(KerberosUtility.java:45)
    at com.documentum.web.formext.session.KerberosSSOAuthenticationScheme.authenticate(KerberosSSOAuthenticationScheme.java:214)
    at com.documentum.web.formext.session.AuthenticationService.authenticate(AuthenticationService.java:195)
    at com.documentum.web.formext.session.KerberosSSOLogin.authenticate(KerberosSSOLogin.java:181)
    at com.documentum.web.formext.session.KerberosSSOLogin.onLogin(KerberosSSOLogin.java:134)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.documentum.web.form.FormProcessor.invokeMethod(FormProcessor.java:1646)
    at com.documentum.web.form.FormProcessor.invokeMethod(FormProcessor.java:1500)
    at com.documentum.web.form.FormProcessor.fireActionEvent(FormProcessor.java:1305)
    at com.documentum.web.form.RecallOperation.execute(RecallOperation.java:101)
    at com.documentum.web.form.FormProcessor.processAction(FormProcessor.java:115)
    at com.documentum.web.form.FormAction.processAction(FormAction.java:107)
    at com.documentum.web.env.WDKController.doStartRequest(WDKController.java:202)
    at com.documentum.web.env.WDKController.processRequest(WDKController.java:95)
    at com.documentum.web.env.WDKController.doFilter(WDKController.java:86)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:864)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user

    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:654)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at com.emc.documentum.kerberos.utility.KerberosUtility.getLoginSubject(KerberosUtility.java:164)
    ... 30 more
javax.security.auth.login.LoginException: Unable to obtain password from user

    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:654)
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at com.emc.documentum.kerberos.utility.KerberosUtility.getLoginSubject(KerberosUtility.java:164)
    at com.emc.documentum.kerberos.utility.KerberosUtility.accept(KerberosUtility.java:45)
    at com.documentum.web.formext.session.KerberosSSOAuthenticationScheme.authenticate(KerberosSSOAuthenticationScheme.java:214)
    at com.documentum.web.formext.session.AuthenticationService.authenticate(AuthenticationService.java:195)
    at com.documentum.web.formext.session.KerberosSSOLogin.authenticate(KerberosSSOLogin.java:181)
    at com.documentum.web.formext.session.KerberosSSOLogin.onLogin(KerberosSSOLogin.java:134)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.documentum.web.form.FormProcessor.invokeMethod(FormProcessor.java:1646)
    at com.documentum.web.form.FormProcessor.invokeMethod(FormProcessor.java:1500)
    at com.documentum.web.form.FormProcessor.fireActionEvent(FormProcessor.java:1305)
    at com.documentum.web.form.RecallOperation.execute(RecallOperation.java:101)
    at com.documentum.web.form.FormProcessor.processAction(FormProcessor.java:115)
    at com.documentum.web.form.FormAction.processAction(FormAction.java:107)
    at com.documentum.web.env.WDKController.doStartRequest(WDKController.java:202)
    at com.documentum.web.env.WDKController.processRequest(WDKController.java:95)
    at com.documentum.web.env.WDKController.doFilter(WDKController.java:86)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
    at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:864)
    at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579)
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
    at java.lang.Thread.run(Thread.java:619)

15:08:26,315 DEBUG [http-8080-4] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set __dmfLastError = java.lang.IllegalArgumentException: Unable to obtain password from user

15:08:26,524 DEBUG [http-8080-4] com.documentum.web.common.Trace - SessionState: [906D889631A494289264D8C078100BA8] Set __dmfLastError = java.lang.IllegalArgumentException: Unable to obtain password from user

15:38:40,895 DEBUG [ContainerBackgroundProcessor[StandardEngine[Catalina]]] com.documentum.web.common.Trace - [1391351920895,Thread[ContainerBackgroundProcessor[StandardEngine[Catalina]],5,main],SessionSynch@3ac58af4[lockCount=0,lockOwner=null]] valueUnbound()

The krb5.ini contains:

[libdefaults]
    default_realm = DEVENV.CORP
    forwardable = true
    ticket_lifetime = 24h
    clockskew = 72000

[realms]
    DEVENV.CORP = {
        kdc = adserver.devenv.corp
        admin_server = adserver.devenv.corp
    }

[domain_realm]
    .devenv.corp = devenv.corp

Can anybody help me with this, please?


Solution

  • Our application doesn't work with encryption key AES-256 bit. This problem was solved when we generated the keytab with encryption key AES-128 bit.
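
Added example, not part of the original post or answer: a keytab reader in Python that lists the principal, key version and encryption type of each entry, so you can confirm whether a keytab generated with ktpass holds an AES-256 or AES-128 key before deploying it. The sample keytabs are constructed with all-zero dummy keys, and the 128-bit limit is an assumption (a JRE without the unlimited-strength JCE policy files); the page itself only states that AES-256 did not work.

```python
import struct

# IANA Kerberos encryption type numbers -> (name, key length in bits)
ETYPES = {17: ("aes128-cts-hmac-sha1-96", 128),
          18: ("aes256-cts-hmac-sha1-96", 256), 23: ("rc4-hmac", 128)}

def read_counted(buf, pos):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated keytab field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return principal, kvno and enctype for each entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # deleted entry ("hole"): skip it
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, p = read_counted(data, p)
            comps.append(comp.decode())
        _ntype, _time, kvno, etype, keylen = struct.unpack_from(">IIBHH", data, p)
        p += 13 + keylen               # step over the key bytes unread
        if end - p >= 4:               # optional 32-bit kvno, used if non-zero
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        name, bits = ETYPES.get(etype, ("etype-%d" % etype, None))
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "etype": etype, "name": name, "bits": bits})
        pos = end
    return entries

def entries_over_limit(entries, max_key_bits):
    """Entries whose key is longer than the acceptor's crypto stack allows."""
    return [e for e in entries if e["bits"] and e["bits"] > max_key_bits]

def build_entry(principal, etype, key, kvno=3):
    """Serialise one entry; used only to construct the sample data below."""
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed samples: SPN from the post, all-zero dummy keys, one deleted slot.
SPN = "HTTP/dmsserver01.devenv.corp@DEVENV.CORP"
SAMPLE_AES256 = b"\x05\x02" + build_entry(SPN, 18, bytes(32))
SAMPLE_AES128 = b"\x05\x02" + struct.pack(">i", -4) + bytes(4) + build_entry(SPN, 17, bytes(16))

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_AES256) + parse_keytab(SAMPLE_AES128):
        print(e["principal"], e["name"], e["bits"] > 128)  # 128: assumed JRE limit
```

To check a real keytab, pass the file's bytes to parse_keytab; the parser never prints or returns key material, only metadata.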