I am setting up Windows AD authentication and SSO where there are multiple domains in a parent-child domain structure:
I have made the appropriate settings according to the documentation, and now users in the parent domain can log in through manual AD.
I can successfully run a test with a user in a child domain using kinit, but that user cannot log in to BO using manual AD.
The BO server is in CHILD_DOMAIN1. The service account running BO is in PARENT_DOMAIN1. There are users in all parent and child domains.
In the CMS I have set:
AD Administration Name: PARENT_DOMAIN.COM\Service_Account
Default AD Group: PARENT_DOMAIN.COM
Service Principal Name: BO_SERVERNAME/Service_Account.PARENT_DOMAIN.COM
I have added AD Group: PARENT_DOMAIN\Group1
(This group does include the user in the child domain.)
SETSPN -a BO_SERVER/Service_Account.PARENT_DOMAIN.COM Service_Account
SETSPN -a HTTP/BO_SERVER.PARENT_DOMAIN.COM Service_Account
In krb5.ini I have:
default_realm = PARENT_DOMAIN.COM
dns_lookup_kdc = true
dns_lookup_realm = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
udp_preference_limit = 1
default_domain = PARENT_DOMAIN.COM
default_domain = CHILD_DOMAIN1.PARENT_DOMAIN.COM
default_domain = CHILD_DOMAIN2.PARENT_DOMAIN.COM
The Tomcat error log says (among other things):
jcsi.kerberos: Ticket service name is: HTTP/BO_SERVER.CHILD_DOMAIN1.PARENT_DOMAIN.COM@CHILD_DOMAIN1.PARENT_DOMAIN.COM
jcsi.kerberos: Using keytab entry for: Service_Account@PARENT_DOMAIN.COM
jcsi.kerberos: ** decrypting ticket .. ** with key Principal: Service_Account@PARENT_DOMAIN.COM
jcsi.kerberos: Could not decrypt service ticket with Key type 23, KVNO 2, Principal "HTTP/BO_SERVER.CHILD_DOMAIN1.PARENT_DOMAIN.COM@CHILD_DOMAIN1.PARENT_DOMAIN.COM"
Exception for this key was: com.dstc.security.kerberos.CryptoException: Integrity check failure
This seems to me like I have not set up the SPNs correctly?
Is that right? What would the correct SPNs be, based upon the location of the BO
Any other indications of what is going wrong?
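As an added diagnostic example (not part of the question above), this script triages the quoted jcsi.kerberos log lines: it extracts the service principal the ticket was issued for and the keytab principal that was used to decrypt it, then reports whether that SPN is among the ones registered with SETSPN and whether the ticket realm differs from the keytab realm. The log text and SPN list are constructed from the lines quoted in the post.

```python
import re

# Constructed sample: the three jcsi.kerberos lines quoted in the question.
LOG = """jcsi.kerberos: Ticket service name is: HTTP/BO_SERVER.CHILD_DOMAIN1.PARENT_DOMAIN.COM@CHILD_DOMAIN1.PARENT_DOMAIN.COM
jcsi.kerberos: Using keytab entry for: Service_Account@PARENT_DOMAIN.COM
jcsi.kerberos: Could not decrypt service ticket with Key type 23, KVNO 2, Principal "HTTP/BO_SERVER.CHILD_DOMAIN1.PARENT_DOMAIN.COM@CHILD_DOMAIN1.PARENT_DOMAIN.COM"
"""

# SPNs registered with "SETSPN -a ..." in the question (service class/host part only).
REGISTERED_SPNS = [
    "BO_SERVER/Service_Account.PARENT_DOMAIN.COM",
    "HTTP/BO_SERVER.PARENT_DOMAIN.COM",
]


def parse_principal(principal):
    """Split 'service/host@REALM' into (service, host, realm); missing parts are ''."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return service, host, realm


def triage(log, registered):
    """Compare the requested service ticket against the keytab entry and registered SPNs."""
    ticket = re.search(r"Ticket service name is: (\S+)", log)
    keytab = re.search(r"Using keytab entry for: (\S+)", log)
    findings = {"requested_spn": None, "keytab_principal": None,
                "spn_registered": None, "realm_mismatch": None}
    if not ticket or not keytab:
        return findings  # nothing to compare without both log lines
    service, host, ticket_realm = parse_principal(ticket.group(1))
    _, _, keytab_realm = parse_principal(keytab.group(1))
    requested = f"{service}/{host}"
    findings["requested_spn"] = requested
    findings["keytab_principal"] = keytab.group(1)
    # SPN and realm comparisons are case-insensitive, as AD treats them.
    findings["spn_registered"] = requested.upper() in {s.upper() for s in registered}
    findings["realm_mismatch"] = ticket_realm.upper() != keytab_realm.upper()
    return findings


if __name__ == "__main__":
    for key, value in triage(LOG, REGISTERED_SPNS).items():
        print(f"{key}: {value}")
```

Run against the quoted lines it reports that the SPN the client asked for (HTTP on the CHILD_DOMAIN1 host name) is not in the registered list and that the ticket realm differs from the keytab principal's realm, which is the pair of facts to check first before touching the SPNs.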