```text
U00045013 The SPN 'UC4_EXP/uc4-a.mycompany.com' will be used by this JWP.
```

Thanks to message U00045013, we can see what SPN the JWP will be using. With the benefit of this knowledge, I realized that the server would actually need only two SPNs. We now have just the SPNs we need:

```text
C:\>setspn -L UC41
Registered ServicePrincipalNames for CN=UC4 ,OU=SPC,OU=SpecialUser,DC=corp,DC=mycompany,DC=com:
UC4_EXP/uc4-a.mycompany.com
UC4_EXP/uc4-b.mycompany.com
```

Our AE server keytab also now contains keys for just these two SPNs:

```text
($:/usr/local/ae/server) klist -ek UC4_EXP_FQDN.keytab
Keytab name: FILE:UC4_EXP_FQDN.keytab
KVNO Principal
---- --------------------------------------------------------------------------
47 UC4_EXP/uc4-a.mycompany.com@CORP.MYCOMPANY.COM (DES cbc mode with CRC-32)
...
48 UC4_EXP/uc4-b.mycompany.com@CORP.MYCOMPANY.COM (DES cbc mode with RSA-MD5)
...
```

Note also that the SPNs have a realm based on the fully-qualified Active Directory domain name CORP.MYCOMPANY.COM. We found that it did not work if we created the SPNs with a realm based on just the short form of the AD domain, CORP.
`$JAVA_HOME/lib/security`. This must be done for both the JRE running the JWP, and the JRE running the UC4 GUI. The single sign-on documentation did not make this clear before, but it has since been updated.

`lib` directory. The JWP installation documentation describes this pretty well.

```text
java -Xmx512M -Dsun.security.krb5.debug=true -jar ucsrvjp.jar ...
```
I have found that in AE systems running on multiple nodes, the JWP does not reliably select its SPN based on the hostname of the node where it is running.

I have discovered that the SPN used by the JWP to identify itself to the KDC is based on the CP to which the User Interface connected. If the Automation Engine runs on more than one node, this can result in the following situation:
Because it is not possible to predict to which CP the GUI will connect, the keytab on both hosts must contain keys for both SPNs. In other words, it is not possible to use a unique keytab for each node/host, with the keytab containing only the key for that particular host’s SPN.

> Service Principal Names (SPN) must then be created with the following description:
>
> `<AE System Name>/<CP Host Name>[@<Realm>]`
> `<AE System Name>/<Fully qualified Domain Name of the CP Host>[@<Realm>]`
>
> Automic recommends creating SPNs for each CP host (one SPN with the host name and one with the fully qualified domain name).
>
> The SPNs must be assigned to the previously created KDC service user.

This suggests that defining the service principals independently of the service user, as would be standard in non-AD environments, may not work.
Brandon McClure said:

> I am on 11.2 and I cannot get SSON to work at all even running as admin.
> I am not getting the U00045013 message, did you need to turn something on to get this?
> I am currently running on 1 server with all my CPs, WPs, and JWP on that, I see it loading the KeyTab, but always “U00003210 Logon error: Access denied”.
> I'm not sure where else to look, any suggestions?

Yeah, start the JWP from the command line, with Kerberos debugging enabled. E.g.,

```text
java -Xmx512M -Dsun.security.krb5.debug=true -jar ucsrvjp.jar ...
```
[T]he KDC does not find the SPNs that have been defined on the service user, unless the userPrincipalName is also set to the SPN being used to authenticate. Obviously, this is not a solution because there are four potential SPNs that the JWP could use, but the user can have only one UPN defined.

AE node host name | Service user | UPN | SPN |
---|---|---|---|
uc4a.mycompany.com | uc4a | UC4/uc4a.mycompany.com@MYREALM | UC4/uc4a.mycompany.com@MYREALM |
uc4b.mycompany.com | uc4b | UC4/uc4b.mycompany.com@MYREALM | UC4/uc4b.mycompany.com@MYREALM |
This morning I received an email via a colleague from an AE admin at another company. He was asking for help getting SSO working with the Automation Engine. I wrote up a summary of recommendations and findings based on my experience with this topic. I thought it might be worthwhile to post this summary here.
`$JAVA_HOME/lib/security`. This must be done for both the JRE running the JWP, and the JRE running the UC4 GUI. The single sign-on documentation did not make this clear before, but it has since been updated.

`jdbc:oracle:thin:@ldap://oraclenameserver…` do not work with the JWP. We had to stick with a basic connection string like `jdbc:oracle:thin:@oracleserver...`

```text
java ... -Dsun.security.krb5.debug=true -jar ucsrvjp.jar ...
```
The Automic SSO documentation claims that SSO will work in AE systems running on more than one node. However, I was never able to figure out how to make it work reliably. Firstly, the Automic documentation fails to mention something very important:
1. A separate service user must be defined for each node on which the Automation Engine runs.
A service user (or technical user) must be created to run the JWP. The JWP, running as this user, connects to the KDC to authenticate. The KDC will not be able to find an SPN defined on the service user, unless the userPrincipalName of the currently logged-in user is also set to the SPN being used to authenticate.
Andreas at Automic Development confirmed that it won’t work to use the same service user on both nodes, because the UPN must match the SPN. This means that if you run the AE on two nodes, then you must create two separate users. Each service user must be associated with just one AE node. The userPrincipalName attribute of each user must be set to the same thing as the servicePrincipalName. For example:
AE node host name | Service user | UPN | SPN |
---|---|---|---|
uc4a.mycompany.com | uc4a | UC4/uc4a.mycompany.com@MYREALM | UC4/uc4a.mycompany.com@MYREALM |
uc4b.mycompany.com | uc4b | UC4/uc4b.mycompany.com@MYREALM | UC4/uc4b.mycompany.com@MYREALM |
We opened problem ticket PRB00119215 with Automic about this omission from the documentation. They have promised to update the documentation to make it clear that a separate service/technical user must be defined for each AE node.
2. Even with a separate service user defined on each node, SSO may not work reliably in multi-node AE systems
The reason, I believe, is that the JWP does not select the SPN it uses to authenticate with the KDC based on the hostname of the node where the JWP is running, but instead based on the node where the CP to which the UI connected is running.
I’ll explain this in a bit more detail. When the User Interface connects to the AE, it connects to a communications process (CP). Which CP the UI connects to is somewhat unpredictable. (It depends on the order of addresses in the CP list in the uc4config.xml file.) During single sign-on, the process works like this:

1. User Interface connects to CP
2. CP connects to JWP
3. JWP authenticates with KDC

If all CPs and WPs are running on the same node, it’s simple and will work fine every time.

If, however, the Automation Engine processes are running on multiple nodes, as depicted in the figure to the left, then about half of the time, the CP will connect to a JWP running on a different node. E.g.:

1. User Interface connects to CP on uc4a
2. CP on uc4a connects to JWP on uc4b
3. JWP on uc4b tries to authenticate with KDC using an SPN like UC4/uc4a.mycompany.com@MYREALM
I suspect that because of the above problem, SSO will not work reliably in systems with more than one AE node, even if a unique service user is defined for each AE node.
Automic is investigating this in PRB00111313.

I will update this discussion thread as soon as I have news from Automic. One possible way of fixing this problem would be to force the CP to connect to a JWP running on the same node. (This would mean that at least one JWP would have to be running on any node running a CP.)
The summary above did help me a lot with installing Kerberos for AE 11.2. Especially the hint to start the JWP from the command line, with Kerberos debugging enabled, was very helpful.
There is one issue left:
Although AllowTGTSessionKey in Windows is enabled, I have to start the UI as an administrative user.
Anybody with any ideas?
This discussion starts with the question 'Has anyone been able to get single sign-on to work in v11.1?'
Has anyone?
I keep on getting: U00045043 The User Interface did not send a kerberos ticket, therefore a validation is not possible.
Our productive AE 11.1 is running on Solaris (SPARC) and the JWP uses SPN UC4/uc4b@MYREALM (without .mycompany.com as it wasn't working with it).
I guess that the UI did send a Kerberos ticket. But the JWP wasn't happy with it.
'U00045043 The User Interface did not send a kerberos ticket, therefore a validation is not possible.' was caused by the fact that the UI didn't find a corresponding SPN (there was no one with the domain in the name; see above).
After defining both SPNs (as recommended in the documentation) I face another problem this time from the JWP: 'Client not found in Kerberos database (6)' caused by 'Identifier doesn't match expected value (906)'.
This means that the JWP doesn't find the corresponding UPN any longer. But why?
```text
dns_canonicalize_hostname = true
rdns = false
```

With these options, the SPNs and keys need only the long form of the host name (the one with the fully-qualified domain name).
In a conference call with Automic Support & Development today, I learned some important requirements that are not clearly and explicitly stated in the AWA v12 Setting up single sign-on documentation page:
- The Automation Engine system UC4_MAIN runs on two nodes, mars and venus.
- The AWI server for this system runs on two nodes, oak and elm.
- The company DNS domain name is example.com
- The company Kerberos realm name is CORP.EXAMPLE.COM
In this environment, you would create four service users:
Node | User | UPN | SPN |
---|---|---|---|
mars | user1 | UC4_MAIN/mars.example.com@CORP.EXAMPLE.COM | UC4_MAIN/mars.example.com |
venus | user2 | UC4_MAIN/venus.example.com@CORP.EXAMPLE.COM | UC4_MAIN/venus.example.com |
oak | user3 | HTTP/oak.example.com@CORP.EXAMPLE.COM | HTTP/oak.example.com |
elm | user4 | HTTP/elm.example.com@CORP.EXAMPLE.COM | HTTP/elm.example.com |
The Automation Engine (or at least the CPs) must then run as user1 on mars, and as user2 on venus. The keytab must contain four keys: one for each service user.
I am in the process of reconfiguring the service users and keytab to conform to these requirements. I will post an update when I have confirmed that it works correctly.
Update 2016.11.22 18.26 CET: Following these guidelines, I was able to get SSO working in the Java User Interface. I am still trying to figure out how to get SSO working reliably in the AWI.
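As an added check that is not from the thread or from Automic: the Python script below builds the set of realm-qualified principals that the four-user layout above requires (one `<system>/<fqdn>` per AE node, one `HTTP/<fqdn>` per AWI node, realm in FQDN form) and verifies a `klist -ek` listing against it, flagging any key that still uses a DES enctype like the ones in the keytab listing earlier in this thread. The `klist` sample is constructed; the hostnames and realm are the example ones from the post.

```python
import re

# Constructed sample of `klist -ek` output in the format shown earlier in
# this thread; it covers only two of the four hosts and one key is still DES.
SAMPLE_KLIST = """Keytab name: FILE:UC4_MAIN.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  47 UC4_MAIN/mars.example.com@CORP.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
  47 UC4_MAIN/mars.example.com@CORP.EXAMPLE.COM (DES cbc mode with CRC-32)
  48 HTTP/oak.example.com@CORP.EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Enctype names that should not survive in a keytab: DES (as in the thread's
# listing) and RC4 are disabled by default in current Kerberos implementations.
WEAK_ENCTYPES = ("des", "arcfour", "rc4")

def required_principals(system, ae_nodes, awi_nodes, dns_domain, realm):
    """Realm-qualified SPNs for the layout above: <system>/<fqdn> per AE node
    and HTTP/<fqdn> per AWI node. The realm is the FQDN form of the AD domain,
    since the thread reports that the short form (CORP) did not work."""
    spns = [f"{system}/{node}.{dns_domain}" for node in ae_nodes]
    spns += [f"HTTP/{node}.{dns_domain}" for node in awi_nodes]
    return {f"{spn}@{realm}" for spn in spns}

def parse_klist(text):
    """Return (kvno, principal, enctype) for each key line of `klist -ek`;
    the header, separator and 'Keytab name' lines do not match."""
    pattern = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$", re.M)
    return [(int(k), p, e) for k, p, e in pattern.findall(text)]

def check_keytab(text, required):
    """Report principals with no key at all and principals keyed with a weak
    enctype; both lists are sorted so the result is stable."""
    entries = parse_klist(text)
    present = {principal for _, principal, _ in entries}
    weak = {principal for _, principal, enctype in entries
            if any(w in enctype.lower() for w in WEAK_ENCTYPES)}
    return {"missing": sorted(required - present), "weak_enctype": sorted(weak)}

if __name__ == "__main__":
    need = required_principals("UC4_MAIN", ["mars", "venus"], ["oak", "elm"],
                               "example.com", "CORP.EXAMPLE.COM")
    print(check_keytab(SAMPLE_KLIST, need))
```

Run it against the real output of `klist -ek <keytab>` to see at a glance which of the four keys are absent before starting the JWP.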
Hi Michael
I have created a PowerPoint that explains our implementation of Kerberos for the UI and AWI/ECC that might help you with your implementation. I did talk about this matter at the ERFA Meeting in Bendern (Liechtenstein) last month. As the PowerPoint is in German I can't post it here. However, it must be available in your firm.
We don't run the AE (any process) with any of the KDC Service Users. We run the AE the way we always did it before Kerberos. We had to change UC_SYSTEM_SETTINGS, UC_KDC_SETTINGS and UC_USER_LOGON only. Another Change was made for the UI in ucdj.ini: -D[client] instead of -C[client]
I can read German. Feel free to post it to the German forum, or to send it directly to me.

As I understand it, in your environment, the service users on which the SPNs are defined are completely different from the users running the Automation Engine. Is this correct? In my experience, this is okay for the service users associated with the AWI, but not for the ones for the Java User Interface. Do you have SSO working in just the AWI, or also the JUI?
Hi Michael
You asked:

> As I understand it, in your environment, the service users on which the SPNs are defined are completely different from the users running the Automation Engine. Is this correct?
>
> Do you have SSO working in just the AWI, or also the JUI?
Yes, service users and users running the AE are completely different. AWI and JUI are both working with SSO.
René Stocker
Thanks Michael for posting this. The discussion was helpful in understanding more. I have followed the SSO documentation along with suggestions from the discussion and did the following. I'm trying to enable SSO only at the AWI level. We have the AE Server running on Linux and AWI running on Windows.
--Installation steps for Automation Engine and AWI

Step 1 = set Windows Registry variable: `"allowtgtsessionkey"=dword:00000001`
Step 2 = Install JCE. Installed this on all jre/lib/security locations on both AE and AWI servers.
Step 3 = create krb5.conf, place it in jre/lib/security locations on the AWI server.
Step 4 = in UC_SYSTEM_SETTINGS, set KDC = Y

--Installation steps for the JWP

Step 1 = Requested keytab file using the below command on the AD server:

```text
ktpass -princ HTTP/AWI_SERVER_NAME@FQDN -mapuser domain\serverUserId -pass ****** -crypto all -ptype KRB5_NT_PRINCIPAL -out c:\ktfile.keytab
```

Step 2 = create the key KEYTAB in UC_KDC_SETTINGS:

```text
KEYTAB = C:\Automic\SSO\ktfile.keytab
HTTP = HTTP/AWI_SERVER_NAME@FQDN
```

NOTE: JWP was started using the following command.

```text
nohup java -Xmx512M -jar /u1/software/automic/server/bin/ucsrvjp.jar &
```

--Enabling single sign-on in AWI

Step 1 = Add sso.enabled=true in the C:\Automic\AWI\Tomcat\webapps\awi\config\config.properties file.
The Kerberos enabled option appears but, it keeps loading forever and does not come up with the next option. It currently says "Kerberos login not available".
?= do we have to Place the keytab file on the AWI Server or AE Server? I have placed it on the AWI Server and pointed this location on the AWI GUI.
?= how do we enable kerberos logging? I did not find any logs containing kerberos logs. will this be on the AE Server or AWI server?
Thank you in advance!!
rK
Hi,
I'm having similar troubles..
Setup is two AE-nodes, .. One 'Primary Node', One Standby...
On each node a AWI is implemented..
Keytab, JCE, SPN's as indicated...
SSO works fine when calling the first node... (User+PWD also ok)
Access Denied when using the second node...Both SSO and User+PWD fail. (Department mapping to domain..)
The only thing is... 'Have A JWP Running on both nodes...' -> On the Primary Node this is working as designed.
On the 'Standby Node', the JWP switches to NWP ?
Could that cause SSO to fail on the second node ?
Any thought welcome...
Lieven
1. There appears to be no way to use a department in UC4 that differs from the fully qualified domain used for authentication. We have always used the short form of our AD domain name as the department, and this has never posed a problem until now. The DOMAIN_ALIAS server setting does not appear to work as documented. The only way around this problem that we have found is to change the user object so that the part after the slash (/) — that is, the department — is the fully-qualified domain name.
2. “U0003127 Logon error: Access denied” error when turning on the integrated authentication check box in the login window if the GUI was started as a non-administrative user. The only work-around is to start the GUI as a member of the local Administrators group.
3. “U00003210 Logon error: Access denied” error if the GUI is started as an administrative user, integrated authentication is enabled, and OK is clicked to log in. The GUI fetches a TGT from the AD server, and then prints this to the console:
Then a bunch of hexadecimal data appears in the console, and the error message appears in the GUI.
We would be grateful if anyone could provide work-arounds or suggestions for troubleshooting.