
I am running a ForgeRock environment with AM running on top of a Tomcat container on RHEL 8. My users come from AD and need to authenticate against AM using Kerberos authentication.

For this purpose a tree node was set up on the AM side specifying the SPN, trusted realms, domains and so on. We have an F5 load balancer, an HTTPD reverse proxy and a McAfee firewall in between.

When trying to access the URL as a user who is already logged in to AD, I get prompted for credentials. The browser is configured correctly, in both Firefox and Edge. If I enter the credentials I get logged in.

Now, when analyzing the debug logs, I see the following at the point where I am prompted for credentials:

    DEBUG: nodeType product-KerberosNode
    DEBUG: realm /dev/hsa
        tree wdsso
        outcome NEED_INPUT
        sharedState { "realm": "/dev/hsa", "authLevel": 0, "userGotoOnFailParam": "/eam/" }
    o.f.o.c.r.a.t.AuthTrees: Thread[https-jsse-nio-8443-exec-4]:
    DEBUG: resolvedFailureUrl /eam/
    DEBUG: resolvedSuccessUrl /eam/console
    o.f.o.c.r.a.c.RestAuthHttpCallbackHandler: : Thread[https-jsse-nio-8443-exec-4]: TransactionId[xxxxxxxxxxxxxxxx]
    DEBUG: Authorization Header not set in request.
    o.f.o.c.r.a.h.AuthenticationServiceV1: Thread[https-jsse-nio-8443-exec-4]: TransactionId[xxxxxxxxxx]
    DEBUG: AuthenticationService.authenticate() :: Exception from CallbackHandler
    org.forgerock.openam.core.rest.authn.exceptions.RetryRestAuthResponseException: { "failure": true, "reason": "http-auth-failed" }
        at org.forgerock.openam.core.rest.authn.callbackhandlers.RestAuthHttpCallbackHandler.updateCallbackFromRequest(RestAuthHttpCallbackHandler.java:60)

Tomcat policy logs:

    org.forgerock.openam.core.rest.authn.http.AuthenticationServiceV2: Thread[https-jsse-nio-8443-exec-4]: TransactionId[xxxxxxxxxxx]
    WARN: Authentication encountered an error: [Status: 401 Unauthorized]
    org.forgerock.openam.core.rest.authn.exceptions.RetryRestAuthResponseException: { "failure": true, "reason": "http-auth-failed" }
        at org.forgerock.openam.core.rest.authn.callbackhandlers.RestAuthHttpCallbackHandler.updateCallbackFromRequest(RestAuthHttpCallbackHandler.java:60)

We are getting a Kerberos ticket for the initialized sessions, as I can see SPNEGO happening in the logs, and the Kerberos ticket is consumed if I enter the credentials.

I don't understand why I get the above errors. Does anyone have a clue?

Update: it was the SPN not being configured correctly; we are using it with a DNS alias and the keytab file associated with it. Hope it will help others in the future.

  • Update: we did a cross meeting with the support guys. We are seeing the Kerberos ticket getting passed through the reverse proxy, BUT according to the proxy logs the first prompt we get is still a 400 Unauthorized, then the Negotiate: ticket, and then a 200. We are inclined to believe there is a browser issue and the header is not presented. – forgerocker84 Aug 11 '23 at 14:09
  • That sounds normal – without a 401 Unauthorized (not 400), the browser won't know it _needs_ to get a ticket in the first place. – user1686 Aug 16 '23 at 07:43
  • @user1686 thanks for correcting, but if the 401 Unauthorized is happening, then why doesn't the Kerberos ticket get presented, and instead I get a prompt to enter my credentials? Then the only thing that comes to mind is that the browser group policy is messing with the Authorization header. We did a trace on the firewall and we are seeing the Kerberos ticket passing through, and from the reverse proxy side as well. – forgerocker84 Aug 16 '23 at 10:12
  • Update: it was the SPN not being configured correctly; we are using it with a DNS alias and the keytab file associated with it. Hope it will help others in the future. – forgerocker84 Aug 23 '23 at 12:07
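The two things the thread ends up checking by hand, whether the proxy trace really shows a 401 with a Negotiate challenge followed by a Kerberos (not NTLM) token, and whether the keytab actually holds the SPN the browser asks for when the site is reached through a DNS alias, can be scripted. The following is an added example written for this page; it is not code from the original post or from ForgeRock. Host names (sso.example.com, am-node1.example.com), the Kerberos realm EXAMPLE.COM, the keytab path and the trace itself are constructed placeholders. The SPN logic assumes the documented browser behaviour: Firefox builds HTTP/<host as typed>, while Chromium-based browsers such as Edge resolve a CNAME to its canonical name first unless the DisableAuthNegotiateCnameLookup policy is set, so an alias may require both principals in the keytab.

```python
"""Triage helper for a browser -> reverse proxy -> AM SPNEGO exchange (added example)."""
import base64
import re
from urllib.parse import urlsplit

# A GSS-API InitialContextToken is DER [APPLICATION 0] (tag 0x60) followed by the mech OID.
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2


def _der_length(buf, i):
    """Return (length, index after the length octets) for the DER length at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_negotiate_token(token_b64):
    """Say what the browser actually sent in 'Authorization: Negotiate <token>'."""
    raw = base64.b64decode(token_b64 + "=" * (-len(token_b64) % 4))
    if raw.startswith(b"NTLMSSP\x00"):
        return "NTLM"          # Negotiate fell back to NTLM: the client had no usable ticket
    if raw[:1] != b"\x60":
        return "unknown"
    _, i = _der_length(raw, 1)
    if raw[i:].startswith(SPNEGO_OID):
        return "SPNEGO"
    if raw[i:].startswith(KRB5_OID):
        return "Kerberos"
    return "GSS-API"


def expected_spns(url, canonical_name=None):
    """SPNs a browser may ask the KDC for when opening this URL.

    Firefox uses the host name as typed. Chromium/Edge resolve a CNAME to the
    canonical host first unless DisableAuthNegotiateCnameLookup is set, so pass
    the A-record name as canonical_name when the site is reached via an alias.
    """
    host = urlsplit(url).hostname.lower().rstrip(".")
    spns = {f"HTTP/{host}"}
    if canonical_name:
        spns.add(f"HTTP/{canonical_name.lower().rstrip('.')}")
    return spns


def parse_klist_keytab(text):
    """Principals from 'klist -k' style output: lines of '<KVNO> <principal@REALM>'."""
    principals = set()
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def missing_spns(url, keytab_text, canonical_name=None):
    """Expected SPNs that have no key in the keytab (realm part ignored)."""
    have = {p.split("@", 1)[0] for p in parse_klist_keytab(keytab_text)}
    return sorted(spn for spn in expected_spns(url, canonical_name) if spn not in have)


def triage_exchange(trace):
    """Walk (direction, first_line, headers) records and report what the proxy saw."""
    report = {"challenge": None, "token": None, "final_status": None}
    for direction, first_line, headers in trace:
        if direction == "<":
            status = int(first_line.split()[1])
            report["final_status"] = status
            if status == 401:   # only a 401 + WWW-Authenticate: Negotiate makes the browser fetch a ticket
                report["challenge"] = headers.get("WWW-Authenticate")
        else:
            auth = headers.get("Authorization", "")
            if auth.startswith("Negotiate "):
                report["token"] = classify_negotiate_token(auth.split(None, 1)[1])
    return report


# Constructed sample data (not captured from a real system).
SAMPLE_SPNEGO_TOKEN = base64.b64encode(
    b"\x60\x1c" + SPNEGO_OID + b"\xa0\x12\x30\x10" + b"\x00" * 16).decode()
SAMPLE_NTLM_TOKEN = base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 20).decode()
SAMPLE_TRACE = [
    (">", "GET /eam/console HTTP/1.1", {"Host": "sso.example.com"}),
    ("<", "HTTP/1.1 401 Unauthorized", {"WWW-Authenticate": "Negotiate"}),
    (">", "GET /eam/console HTTP/1.1",
     {"Host": "sso.example.com", "Authorization": "Negotiate " + SAMPLE_SPNEGO_TOKEN}),
    ("<", "HTTP/1.1 200 OK", {}),
]
SAMPLE_KEYTAB = """Keytab name: FILE:/etc/openam/am.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 HTTP/am-node1.example.com@EXAMPLE.COM
"""

if __name__ == "__main__":
    print(triage_exchange(SAMPLE_TRACE))
    print("missing SPNs:", missing_spns("https://sso.example.com/eam/console",
                                        SAMPLE_KEYTAB, "am-node1.example.com"))
```

With the constructed keytab, which only holds the node's own host name, the alias principal HTTP/sso.example.com is reported missing, which is the mismatch the question's update describes. In a real environment feed the output of klist -k on the AM host and the header trace from the reverse proxy into these functions; a token classified as NTLM means the browser never obtained a ticket for the SPN it derived from the URL.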
