on 05-03-2017 6:23 PM
Hello Experts,
We are trying to make the F5 load balancer work on top of two Tomcats (both are clustered and SSO is working as expected). When we try the LB URL, the following error pops up. For the last few days we have been searching for a solution on the forum but couldn't find a matching scenario.
HTTP Status 500 - com.wedgetail.idm.sso.ProtocolException: com.wedgetail.idm.spnego.server.SpnegoException: GSSException: Failure unspecified at GSS-API level (Mechanism level: com.dstc.security.kerberos.KerberosException: Could not decrypt service ticket with Key type 23, KVNO 6, Principal "HTTP/bi41.domain.com@ABC.DOMAIN.COM" using key: Principal: [1] SSOACOUNT@ABC.DOMAIN.COM TimeStamp: Wed May 03 10:47:11 EDT 2017 KVNO: -1 EncType: 23 Key: 16 bytes, fingerprint = [e7 55 40 ed 86 e5 b a 39 36 36 71 f0 bf 77 26] Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure[Note: principal names are different; this may or may not be a problem] [Note: KVNO used wildcard match, not exact match; perhaps the password used to generate this key is not the most recent password?] )
When the packet capture was done, the following information was revealed:
1. Accessing the site via Chrome without proxy
2. Accessing the site via Chrome with proxy
Attached is the trace where the "500 Internal Server Error" shows.
Env: BI 4.1 SP8 on Windows Server 2012 R2
Thanks,
Mohammad
Test the load balancer URL using http://loadbalancerurl/BOE/BI/logonNoSso.jsp
If that works (not the SSO but the page), then the load balancer is probably OK.
Then SSO works based on SPNs as noted above and in KBA 1631734.
If you run setspn -s http/loadbalancerurl domain\global.propertiesserviceaccount (idm.princ)
and setspn -s http/loadbalancerFQDNurl domain\global.propertiesserviceaccount (idm.princ)
then SSO should work. If not, packet scan the failure (we usually use Wireshark): perform a klist purge beforehand and verify the HTTP SPN that is being requested. Sometimes the URL in the browser does not match the URL in DNS, and usually only packet scanning will show that, but most times the URL in the browser (hostname and FQDN) is fine for setting the SPNs.
Regards,
Tim
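As an added illustration (not code from the thread or from SAP), a Python check that applies the advice above offline: given `setspn -L` output for the SSO account and a DNS view for the load balancer name, it reports which HTTP SPN the browser will request and whether the account actually holds it. The setspn output, the DNS mapping and the host names are constructed samples; on a real domain they would come from `setspn -L` and nslookup.

```python
import re
from urllib.parse import urlparse

# Constructed sample of `setspn -L <account>` output for a hypothetical
# global.properties service account; not taken from the thread.
SETSPN_OUTPUT = """Registered ServicePrincipalNames for CN=ssoaccount,OU=Service Accounts,DC=abc,DC=domain,DC=com:
        HTTP/bi41.domain.com
        HTTP/bi41
        HTTP/lb.domain.com
"""

# Constructed DNS view: hostname -> canonical name it resolves to (the CNAME
# target, or the name itself for an A record). Mirrors the thread's mismatch:
# the LB alias lives in domain.com but its target was registered in domain1.com.
DNS_VIEW = {
    "lb": "lb.domain1.com",
    "lb.domain.com": "lb.domain1.com",
    "bi41.domain.com": "bi41.domain.com",
}


def parse_setspn(output):
    """Collect the SPNs listed by `setspn -L` (lower-cased; AD matches them case-insensitively)."""
    spns = set()
    for line in output.splitlines():
        line = line.strip()
        # SPN lines look like "HTTP/host"; the header line contains spaces and is skipped.
        if re.match(r"^[A-Za-z]+/\S+$", line):
            spns.add(line.lower())
    return spns


def check_sso_names(url, setspn_output, dns_view):
    """Return the problems that would make SPNEGO fail for this browser URL.

    The browser requests HTTP/<host as typed>; Windows browsers typically also
    canonicalise the host through DNS first, so a CNAME pointing into another
    domain makes the client ask for HTTP/<cname target> instead. Both names must
    be registered on the SSO account: a name with no SPN at all makes the browser
    fall back to a logon prompt, and a name registered on some other account
    yields a ticket the Tomcat side cannot decrypt.
    """
    host = urlparse(url).hostname.lower()
    spns = parse_setspn(setspn_output)
    findings = []
    if f"http/{host}" not in spns:
        findings.append(f"missing SPN http/{host} for the URL as typed")
    canonical = dns_view.get(host, host).lower()
    if canonical != host and f"http/{canonical}" not in spns:
        findings.append(f"DNS maps {host} to {canonical}, which has no SPN http/{canonical}")
    return findings
```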
Thanks Tim for the response.
We found out that it was actually an issue with the DNS name (improper domain).
The SPN was using a different domain (i.e. server.domain.com, while DNS had server.domain1.com).
As soon as the network guys changed the DNS so that it matched the SPN, the load balancer URL started working and users are routed as per the round-robin approach.
Thank You again,
Mohammad
Much appreciate your response, Dennis and Joe!
We went through much trial and error in the last few days...
...4.1 SP08 was recently installed with new servers, while keeping the old server names (same IP).
The old system had three Tomcats. We dropped one BI Launchpad URL out of the three (previous version) URLs.
Then the error was resolved; however, the LB URLs (both FQDN and IP) still ask for login credentials.
Next step... We are asking the DNS team to create a C record for the FQDN URL.
We are still working on it. I would appreciate it if there are more suggestions.
Mohammad