Question

Error initializing module Kerberos Single Sign On

1

We're trying to configure SSO in Mendix using the Kerberos Single Sign On module from the AppStore, but we're encountering the following error when starting our Mendix application: 2011-08-08 16:07:22.358 ERROR WinSSOjavax.security.auth.login.LoginException: Client not found in Kerberos database (6) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source) at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at javax.security.auth.login.LoginContext.invoke(Unknown Source) at javax.security.auth.login.LoginContext.access$000(Unknown Source) at javax.security.auth.login.LoginContext$5.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source) at javax.security.auth.login.LoginContext.login(Unknown Source) at com.mendix.winauth.KerberosAuthenticator.createServiceSubject(KerberosAuthenticator.java:196) at com.mendix.winauth.KerberosAuthenticator.<init>(KerberosAuthenticator.java:166) at com.mendix.winauth.SSOConfiguration.start(SSOConfiguration.java:62) at winsso.actions.StartWinSSO.executeAction(StartWinSSO.java:29) at winsso.actions.StartWinSSO.executeAction(StartWinSSO.java:18) at com.mendix.systemwideinterfaces.core.UserAction.execute(SourceFile:49) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:155) at com.mendix.core.Core.execute(SourceFile:191) at hi.a(SourceFile:70) at kM.a(SourceFile:67) at eR.executeAction(SourceFile:96) at com.mendix.systemwideinterfaces.core.UserAction.execute(SourceFile:49) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:155) at com.mendix.core.Core.executeSync(SourceFile:167) at is.a(SourceFile:71) at kM.a(SourceFile:67) at eR.executeAction(SourceFile:96) at com.mendix.systemwideinterfaces.core.UserAction.execute(SourceFile:49) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:155) at com.mendix.core.Core.executeSync(SourceFile:167) at er.f(SourceFile:74) at er.a(SourceFile:35) at dk.execute(SourceFile:106) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:159) at com.mendix.core.MxRuntime.A(SourceFile:292) at com.mendix.core.MxRuntime.z(SourceFile:254) at com.mendix.core.MxRuntime.a(SourceFile:236) at ly.execute(SourceFile:54) at com.mendix.m2ee.server.handler.AdminHandler.handle(AdminHandler.java:84) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113) at org.eclipse.jetty.server.Server.handle(Server.java:334) at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:559) at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:992) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:550) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:203) at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:406) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:462) at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436) at java.lang.Thread.run(Unknown Source) Caused by: sun.security.krb5.KrbException: Client not found in Kerberos database (6) at sun.security.krb5.KrbAsRep.<init>(Unknown Source) at sun.security.krb5.KrbAsReq.getReply(Unknown Source) at sun.security.krb5.Credentials.sendASRequest(Unknown Source) at sun.security.krb5.Credentials.acquireTGT(Unknown Source) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source) at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at javax.security.auth.login.LoginContext.invoke(Unknown Source) at javax.security.auth.login.LoginContext.access$000(Unknown Source) at javax.security.auth.login.LoginContext$5.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source) at javax.security.auth.login.LoginContext.login(Unknown Source) at com.mendix.winauth.KerberosAuthenticator.createServiceSubject(KerberosAuthenticator.java:196) at com.mendix.winauth.KerberosAuthenticator.<init>(KerberosAuthenticator.java:166) at com.mendix.winauth.SSOConfiguration.start(SSOConfiguration.java:62) at winsso.actions.StartWinSSO.executeAction(StartWinSSO.java:29) at winsso.actions.StartWinSSO.executeAction(StartWinSSO.java:18) at com.mendix.systemwideinterfaces.core.UserAction.execute(SourceFile:49) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:155) at com.mendix.core.Core.execute(SourceFile:191) at hi.a(SourceFile:70) at kM.a(SourceFile:67) at eR.executeAction(SourceFile:96) at com.mendix.systemwideinterfaces.core.UserAction.execute(SourceFile:49) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:155) at com.mendix.core.Core.executeSync(SourceFile:167) at is.a(SourceFile:71) at kM.a(SourceFile:67) at eR.executeAction(SourceFile:96) at com.mendix.systemwideinterfaces.core.UserAction.execute(SourceFile:49) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:155) at com.mendix.core.Core.executeSync(SourceFile:167) at er.f(SourceFile:74) at er.a(SourceFile:35) at dk.execute(SourceFile:106) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:159) at com.mendix.core.MxRuntime.A(SourceFile:292) at com.mendix.core.MxRuntime.z(SourceFile:254) at com.mendix.core.MxRuntime.a(SourceFile:236) at ly.execute(SourceFile:54) at com.mendix.m2ee.server.handler.AdminHandler.handle(AdminHandler.java:84) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113) at org.eclipse.jetty.server.Server.handle(Server.java:334) at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:559) at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:992) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:550) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:203) at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:406) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:462) at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436) at java.lang.Thread.run(Unknown Source) Caused by: sun.security.krb5.Asn1Exception: Identifier doesn't match expected value (906) at sun.security.krb5.internal.KDCRep.init(Unknown Source) at sun.security.krb5.internal.ASRep.init(Unknown Source) at sun.security.krb5.internal.ASRep.