Symantec Access Management

  • 1.  CA SSO Kerberos Linux PS, Linux SPS and Windows KDC

    Posted May 22, 2017 11:47 AM

    Hi,

     

    Has anyone got this set up working?

     

    Linux Policy Server

    Linux SPS server

    Windows KDC - Active Directory

     

    I've been struggling with this for a month or so. Every time, I end up at this error which I'm not able to get past. Has anyone got this working? Would you mind sharing your krb5.conf files?

     

    This is the error I'm always stuck at

     

    [05/22/2017][11:45:16][24943][140591385626368][fd35cb66-636a9db9-d4cd243b-9b03fb87-576c8e4c-a0c][SmKcc::getCredentials][Failed to validate remote GSSAPI token: Minor Status=0, Major Status=65536, Message=Unknown code 0]

     

    I've run through the usual suspects.

     

    DNS resolution forward and reverse is good from all servers.

    I've verified the HTTP and SMPS service principal with CA support.

     

    Regards,

    Anand.



  • 2.  Re: CA SSO Kerberos Linux PS, Linux SPS and Windows KDC
    Best Answer

    Posted Jun 04, 2017 07:25 PM

    How to setup SiteMinder Kerberos Authentication - Part 1 

     

    Have you followed the steps from the above article?

    The above article is for the Windows platform, but it also applies to the Linux environment.

    The best way to troubleshoot is to capture the network traffic from the WebAgent (SPS) machine and review it.

    Also, we would need to look at the krb5.conf files when looking at the network packets.



  • 3.  Re: CA SSO Kerberos Linux PS, Linux SPS and Windows KDC

    Posted Jun 07, 2017 02:18 AM


  • 4.  Re: CA SSO Kerberos Linux PS, Linux SPS and Windows KDC

    Posted Jun 26, 2017 08:31 AM

    Okay, I got this working. But I don't understand the message flow.

    Is there any documentation anywhere that shows what happens in the Kerberos auth scheme?

    I know about service delegation and that's essentially what happens, but I'm not clear on what the web server does and what the policy server does. If anyone has any insight on that, that'll be phenomenal.



  • 5.  Re: CA SSO Kerberos Linux PS, Linux SPS and Windows KDC

    Posted Mar 27, 2018 12:03 PM

    Hello Anand,

     

    I have a similar issue trying to figure out how to get rid of this error. If you can share your knowledge that would be very helpful.

     

    Thanks

    Raj
    #anand3g #sunghoonkim



  • 6.  Re: CA SSO Kerberos Linux PS, Linux SPS and Windows KDC

    Posted Jun 26, 2017 09:01 AM

    I guess you are looking for this.

    The sequence of Kerberos Authentication. 



  • 7.  Re: CA SSO Kerberos Linux PS, Linux SPS and Windows KDC

    Posted Jun 26, 2017 09:04 AM

    Perfect. Thank you!

     

    I wonder why CA Support wasn't able to find me this KB Article!



  • 8.  Re: CA SSO Kerberos Linux PS, Linux SPS and Windows KDC

    Posted Jun 26, 2017 09:43 AM

    It is because I approved publication of this article just a few days ago.



  • 9.  Re: CA SSO Kerberos Linux PS, Linux SPS and Windows KDC

    Posted Jan 22, 2019 08:07 AM

    Hi Sung/Anand,

     

    anand3g SungHoon_Kim

    Could you please help me with this issue? I have exactly the same error.

    I have followed exactly as in the documents shared here.

    However, I made a few changes, like:

    instead of HTTP/server03.domain.com, I have HTTP/server03, and for smps/server02.domain.com, I have smps/server02 with the domain. Below is the screenshot.

    And below is the error message I see in the CA Access Gateway logs:

     

     [01/22/2019][13:57:31][1130][139990733899520][be984003-5fff8f53-70f26e82-c252c005-8e4e4ec2-605][SmKcc::getCredentials][token length before validating is 56][][vm-ppweb-10.*****.***:61266-kerberos][Kerberos Protect test page][][GET][/krb/kerbtest.html]
    [01/22/2019][13:57:31][1130][139990733899520][be984003-5fff8f53-70f26e82-c252c005-8e4e4ec2-605][SmKcc::getCredentials][Failed to validate remote GSSAPI token: Minor Status=0, Major Status=65536, Message=Unknown code 0][][vm-ppweb-10.*****.***:61266-kerberos][Kerberos Protect test page][][GET][/krb/kerbtest.html]

     

    Will this cause this issue?
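
Added example, not part of any post above and not CA/Symantec code: it decodes the `Major Status` value from the SmKcc log lines quoted in this thread using the bit layout defined in RFC 2744, and names the mechanism carried by an `Authorization: Negotiate` value taken from the kind of network capture the best answer recommends. It assumes the logged number is the raw GSS-API major status; all function and constant names are hypothetical.

```python
import base64
import re

# RFC 2744 major status: bits 24-31 calling, 16-23 routine, 0-15 supplementary.
CALLING = dict(enumerate(
    "CALL_INACCESSIBLE_READ CALL_INACCESSIBLE_WRITE CALL_BAD_STRUCTURE".split(), 1))
ROUTINE = dict(enumerate((
    "BAD_MECH BAD_NAME BAD_NAMETYPE BAD_BINDINGS BAD_STATUS BAD_SIG NO_CRED "
    "NO_CONTEXT DEFECTIVE_TOKEN DEFECTIVE_CREDENTIAL CREDENTIALS_EXPIRED "
    "CONTEXT_EXPIRED FAILURE BAD_QOP UNAUTHORIZED UNAVAILABLE "
    "DUPLICATE_ELEMENT NAME_NOT_MN").split(), 1))
SUPPLEMENTARY = "CONTINUE_NEEDED DUPLICATE_TOKEN OLD_TOKEN UNSEQ_TOKEN GAP_TOKEN".split()
STATUS_RE = re.compile(r"Minor Status=(\d+), Major Status=(\d+)")
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # DER of 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER of 1.2.840.113554.1.2.2
# Tail of the log line quoted in the thread (leading bracketed fields trimmed).
SAMPLE_LINE = ("[SmKcc::getCredentials][Failed to validate remote GSSAPI token: "
               "Minor Status=0, Major Status=65536, Message=Unknown code 0]")


def decode_major(major):
    """Name the calling error, routine error and supplementary flags in a status."""
    calling, routine = (major >> 24) & 0xFF, (major >> 16) & 0xFF
    names = []
    if calling:
        names.append("GSS_S_" + CALLING.get(calling, f"CALLING_{calling}"))
    if routine:
        names.append("GSS_S_" + ROUTINE.get(routine, f"ROUTINE_{routine}"))
    names += ["GSS_S_" + n for bit, n in enumerate(SUPPLEMENTARY) if major >> bit & 1]
    return names or ["GSS_S_COMPLETE"]


def decode_log_line(line):
    """Return (minor status, major status names) from a log line, or None."""
    m = STATUS_RE.search(line)
    return (int(m.group(1)), decode_major(int(m.group(2)))) if m else None


def classify_negotiate(header_value):
    """Name the mechanism in an 'Authorization' value of form 'Negotiate <base64>'."""
    raw = base64.b64decode(header_value.split(None, 1)[1])
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"
    if raw[:1] == b"\x60" and SPNEGO_OID in raw[:16]:
        return "SPNEGO with Kerberos" if KRB5_OID in raw else "SPNEGO without Kerberos"
    return "unknown"


if __name__ == "__main__":
    print(decode_log_line(SAMPLE_LINE))  # (0, ['GSS_S_BAD_MECH'])
```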