Symantec Access Management

  • Private Community

  • 1.  Siteminder Kerberos Linux PS, Linux SPS & Windows KDC

    Posted Mar 27, 2018 05:38 PM

    Siteminder - 12.7 SP1
    OS - Linux (PS & SPS)
    AD - KDC - Windows 2012

     

     

    Error - Failed to validate remote GSSAPI token.

    I am trying to resolve Kerberos, I see the above error message  in SPSTrace couldn't find a way to resolve the issue. I see similar posts in the community but there is not much info how it is been resolved. 

     

    Commands run successfully -
    klist, kinit,

    klist -k -t -K -e /etc/krb5/krbsmps.keytab
    kinit -V -k -t /etc/krb5/krbsmps.keytab smps/servername.cs.company.com@RealmName

     

     

    SPSTrace

    [03/27/2018][13:08:03][1721][140712551311104][SmKCC.cpp:124][SmKcc::getCredentials][ee219184-9f89714b-a0c49990-ff8f7add-e3924685-98b][*172.20.155.163][][*****][/rpi_11/logon.do?logon=true&uid=Z900006&sessionid=UNAVAILABLE&sessionspec=UNAVAILABLE][][token length before validating is 56]
    [03/27/2018][13:08:03][1721][140712551311104][SmKCC.cpp:139][SmKcc::getCredentials][ee219184-9f89714b-a0c49990-ff8f7add-e3924685-98b][*172.20.155.163][][******][/rpi_11/logon.do?logon=true&uid=Z900006&sessionid=UNAVAILABLE&sessionspec=UNAVAILABLE][][Failed to validate remote GSSAPI token: Minor Status=0, Major Status=65536, Message=Unknown code 0]
    [03/27/2018][13:08:03][1721][140712551311104][CSmCredentialManager.cpp:242][CSmCredentialManager::GatherAdvancedAuthCredentials][ee219184-9f89714b-a0c49990-ff8f7add-e3924685-98b][*172.20.155.163][][*******[/rpi_11/logon.do?logon=true&uid=Z900006&sessionid=UNAVAILABLE&sessionspec=UNAVAILABLE][][SM_WAF_HTTP_PLUGIN->ProcessAdvancedAuthCredentials returned SmExit.]
    [03/27/2018][13:08:03][1721][140712551311104][CSmHighLevelAgent.cpp:1138][ProcessAdvancedAuthentication][ee219184-9f89714b-a0c49990-ff8f7add-e3924685-98b][*172.20.155.163][][******][/rpi_11/logon.do?logon=true&uid=Z900006&sessionid=UNAVAILABLE&sessionspec=UNAVAILABLE][][CredentialManager returned SmExit, end new request.]
    [03/27/2018][13:08:03][1721][140712551311104][CSmLowLevelAgent.cpp:3722][ReportHealthData][][][][][][][Accumulating HealthMonitorCtxt.]

     

    Thanks

    Raj



  • 2.  Re: Siteminder Kerberos Linux PS, Linux SPS & Windows KDC

    Posted Mar 28, 2018 12:15 AM

    Hi SSO_RajKiran,

     

    Have you followed the steps from above article?
    Above article is for Windows Platform but it also applies to linux environment as well.

     

    How to setup SiteMinder Kerberos Authentication - Part 1 

     

    Kerberos Troubleshooting steps :

    ========================== 

    https://communities.ca.com/docs/DOC-231177811-kerberos-troubleshooting#jive_content_id_CA_Single_SignOn_Agent_Configurat… 

     

    Thanks,

    Shankar



  • 3.  Re: Siteminder Kerberos Linux PS, Linux SPS & Windows KDC

    Posted Mar 28, 2018 01:01 PM

    Hello Shankar,

     

    I also followed the Linux platform document. https://communities.ca.com/docs/DOC-231172118

    And gone through the troubleshooting steps from the above document which you have provided. Is their anything where we need to disable NTLM request and enable Kerberos. Does my statement make anything from it ?

     

    Thanks

    Raj



  • 4.  Re: Siteminder Kerberos Linux PS, Linux SPS & Windows KDC

    Broadcom Employee
    Posted Mar 28, 2018 04:37 PM

    RajKiran,  Questions:

    Have you set  HTTP principal and Sm PS principal to the account?

    Also, please check that the KVNO from the user on the KDC is the same as for the key in the KEYTAB file?

     

    We suggest you open a case with CA Spt if the above suggestions / docs don't help.

    Thanks, - Vijay



  • 5.  Re: Siteminder Kerberos Linux PS, Linux SPS & Windows KDC

    Broadcom Employee
    Posted Mar 30, 2018 02:56 PM

    Hi Raj ,

    Based on what was discussed in your Case 00974970 , your Windows machine that you are triggering the Kerberos Auth from is not added to the AD Domain Controller used for Kerberos hence why you have  a token size of

    [token length before validating is 56]


    Authorization Header is present: Negotiate 4E 54 4C 4D 53 53 50 00 01 00 00 00 97 82 08 E2 NTLMSSP.....??.â
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    06 01 B1 1D 00 00 00 0F ..±.....


    -[NTLM Type1: Negotiation]------------------------------
    Provider: NTLMSSP
    Type: 1
    OS Version: 6.1:7601
    Flags: 0xe2088297
    Unicode supported in security buffer.
    OEM strings supported in security buffer.
    Request server's authentication realm included in Type2 reply.
    Sign (integrity)
    NTLM authentication.
    Negotiate Always Sign.
    Negotiate NTLM2 Key.
    Supports 56-bit encryption.
    Supports 128-bit encryption.
    Client will provide master key in Type 3 Session Key field.
    Domain_Offset: 0; Domain_Length: 0; Domain_Length2: 0
    Host_Offset: 0; Host_Length: 0; Host_Length2: 0
    Host:
    Domain:
    ------------------------------------

    This token causing the Following error in your Agent

    [Failed to validate remote GSSAPI token: Minor Status=0, Major Status=65536, Message=Unknown code 0]


    As a Next action, please work with your Microsoft team Or use a Machine connected to the Kerberos AD Domain Controller with valid Kerberos token so you are able to test the Flow with a valid Kerberos Token

    Regards
    Joe