GSSException for Kerberos on OpenAM 13.5, Ubuntu 16.04


This topic has 4 replies, 2 voices, and was last updated 5 years, 1 month ago by Peter Major.

  • #16758
     Gertjan_Al
    Participant

    Hi everyone,

    We currently want to upgrade from OpenAM 11 to OpenAM 13.5.
    In our current production cluster Kerberos authentication on OpenAM 11 works,
    but I’m unable to configure the same Kerberos authn on OpenAM 13.

    The debug log shows:

    
    amAuthWindowsDesktopSSO:04/03/2017 12:51:28:384 PM CEST: Thread[http-nio-127.0.0.1-8443-exec-2,5,main]: TransactionId[009ce092-e6f7-47c6-8a3d-ca36b73cc531-3020]
    ERROR: kerberos token is not valid.
    amAuthWindowsDesktopSSO:04/06/2017 01:07:09:752 PM CEST: Thread[http-nio-127.0.0.1-8443-exec-6,5,main]: TransactionId[009ce092-e6f7-47c6-8a3d-ca36b73cc531-3190]
    ERROR: Authentication failed with PrivilegedActionException wrapped GSSException. Stack Trace
    GSSException: Unsupported mechanism requested: 1.3.6.1.5.2.5
    	at sun.security.jgss.ProviderList.getMechFactory(ProviderList.java:204)
    	at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:234)
    	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:320)
    	at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    	at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO$1.run(WindowsDesktopSSO.java:265)
    	at java.security.AccessController.doPrivileged(Native Method)
    	at javax.security.auth.Subject.doAs(Subject.java:422)
    	at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.authenticateToken(WindowsDesktopSSO.java:257)
    	at com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO.process(WindowsDesktopSSO.java:192)
    	at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1056)
    	at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1224)
    

    It says both “kerberos token is not valid” and “Unsupported mechanism requested: 1.3.6.1.5.2.5”. As the Kerberos authn works on OpenAM 11, I doubt that my token is invalid…

    The only difference I can think of is in the machines:
    Old:
    Ubuntu 14.04.3 LTS
    Java(TM) SE Runtime Environment (build 1.7.0_67-b01)
    Tomcat 7
    libgssapi-krb5-2: 1.12+dfsg-2ubuntu5.2

    New:
    Ubuntu 16.04.2 LTS
    Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
    Tomcat 8
    libgssapi-krb5-2: 1.13.2+dfsg-5ubuntu2

    Does anyone have Kerberos working on OpenAM 13.5 and if so, what is your server configuration?

    • This topic was modified 5 years, 1 month ago by Gertjan_Al.
    #16817
     Peter Major
    Moderator

    Since the WindowsDesktopSSO authentication module relies on the JDK’s Kerberos implementation, you may want to test your 13.5 instance by running it with the same JDK7 version first.

    #16892
     Gertjan_Al
    Participant

    Thanks for your response, but we still get the same Exception with the “unsupported mechanism”. Any other hints we might want to check?

    #16894
     Gertjan_Al
    Participant

    We noticed that the message
    “ERROR: kerberos token is not valid.” is shown when using NTLM (via Windows), but “GSSException: Unsupported mechanism requested: 1.3.6.1.5.2.5” is only shown when using Kerberos via Linux.

    #16897
     Peter Major
    Moderator

    The WindowsDesktopSSO authentication module only supports Kerberos; it does not support NTLM. You should focus on the Kerberos-related error.
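
Added example (not part of the thread and not OpenAM code): a small decoder that lists the GSS-API mechanism OIDs carried in an `Authorization: Negotiate` header, to check what a client actually offers. The OID in the stack trace, 1.3.6.1.5.2.5, is the one assigned to IAKERB, while plain Kerberos V5 is 1.2.840.113554.1.2.2. The function names and both sample tokens are constructed for illustration.

```python
import base64

# Mechanism OIDs that can appear in an "Authorization: Negotiate" token.
MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.5.2.5": "IAKERB",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def tlv(buf, pos, want):
    """Read one DER element at pos; return (value_start, value_end)."""
    if buf[pos] != want:
        raise ValueError(f"expected tag {want:#x} at {pos}, got {buf[pos]:#x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated token")
    return pos, pos + length

def oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    subs, val = [], 0
    for b in body:                         # base-128 sub-identifiers
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = min(subs[0] // 40, 2)
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def offered_mechs(header):
    """Return [(oid, name), ...] for the mechanisms a client token proposes."""
    tok = base64.b64decode(header.split(None, 1)[1])
    if tok.startswith(b"NTLMSSP\x00"):     # raw NTLM, no GSS-API framing
        return [("1.3.6.1.4.1.311.2.2.10", "NTLMSSP")]
    s, _ = tlv(tok, 0, 0x60)               # GSS-API InitialContextToken
    s, e = tlv(tok, s, 0x06)               # outer mechanism OID
    found = [oid(tok[s:e])]
    if found[0] == "1.3.6.1.5.5.2":        # SPNEGO: walk down to mechTypes
        found, s = [], e
        for tag in (0xA0, 0x30, 0xA0, 0x30):
            s, end = tlv(tok, s, tag)
        while s < end:                     # SEQUENCE OF OBJECT IDENTIFIER
            vs, s = tlv(tok, s, 0x06)
            found.append(oid(tok[vs:s]))
    return [(o, MECHS.get(o, "unknown")) for o in found]

# Constructed samples, not captured from the systems in this thread.
SPNEGO_SAMPLE = "Negotiate " + base64.b64encode(bytes.fromhex(
    "602306062b0601050502a0193017a015301306062b060105020506092a864886f712010202")).decode()
NTLM_SAMPLE = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()
```

Feeding it the header value from a browser or `curl --negotiate` trace shows whether the client is sending NTLM, or SPNEGO with a mechanism list that includes something other than Kerberos V5.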
