Liberty - CWWKS4310W: The client delegated GSSCredentials were expected to be received but were not found for user
I have configured SPNEGO on Open Liberty, but when I perform a SPNEGO login for user1 I recieve the following console message:
[WARNING ] CWWKS4310W: The client delegated GSSCredentials were expected to be received but were not found for user: user1@EXAMPLE.COM
My Liberty server.xml SPNEGO configuration:
<spnego
servicePrincipalNames="HTTP/liberty1.example.com"
krb5Config="C:/krb5.ini"
krb5Keytab="C:/krb5.keytab"
authFilterRef="myAuthFilter"
I was not expecting to see the warning message. I expected to see the GSS credential for user1 in the subject. For Example:
Private Credential: [GSSCredential: user1@EXAMPLE.COM 1.2.840.113554.1.2.2 Initiate
What am I missing?
The client GSSCredentials for user1 were not being sent because the SPN account for the Liberty server was not allowed to delegate the credentials.
if using Active Directory, this can be fixed with the setting below:
On the account for HTTP/liberty1.example.com, set "Trust this user for delegation to any service (Kerberos only)"
Alternatively, if you want constrained-delegation you can select the specific service SPN that delegation is allowed for.
- Mutual TLS connection from OpenLiberty with custom keystore
- How can I test the @Retry and @Fallback annotations in OpenLiberty?
- IBM Worklight - Can't run an app on WebSphere Application Server
- EJB Persistent Timer cancel
- IllegalStateException: Failed to introspect Class
- Websphere Application Server JVM Logs
- Why is hostname verification done even though verifyHostname is false?
- How to Resolve installFeature Errors with Various Gradle and Liberty 24?
- Configure Liberty to expose User Registry over JNDI
- Beta: WebSphere Liberty and tools (September 2016)
- WebSphere Liberty integration with Redis for HTTP Session Persistence
- Put JMS message properties in IBM MQ queue and access from other JMS client which run on Websphere liberty
- Classloader problem with JAXB internal implementation interface com.sun.xml.bind.namespacePrefixMapper
- WebSphere Liberty Profile: Context Root Not Found
- What is equivalent annotation in WebSphere Liberty for Jboss EJb3 annotation @SecurityDomain("") and WebSphere annotation @Webcontext
- FFDC Incident related to osgi cache in Websphere Liberty Core
- I get the `DSRA9122E: com.ibm.ws.rsadapter.jdbc.WSJdbcConnection@d3t7e556 does not wrap any objects of type oracle.jdbc.OracleConnection
- How do I view the merged Liberty server configuration after includes and configDropins are combined with the original server.xml?
- Liberty - CWWKS4310W: The client delegated GSSCredentials were expected to be received but were not found for user
- Open Liberty - Context Root Not Found error, ClassCastException, CWWKZ0013E
- ClassCastException using EclipseLink DescriptorCustomizer API in Liberty
- Can you encrypt regular variables in IBM/Open Liberty using securityUtility?
- OpenLiberty custom feature dataSource
- In Websphere Liberty (>= version 19) is there a way to configure the classloader for each module of an ear-file separately?
- NullpointerException while injecting by using @EJB
- Liberty Batch function not using database persistence for job repository
- How can I use same, single class loader for every WAR application packaged in my EAR application?
- Getting "Failed to notify project evaluation listener" using Liberty Gradle plugin
- How can I set the context root in Liberty using server configuration (server.xml) for my EAR-packaged WARs?
- Why isn't IBM Liberty Developer Tools or WebSphere Developer Tools (WDT) for Eclipse automatically creating a server to run my Maven project?