<init>(Unknown Source) at sun.security.krb5.KrbAsRep.<init>(Unknown Source) at sun.security.krb5.KrbAsReq.getReply(Unknown Source) at sun.security.krb5.Credentials.sendASRequest(Unknown Source) at sun.security.krb5.Credentials.acquireTGT(Unknown Source) at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Unknown Source) at com.sun.security.auth.module.Krb5LoginModule.login(Unknown Source) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at javax.security.auth.login.LoginContext.invoke(Unknown Source) at javax.security.auth.login.LoginContext.access$000(Unknown Source) at javax.security.auth.login.LoginContext$5.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokeCreatorPriv(Unknown Source) at javax.security.auth.login.LoginContext.login(Unknown Source) at com.mendix.winauth.KerberosAuthenticator.createServiceSubject(KerberosAuthenticator.java:196) at com.mendix.winauth.KerberosAuthenticator.<init>(KerberosAuthenticator.java:166) at com.mendix.winauth.SSOConfiguration.start(SSOConfiguration.java:62) at winsso.actions.StartWinSSO.executeAction(StartWinSSO.java:29) at winsso.actions.StartWinSSO.executeAction(StartWinSSO.java:18) at com.mendix.systemwideinterfaces.core.UserAction.execute(SourceFile:49) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:155) at com.mendix.core.Core.execute(SourceFile:191) at hi.a(SourceFile:70) at kM.a(SourceFile:67) at eR.executeAction(SourceFile:96) at com.mendix.systemwideinterfaces.core.UserAction.execute(SourceFile:49) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:155) at com.mendix.core.Core.executeSync(SourceFile:167) at is.a(SourceFile:71) at kM.a(SourceFile:67) at eR.executeAction(SourceFile:96) at com.mendix.systemwideinterfaces.core.UserAction.execute(SourceFile:49) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:155) at com.mendix.core.Core.executeSync(SourceFile:167) at er.f(SourceFile:74) at er.a(SourceFile:35) at dk.execute(SourceFile:106) at com.mendix.core.actionmanagement.CoreAction.call(SourceFile:473) at it.b(SourceFile:159) at com.mendix.core.MxRuntime.A(SourceFile:292) at com.mendix.core.MxRuntime.z(SourceFile:254) at com.mendix.core.MxRuntime.a(SourceFile:236) at ly.execute(SourceFile:54) at com.mendix.m2ee.server.handler.AdminHandler.handle(AdminHandler.java:84) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:113) at org.eclipse.jetty.server.Server.handle(Server.java:334) at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:559) at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:992) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:550) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:203) at org.eclipse.jetty.server.HttpConnection.handle(HttpConnection.java:406) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:462) at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:436) at java.lang.Thread.run(Unknown Source) I've enabled the debug logging in sso.properties, which logs the following: Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is D:\Bouwfonds Klantinzicht 254\Application\model\resources\mendixtest.keytab refreshKrb5Config is false principal is HTTP/rvwnlms005.corp.bouwfonds.com tryFirstPass is false useFirstPass is false storePass is false clearPass is false Config name: C:\WINDOWS\krb5.ini >>> KeyTabInputStream, readName(): CORP.BOUWFONDS.COM >>> KeyTabInputStream, readName(): HTTP >>> KeyTabInputStream, readName(): rvwnlms005.corp.bouwfonds.com >>> KeyTab: load() entry length: 88; type: 23 Added key: 23version: 3 Ordering keys wrt default_tkt_enctypes list Using builtin default etypes for default_tkt_enctypes default etypes for default_tkt_enctypes: 3 1 23 16 17 18. principal's key obtained from the keytab Acquire TGT using AS Exchange Using builtin default etypes for default_tkt_enctypes default etypes for default_tkt_enctypes: 3 1 23 16 17 18. >>> KrbAsReq calling createMessage >>> KrbAsReq in createMessage >>> KrbKdcReq send: kdc=10.33.130.93 UDP:88, timeout=30000, number of retries =3, #bytes=178 >>> KDCCommunication: kdc=10.33.130.93 UDP:88, timeout=30000,Attempt =1, #bytes=178 >>> KrbKdcReq send: #bytes read=108 >>> KrbKdcReq send: #bytes read=108 >>> KDCRep: init() encoding tag is 126 req type is 11 >>>KRBError: sTime is Mon Aug 08 17:26:27 CEST 2011 1312817187000 suSec is 985540 error code is 6 error Message is Client not found in Kerberos database realm is CORP.BOUWFONDS.COM sname is krbtgt/CORP.BOUWFONDS.COM msgType is 30 [Krb5LoginModule] authentication failed Client not found in Kerberos database (6) Settings in sso.properties: domain = corp.bouwfonds.com active_directory_server = 10.33.130.93 kerberos_servername = rvwnlms005 kerberos_keytab_file = mendixtest.keytab kerberos_protocol = http debug = true Does anyone (Michel?) have any suggestions what we're doing wrong, or at least whether this is a configuration problem at the Mendix or SSO/AD side?

asked 2011-08-09

Alexander Willemsen

1 answers

Michel Weststrate · Answer 1 · 2011-08-09

This is a configuration problem, your rvwnlms005 server seems not to be setup/ authorized correctly in the AD.