AnsweredAssumed Answered

AWI: received a NTLM ticket instead of a kerberos ticket

Question asked by Michael_Lowry on Dec 6, 2018

I am running the AWI in a Platform-as-a-Service (PaaS) application cloud. Recently, I pushed the AWI to the cloud again, and discovered that Kerberos-based single sign-on (SSO) stopped working. I have compared working and non-working apps to try to find out where the problem is originating.

 

There is a message in both logs:

Requesting Authentication from client.

After this message, the working app shows this message:

received a kerberos token that appears to be valid

The not-working app shows this message instead:

received a NTLM ticket instead of a kerberos ticket. This can happen if the client is not in the same domain. Disable SSO for current user and downgrade to ECC authentication.

 

I enabled kerberos debugging by adding the following to JAVA_OPTS: '-Dsun.security.krb5.debug=true'. I can see in the log that the krb5 debug option is enabled, but I was not able to see any additional Kerberos debugging messages in the log.

 

I think something might have changed in the buildpack I'm using to push the app (java_buildpack), but I'm not sure what. Any ideas?

Outcomes