Troubleshooting OpenAM Windows SSO authenticator module

Troubleshooting OpenAM Windows SSO authenticator module

Robert Morschel

Hi,

I have configured a new OpenAM 12.0.0 instance with a realm called ad, containing a single authentication chain consisting of the Windows Desktop SSO module, but am really struggling to get it to work. Logging in using http://vrtstoam001.iggroup.local:8080/openam/XUI/#login/&realm=ad (IE and Chrome) fails. I turned Authentication debug on (setting it on the Windows SSO module appears to have no effect) and see the error "Kerberos token is not valid."

Any suggestions for what may be wrong, or how to troubleshoot this further?

Regards,

Robert

Configuration:

Based on this article, http://troubleshootingrange.blogspot.co.uk/2012/08/kerberos-desktop-sso-with-openam-and.html, we generated a Kerberos keytab file as follows:

ktpass.exe -out HTTP.vrtstoam001.iggroup.local.keytab -pass *** -mapuser *** -princ HTTP/[hidden email] -ptype KRB5_NT_PRINCIPAL -target DMZ.LOCAL -kvno 0 -crypto RC4-HMAC-NT

and configured the SSO module as per the attached screenshot.

The information contained in this email is strictly confidential and for the use of the addressee only, unless otherwise indicated. If you are not the intended recipient, please do not read, copy, use or disclose to others this message or any attachment. Please also notify the sender by replying to this email or by telephone (+44(020 7896 0011) and then delete the email and any copies of it. Opinions, conclusion (etc) that do not relate to the official business of this company shall be understood as neither given nor endorsed by it. IG is a trading name of IG Markets Limited (a company registered in England and Wales, company number 04008957) and IG Index Limited (a company registered in England and Wales, company number 01190902). Registered address at Cannon Bridge House, 25 Dowgate Hill, London EC4R 2YA. Both IG Markets Limited (register number 195355) and IG Index Limited (register number 114059) are authorised and regulated by the Financial Conduct Authority.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Troubleshooting OpenAM Windows SSO authenticator module

Brad Tumy
If I remember correctly there is a bug related to Windows Desktop SSO, XUI and Realms.  Can you test with XUI disabled to verify that it works without XUI?  I believe that ForgeRock issued a patch for a customer that I was working with when I found this issue before.  Unfortunately, I no longer have access to this customer's backstage account to validate this.

Brad Tumy  |   [hidden email]   |   240.215.4825  |   http://tumy-tech.com  |   linkedin.com/in/bradtumy


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Troubleshooting OpenAM Windows SSO authenticator module

Bernhard Thalmayr
What is the value of the token? (Check the Authentication debug log.)

If it starts with '4e' the browser sent an NTLM token (as it could not acquire a Kerberos service ticket for the OpenAM service).

Real Kerberos tokens start with '60'.

-Bernhard



--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Troubleshooting OpenAM Windows SSO authenticator module

Robert Morschel
It is:
4e 54 4c 4d 53 53 50 00 01 00 00 00 97 82 08 e2
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
06 01 b1 1d 00 00 00 0f

Any ideas why the browser would do this?

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Troubleshooting OpenAM Windows SSO authenticator module

Bernhard Thalmayr
On 20/01/16 at 17:45, Robert Morschel wrote:
> It is:
> 4e 54 4c 4d 53 53 50 00 01 00 00 00 97 82 08 e2
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 06 01 b1 1d 00 00 00 0f
>
> Any ideas why the browser would do this?

Because IE and Chrome (which mimics IE) somewhat violate the SPNEGO
protocol? SPNEGO does not really offer a way to mandate a specific token
type, hence IE decides to send an NTLM token as no Kerberos token is
available.

You need to check on the client why the Kerberos request against the KDC failed.

I assume the SPN is not set up properly in AD.

'klist' on the client shows all tickets. If the URL of OpenAM is not listed,
then no service ticket could be obtained.

Something to discuss with the AD guys ... OpenAM cannot do anything here.

-Bernhard

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
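The byte check Bernhard describes (an NTLM token begins with 4e, the ASCII 'NTLMSSP' signature; a Kerberos or SPNEGO token begins with the DER tag 60) can be applied mechanically to the hex dump that the Authentication debug log prints. The Python script below is an added example and is not code from this thread or from OpenAM. It parses the dump Robert posted, recognises the NTLM signature and reads the NTLM message type, negotiate flags and the client OS version field, and for a 60 token decodes the GSS-API mechanism OID so that SPNEGO can be told apart from raw Kerberos 5. The SPNEGO and Kerberos sample tokens are constructed for illustration only: their inner bodies are placeholders, not real tickets.

```python
import struct

# Hex dump exactly as quoted in the thread: the token Robert's browser sent.
NTLM_DUMP_FROM_THREAD = """
4e 54 4c 4d 53 53 50 00 01 00 00 00 97 82 08 e2
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
06 01 b1 1d 00 00 00 0f
"""

NTLM_SIGNATURE = b"NTLMSSP\x00"              # the '4e 54 4c 4d 53 53 50 00' prefix
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
KNOWN_MECH_OIDS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos 5",
    "1.2.840.48018.1.2.2": "Kerberos 5 (Microsoft legacy OID)",
}


def parse_hex_dump(text):
    """Turn the whitespace-separated hex dump printed in the debug log into bytes."""
    return bytes.fromhex("".join(text.split()))


def der(tag, content):
    """Minimal DER TLV builder (short-form length only), used for the constructed samples."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content


def decode_der_length(data, pos):
    """Return (length, position after the length field) for a DER length at data[pos]."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def classify_token(data):
    """Say what kind of token arrived in the Negotiate header and pull out the useful fields."""
    if data.startswith(NTLM_SIGNATURE):
        msg_type, flags = struct.unpack_from("<II", data, 8)
        result = {"family": "NTLM",
                  "message_type": NTLM_MESSAGE_TYPES.get(msg_type, "unknown(%d)" % msg_type),
                  "flags": "0x%08x" % flags}
        # With NTLMSSP_NEGOTIATE_VERSION set, bytes 32..39 carry major, minor, build of the client OS.
        if flags & NTLMSSP_NEGOTIATE_VERSION and len(data) >= 40:
            major, minor, build = struct.unpack_from("<BBH", data, 32)
            result["client_os"] = "%d.%d.%d" % (major, minor, build)
        return result
    if data[0] == 0x60:
        # GSS-API InitialContextToken (RFC 2743, 3.1): [APPLICATION 0] { mechanism OID, inner token }
        _, pos = decode_der_length(data, 1)
        if data[pos] != 0x06:
            return {"family": "GSS-API", "mechanism": "malformed (mechanism OID missing)"}
        oid_len, pos = decode_der_length(data, pos + 1)
        oid = decode_oid(data[pos:pos + oid_len])
        return {"family": "GSS-API", "oid": oid, "mechanism": KNOWN_MECH_OIDS.get(oid, "unknown")}
    return {"family": "unknown", "first_byte": "0x%02x" % data[0]}


# Constructed samples of what a healthy client sends; inner bodies are placeholders, not real tickets.
SPNEGO_OID = bytes.fromhex("2b0601050502")
KRB5_OID = bytes.fromhex("2a864886f712010202")
SAMPLE_SPNEGO = der(0x60, der(0x06, SPNEGO_OID)
                    + der(0xA0, der(0x30, der(0xA0, der(0x30, der(0x06, KRB5_OID))))))  # NegTokenInit{mechTypes}
SAMPLE_KRB5 = der(0x60, der(0x06, KRB5_OID) + b"\x01\x00" + b"<AP-REQ omitted>")  # TOK_ID 01 00 = KRB_AP_REQ


if __name__ == "__main__":
    for label, token in [("from thread", parse_hex_dump(NTLM_DUMP_FROM_THREAD)),
                         ("sample SPNEGO", SAMPLE_SPNEGO), ("sample krb5", SAMPLE_KRB5)]:
        print(label, "->", classify_token(token))
```

Run against the dump from the thread, the script reports an NTLM NEGOTIATE message (the first of the three NTLM messages, so the client never got as far as a Kerberos ticket) with the version field 6.1.7601, which is the build number a Windows 7 SP1 / Server 2008 R2 client puts there. Seeing NEGOTIATE here confirms Bernhard's reading: the browser fell back to NTLM before OpenAM was ever involved, so the next step is on the client and the KDC, not in the module.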

Re: Troubleshooting OpenAM Windows SSO authenticator module

Robert Morschel
In reply to this post by Brad Tumy

Hi Brad, thanks for the suggestion. It doesn't appear to have made a difference with XUI disabled (apart from the look and feel).

Regards,

Robert

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Troubleshooting OpenAM Windows SSO authenticator module

Brad Tumy
I am pretty sure the bug we encountered was specific to XUI.  If you are seeing it in both UI and XUI then more than likely Bernhard's suggestions are on the right track.

_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Reply | Threaded
Open this post in threaded view
|

Re: Troubleshooting OpenAM Windows SSO authenticator module

Jari Ahonen
In reply to this post by Bernhard Thalmayr


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
Sent: Wednesday, January 20, 2016 5:50 PM
To: [hidden email]
Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator module

> You need to check on client why the Kerberos request against KDC failed.

Unfortunately I have found this to be one of the trickiest things to do in practice and in some cases there isn't any logical explanation to be found. :(

That said if you have a system with MIT Kerberos (RedHat/CentOS box would do nicely) it would be easy to check if you can get the appropriate ticket from KDC:
$ kinit userid@REALM (this logs you into KDC and gets a TGT)
$ kvno HTTP/server.fully.qualified.domain.name (Gets a service ticket for your web server and also shows the kvno of that ticket)
$ klist (shows your cached tickets)

Doing the above successfully proves that your KDC works and the problem is likely on the client side.

Whatever it's worth I'm pretty sure kvno 0 is not correct on the ktpass command line. The kvno is incremented every time the password of the active directory account associated with the service changes. When you run ktpass on a newly created account the resulting kvno is IIRC 3 and any updates increment this value.

HTH

- Jari
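As an added illustration of Jari's kvno point (this is not code from the thread; the klist and kvno outputs below are constructed samples in MIT Kerberos format), a small POSIX shell script that compares the key version number stored in a keytab with the kvno the KDC used when it issued the service ticket. A keytab whose kvno does not match the ticket's, for example one written with -kvno 0 after the AD account's password has changed, is one common reason a server cannot decrypt a ticket that kinit and kvno obtained without complaint.

```shell
#!/bin/sh
# Added example (not from the thread): compare the key version number (kvno)
# stored in a keytab with the kvno the KDC used for a service ticket.
# In practice the two inputs come from `klist -kt HTTP.keytab` and
# `kvno HTTP/host@REALM` (MIT Kerberos output formats are assumed);
# the strings below are constructed samples so the script runs offline.

PRINC='HTTP/web.example.local@EXAMPLE.LOCAL'

# Constructed `klist -kt` listing: two enctype entries, both at kvno 3.
KEYTAB_OK='Keytab name: FILE:HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/20/2016 10:00:00 HTTP/web.example.local@EXAMPLE.LOCAL
   3 01/20/2016 10:00:00 HTTP/web.example.local@EXAMPLE.LOCAL'

# Constructed listing for a keytab generated with `ktpass ... -kvno 0`.
KEYTAB_KVNO0='Keytab name: FILE:HTTP.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 01/20/2016 10:00:00 HTTP/web.example.local@EXAMPLE.LOCAL'

# Constructed `kvno` output: the KDC issued the service ticket with kvno 3.
KVNO_OUT='HTTP/web.example.local@EXAMPLE.LOCAL: kvno = 3'

# keytab_kvno LISTING PRINCIPAL -> highest kvno held for PRINCIPAL, or nothing
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        BEGIN { max = -1 }
        $NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (found) print max }'
}

# ticket_kvno KVNO_OUTPUT PRINCIPAL -> kvno reported for the service ticket
ticket_kvno() {
    printf '%s\n' "$1" | sed -n "s|^$2: kvno = \([0-9][0-9]*\)\$|\1|p"
}

# kvno_check LISTING KVNO_OUTPUT PRINCIPAL -> one-word verdict
kvno_check() {
    kt=$(keytab_kvno "$1" "$3")
    tk=$(ticket_kvno "$2" "$3")
    if [ -z "$kt" ]; then
        echo "missing-in-keytab"       # wrong SPN or wrong realm in the keytab
    elif [ -z "$tk" ]; then
        echo "no-service-ticket"       # the KDC never issued one: fix that first
    elif [ "$kt" = "$tk" ]; then
        echo "match:$kt"
    else
        echo "mismatch:keytab=$kt,ticket=$tk"
    fi
}

# Stand-alone run over the constructed samples.
kvno_check "$KEYTAB_OK" "$KVNO_OUT" "$PRINC"      # prints match:3
kvno_check "$KEYTAB_KVNO0" "$KVNO_OUT" "$PRINC"   # prints mismatch:keytab=0,ticket=3
```

Against a live KDC the call becomes `kvno_check "$(klist -kt HTTP.keytab)" "$(kvno HTTP/host@REALM)" HTTP/host@REALM`, run as the user who just did kinit; a `no-service-ticket` result points at the KDC or SPN registration, a `mismatch` at the keytab, and only a `match` leaves the browser side as the remaining suspect.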


Re: Troubleshooting OpenAM Windows SSO authenticator module

Paul Figura
In reply to this post by Robert Morschel
Hi Robert,

Maybe this is unrelated, but I'll drop some info here, just in case.

There are many, many things that could cause Kerberos to fail. Firstly, are you using IE to do your tests? Check if it works in Chrome and FF. If you do a Wireshark, or Charles, do you see "content-length: 0" in your headers? That can be a smoking gun.

Take a look at this bug:
https://bugster.forgerock.org/jira/browse/OPENAM-2613

The "Fix" is to set DisableNTLMPreauth on all client computers. See if that works, and if it does, you have to convince your windows team to push a GPO update!

BTW, this SHOULD NOT HAPPEN if you are in production; it can happen if you are using a production machine on an OpenAM that connects to a non-prod AD for Kerberos authentication (because there is a mismatch between AD realms).


BEST EXPLANATION:
http://stackoverflow.com/questions/328281/why-content-length-0-in-post-requests

More info:
http://blogs.msdn.com/b/david.wang/archive/2005/12/01/http-post-fails-for-anonymous-authentication.aspx

I hope that helps!

Regards,
Paul Figura
Identity & Access Management Architect
Indigo Consulting Canada
Tel: 514-432-6233
Email: [hidden email]  http://www.indigoconsulting.ca
   

Re: Troubleshooting OpenAM Windows SSO authenticator module

Robert Morschel
In reply to this post by Jari Ahonen
Hi,

Thanks for the help so far.   So more details.

From the OpenAM server I can happily run kinit and kvno with my credentials.  Incidentally, OpenAM runs as a server tomcat account not present in AD.

When I try from Chrome to login via: http://vrdevdoc001.iggroup.local:8080/openam?realm=ad, Fiddler shows the request POST http://vrdevdoc1.iggroup.local/openam/json/authenticate?realm=%2Fad HTTP/1.1 is presenting a Kerberos Authorization Header, even though the OpenAM authentication debug log says: Authorization Header not set in request:

Negotiate YIIhNgYGKwYBBQUCoIIhKjCCISag... [remainder of the base64 token omitted]

Any other thoughts gratefully received.

Regards,
Robert
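Paul Figura's Content-Length: 0 hint above and the Negotiate header in this post both come down to looking at what the browser actually sent. The script below is an added example (not from the thread and not OpenAM code) that takes a captured request, checks the method and Content-Length, and decodes the leading bytes of the Negotiate token to tell a SPNEGO/Kerberos token (0x60 GSS-API framing followed by OID 1.3.6.1.5.5.2) from a raw NTLMSSP one. The request captures are constructed; the endpoint path and header names come from the thread, and GNU coreutils `base64 -d` and `od` are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): classify the Authorization: Negotiate
# header of a captured request before blaming the keytab. Requests below are
# constructed samples in the shape Fiddler/Wireshark would show; the header
# names and the OpenAM authenticate endpoint path are taken from the thread.
# Assumes GNU coreutils `base64 -d` and `od`.

# Constructed capture: empty POST carrying an NTLM type-1 token (NTLMSSP\0 signature).
REQ_EMPTY_NTLM='POST /openam/json/authenticate?realm=%2Fad HTTP/1.1
Host: openam.example.local
Content-Length: 0
Authorization: Negotiate TlRMTVNTUAABAAAA'

# Constructed capture: POST with a body and the leading bytes of a SPNEGO token.
REQ_SPNEGO='POST /openam/json/authenticate?realm=%2Fad HTTP/1.1
Host: openam.example.local
Content-Length: 2
Authorization: Negotiate YIIhNgYGKwYBBQUCoIIhKjCCISag'

# Constructed capture: the browser sent no credentials at all.
REQ_ANON='POST /openam/json/authenticate?realm=%2Fad HTTP/1.1
Host: openam.example.local
Content-Length: 2'

# header_value REQUEST NAME -> value of the first matching header (case-insensitive)
header_value() {
    printf '%s\n' "$1" | grep -i "^$2:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//' | tr -d '\r'
}

# negotiate_token_kind BASE64 -> ntlm | spnego | gssapi-other | invalid
negotiate_token_kind() {
    # First 20 decoded bytes as a hex string; enough to see the framing and mech OID.
    hex=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tx1 -v | tr -d ' \n' | cut -c1-40)
    [ -n "$hex" ] || { echo invalid; return; }
    case "$hex" in
        4e544c4d53535000*) echo ntlm ;;            # "NTLMSSP\0": raw NTLM, never Kerberos
        60*)                                        # 0x60: GSS-API InitialContextToken
            case "$hex" in
                *2b0601050502*) echo spnego ;;      # OID 1.3.6.1.5.5.2 (SPNEGO)
                *) echo gssapi-other ;;
            esac ;;
        *) echo invalid ;;
    esac
}

# classify_request REQUEST -> verdict; "empty-post:*" is the pattern Paul describes
classify_request() {
    method=$(printf '%s\n' "$1" | head -n 1 | cut -d ' ' -f 1)
    clen=$(header_value "$1" Content-Length)
    auth=$(header_value "$1" Authorization)
    if [ -z "$auth" ]; then echo "no-credentials"; return; fi
    case "$auth" in
        "Negotiate "*) kind=$(negotiate_token_kind "${auth#Negotiate }") ;;
        *) echo "other-scheme"; return ;;
    esac
    if [ "$method" = POST ] && [ "${clen:-0}" -eq 0 ]; then
        echo "empty-post:$kind"   # body dropped on the pre-auth round trip
    else
        echo "$kind"
    fi
}

for r in "$REQ_EMPTY_NTLM" "$REQ_SPNEGO" "$REQ_ANON"; do
    classify_request "$r"
done
```

A `ntlm` or `empty-post:ntlm` verdict means the server was never handed a Kerberos ticket, so "Kerberos token is not valid" and "Authorization Header not set" are both expected from OpenAM's side; a `spnego` verdict on a request with a body moves the question back to the keytab and SPN. Feed the function the raw request text exported from the proxy capture.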


Re: Troubleshooting OpenAM Windows SSO authenticator module

Robert Morschel
Hi,

We now have this working on Chrome (but not IE or FF), but only on one desktop, which is good news from an OpenAM perspective, but a mystery why it refuses to work on other browsers/desktops, particularly as we already do Windows SSO with ADFS.

Regards,
Robert


Re: Troubleshooting OpenAM Windows SSO authenticator module

Paul Figura
Hi Robert,

Are you sure the OUTBOUND (from browser) content-length header is indeed not size 0? It really does seem it could be the problem to me, and it only affects IE.

For Firefox, did you enable the extra steps in the browser advanced config (negotiate options) to allow Kerberos authentication?
  • In the URL bar, type "about:config"
  • Search for the settings "network.negotiate-auth.trusted-uris" and "network.negotiate-auth.delegation-uris"
  • Add your AD server domain to these settings (starts with ".", example: .iggroup.local)
Regards,
Paul Figura
Identity & Access Management Architect
Indigo Consulting Canada
Tel: 514-432-6233
Email: [hidden email]  http://www.indigoconsulting.ca
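The same two Firefox preferences can be delivered as a user.js fragment rather than typed into about:config on each desktop. The script below is an added example (not from the thread) that validates the value as Paul describes it, every entry a leading-dot domain suffix, and emits the two user_pref lines; the domain values are constructed and the profile path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): emit the Firefox user.js lines for the
# two negotiate-auth prefs named in the post, after checking that every entry
# is a leading-dot domain suffix as the post advises. Domain values below are
# constructed; the profile path in the usage comment is an assumption.

# negotiate_uri_ok VALUE -> status 0 if every comma-separated entry starts with "."
negotiate_uri_ok() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS
    IFS=,
    for entry in $1; do
        case "$entry" in
            .?*) ;;                        # ".iggroup.local" style suffix: fine
            *) IFS=$old_ifs; return 1 ;;   # bare host, URL or empty entry: reject
        esac
    done
    IFS=$old_ifs
    return 0
}

# firefox_negotiate_prefs DOMAINS -> user.js lines on stdout, or nothing (status 1)
firefox_negotiate_prefs() {
    negotiate_uri_ok "$1" || return 1
    # trusted-uris: sites Firefox may answer with a Negotiate (Kerberos) token.
    printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$1"
    # delegation-uris: sites that may additionally receive a delegated credential;
    # the post sets both to the same domain suffix.
    printf 'user_pref("network.negotiate-auth.delegation-uris", "%s");\n' "$1"
}

# Stand-alone run with a constructed value.
firefox_negotiate_prefs ".iggroup.local"

# Usage on a real profile (path is an assumption for this example):
# firefox_negotiate_prefs ".iggroup.local" >> "$HOME/.mozilla/firefox/<profile>/user.js"
```

Keeping the validation separate from the emission lets the same check run over a value already present in a profile's prefs.js when a desktop that "should" work does not.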
   

Re: Troubleshooting OpenAM Windows SSO authenticator module

Bernhard Thalmayr
In reply to this post by Robert Morschel
Have you configured FF to participate in SPNEGO at all? (about:config 'trusted ...')

-Bernhard


Am 21/01/16 um 17:30 schrieb Robert Morschel:

> Hi,
>
> We now have this working on Chrome (but not IE or FF), but only on one desktop, which is good news from an OpenAM perspective, but a mystery why it refuses to work on other browsers/desktops, particularly as we already do Windows SSO with ADFS.
>
> Regards,
> Robert
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Robert Morschel
> Sent: 21 January 2016 13:53
> To: Users <[hidden email]>
> Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator module
>
> Hi,
>
> Thanks for the help so far.   So more details.
>
>>From the OpenAM server I can happily run kinit and kvno with my credentials.  Incidentally, OpenAM runs as a server tomcat account not present in AD.
>
> When I try from Chrome to login via: http://vrdevdoc001.iggroup.local:8080/openam?realm=ad, Fiddler shows the request POST http://vrdevdoc1.iggroup.local/openam/json/authenticate?realm=%2Fad HTTP/1.1 is presenting a Kerberos Authorization Header, even though the OpenAM authentication debug log says: Authorization Header not set in request:
>
> Negotiate
>
> Any other thoughts gratefully received.
>
> Regards,
> Robert
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Jari Ahonen
> Sent: 20 January 2016 18:48
> To: Users <[hidden email]>
> Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator module
>
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
> Sent: Wednesday, January 20, 2016 5:50 PM
> To: [hidden email]
> Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator module
>
>> You need to check on client why the Kerberos request against KDC failed.
>
> Unfortunately I have found this to be one of the trickiest things to do in practice and in some cases there isn't any logical explanation to be found. :(
>
> That said if you have a system with MIT Kerberos (RedHat/CentOS box would do nicely) it would be easy to check if you can get the appropriate ticket from KDC:
> $ kinit userid@REALM (this logs you into KDC and gets a TGT)
> $ kvno HTTP/server.fully.qualified.domain.name (Gets a service ticket for your web server and also shows the kvno of that ticket)
> $ klist (shows your cached tickets)
>
> Doing the above successfully proves that your KDC works and the problem is likely on the client side.
>
> Whatever it's worth I'm pretty sure kvno 0 is not correct on the ktpass command line. The kvno is incremented every time the password of the active directory account associated with the service changes. When you run ktpass on a newly created account the resulting kvno is IIRC 3 and any updates increment this value.
>
> HTH
>
> - Jari
>
> _______________________________________________
> Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect
http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information.If
you are not the intended recipient (or have received this email in
error) please notify the sender immediately and delete this e-mail. Any
unauthorized copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
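Two things in the quoted exchange can be checked mechanically rather than by eye: what the Negotiate header the browser sent actually contains (a Kerberos AP-REQ or an NTLM fallback, and for which realm and service principal), and whether the kvno the KDC put into that service ticket matches the kvno of the key in the OpenAM keytab, which is the point Jari raises about `-kvno 0`. The Python below is an added example, not code from the thread or from OpenAM; it decodes a Negotiate header far enough to report those fields and compares them with a keytab principal and kvno. `sample_negotiate_header` builds a constructed token with invented realm, host and kvno values and zero-filled cipher text, purely so the parser can be exercised offline.

```python
import base64

OID = {  # DER-encoded OBJECT IDENTIFIER values that appear in Negotiate tokens
    "SPNEGO": b"\x2b\x06\x01\x05\x05\x02",
    "KRB5": b"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02",
    "MS-KRB5": b"\x2a\x86\x48\x82\xf7\x12\x01\x02\x02",
    "NTLMSSP": b"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a",
}
OID_NAME = {v: k for k, v in OID.items()}

def _tlv(buf, pos=0):
    """Read one DER TLV at pos -> (tag, value, position after it); tags < 31 only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """All (tag, value) pairs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _by_tag(value, tag):
    return next(v for t, v in _children(value) if t == tag)

def inspect_negotiate_header(header):
    """Report what an 'Authorization: Negotiate <base64>' header value really carries."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    tok = base64.b64decode(b64)
    if tok.startswith(b"NTLMSSP\x00"):                  # raw NTLM, no SPNEGO wrapper at all
        return {"mechanism": "NTLMSSP", "mech_types": ["NTLMSSP"], "ticket": None}
    tag, body, _ = _tlv(tok)
    if tag != 0x60 or _by_tag(body, 0x06) != OID["SPNEGO"]:
        raise ValueError("not a SPNEGO InitialContextToken")
    neg_init = _by_tag(_by_tag(body, 0xA0), 0x30)       # [0] NegTokenInit
    mech_list = _by_tag(_by_tag(neg_init, 0xA0), 0x30)  # [0] mechTypes, preferred first
    mechs = [OID_NAME.get(v, v.hex()) for _, v in _children(mech_list)]
    info = {"mechanism": mechs[0], "mech_types": mechs, "ticket": None}
    mech_token = _by_tag(_by_tag(neg_init, 0xA2), 0x04)  # [2] mechToken OCTET STRING
    if mech_token.startswith(b"NTLMSSP\x00"):           # browser fell back to NTLM: no ticket
        return info
    _, krb, _ = _tlv(mech_token)                        # krb5 InitialContextToken (RFC 4121)
    _, oid, pos = _tlv(krb)                             # OID, then 2 raw TOK_ID bytes (not TLV)
    if oid != OID["KRB5"] or krb[pos:pos + 2] != b"\x01\x00":
        raise ValueError("mechToken is not a KRB_AP_REQ")
    _, ap_req, _ = _tlv(krb, pos + 2)
    tkt = _by_tag(_by_tag(_by_tag(_by_tag(ap_req, 0x30), 0xA3), 0x61), 0x30)  # AP-REQ [3] Ticket
    names = _by_tag(_by_tag(_by_tag(_by_tag(tkt, 0xA2), 0x30), 0xA1), 0x30)   # sname name-string
    enc = _by_tag(_by_tag(tkt, 0xA3), 0x30)             # enc-part EncryptedData
    kvno = [v for t, v in _children(enc) if t == 0xA1]  # [1] kvno is OPTIONAL
    info["ticket"] = {
        "realm": _by_tag(_by_tag(tkt, 0xA1), 0x1B).decode(),
        "sname": "/".join(v.decode() for _, v in _children(names)),
        "etype": int.from_bytes(_by_tag(_by_tag(enc, 0xA0), 0x02), "big", signed=True),
        "kvno": int.from_bytes(_by_tag(kvno[0], 0x02), "big", signed=True) if kvno else None,
    }
    return info

def ticket_problems(info, keytab_principal, keytab_kvno):
    """Reasons a keytab holding keytab_principal at keytab_kvno could not decrypt this token."""
    if info["ticket"] is None:
        return ["browser sent %s, not a Kerberos AP-REQ" % info["mechanism"]]
    t, problems = info["ticket"], []
    spn, _, realm = keytab_principal.partition("@")
    if t["sname"].lower() != spn.lower():
        problems.append("ticket for %s but keytab holds %s" % (t["sname"], spn))
    if realm and t["realm"].upper() != realm.upper():
        problems.append("ticket realm %s but keytab realm %s" % (t["realm"], realm))
    if t["kvno"] is not None and t["kvno"] != keytab_kvno:
        problems.append("ticket kvno %d but keytab kvno %d" % (t["kvno"], keytab_kvno))
    return problems

def _enc(tag, *parts):
    body = b"".join(parts)                              # minimal DER encoder, sample data only
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_negotiate_header(realm="CORP.EXAMPLE", host="sso.example.local", etype=23, kvno=4):
    """Constructed SPNEGO/KRB_AP_REQ header with zero-filled cipher text; every value is invented."""
    num = lambda n: _enc(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))
    gstr = lambda s: _enc(0x1B, s.encode())
    sname = _enc(0x30, _enc(0xA0, num(2)), _enc(0xA1, _enc(0x30, gstr("HTTP"), gstr(host))))
    enc_part = _enc(0x30, _enc(0xA0, num(etype)), _enc(0xA1, num(kvno)), _enc(0xA2, _enc(0x04, bytes(300))))
    ticket = _enc(0x61, _enc(0x30, _enc(0xA0, num(5)), _enc(0xA1, gstr(realm)), _enc(0xA2, sname), _enc(0xA3, enc_part)))
    authn = _enc(0xA4, _enc(0x30, _enc(0xA0, num(etype)), _enc(0xA2, _enc(0x04, bytes(64)))))
    ap_req = _enc(0x6E, _enc(0x30, _enc(0xA0, num(5)), _enc(0xA1, num(14)), _enc(0xA2, _enc(0x03, b"\x00\x20\x00\x00\x00")), _enc(0xA3, ticket), authn))
    krb = _enc(0x60, _enc(0x06, OID["KRB5"]), b"\x01\x00", ap_req)
    mechs = _enc(0x30, *(_enc(0x06, OID[m]) for m in ("KRB5", "MS-KRB5", "NTLMSSP")))
    spnego = _enc(0x60, _enc(0x06, OID["SPNEGO"]), _enc(0xA0, _enc(0x30, _enc(0xA0, mechs), _enc(0xA2, _enc(0x04, krb)))))
    return "Negotiate " + base64.b64encode(spnego).decode()
```

For a real capture, pass the full `Negotiate ...` value from the Authorization header to `inspect_negotiate_header` and take the keytab kvno from `klist -k <keytab>` (MIT Kerberos) for `ticket_problems`.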

Re: Troubleshooting OpenAM Windows SSO authenticator module

Robert Morschel
I tried the suggested FF settings, but no change.  

Regards,
Robert

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
Sent: 21 January 2016 17:18
To: [hidden email]
Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator module

Have you configured FF to participate in SPNEGO at all? (about:config 'trusted ...')

-Bernhard


On 21/01/16 at 17:30, Robert Morschel wrote:

> Hi,
>
> We now have this working on Chrome (but not IE or FF), but only on one desktop, which is good news from an OpenAM perspective, but a mystery why it refuses to work on other browsers/desktops, particularly as we already do Windows SSO with ADFS.
>
> Regards,
> Robert
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Robert Morschel
> Sent: 21 January 2016 13:53
> To: Users <[hidden email]>
> Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator
> module
>
> Hi,
>
> Thanks for the help so far.   So more details.
>
> From the OpenAM server I can happily run kinit and kvno with my credentials.  Incidentally, OpenAM runs as a server tomcat account not present in AD.
>
> When I try from Chrome to login via: http://vrdevdoc001.iggroup.local:8080/openam?realm=ad, Fiddler shows the request POST http://vrdevdoc1.iggroup.local/openam/json/authenticate?realm=%2Fad HTTP/1.1 is presenting a Kerberos Authorization Header, even though the OpenAM authentication debug log says: Authorization Header not set in request:
>
> Negotiate
>
> Any other thoughts gratefully received.
>
> Regards,
> Robert
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Jari Ahonen
> Sent: 20 January 2016 18:48
> To: Users <[hidden email]>
> Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator
> module
>
>
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
> Sent: Wednesday, January 20, 2016 5:50 PM
> To: [hidden email]
> Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator
> module
>
>> You need to check on client why the Kerberos request against KDC failed.
>
> Unfortunately I have found this to be one of the trickiest things to
> do in practice and in some cases there isn't any logical explanation
> to be found. :(
>
> That said if you have a system with MIT Kerberos (RedHat/CentOS box would do nicely) it would be easy to check if you can get the appropriate ticket from KDC:
> $ kinit userid@REALM (this logs you into KDC and gets a TGT)
> $ kvno HTTP/server.fully.qualified.domain.name (Gets a service ticket for your web server and also shows the kvno of that ticket)
> $ klist (shows your cached tickets)
>
> Doing the above successfully proves that your KDC works and the problem is likely on the client side.
>
> Whatever it's worth I'm pretty sure kvno 0 is not correct on the ktpass command line. The kvno is incremented every time the password of the active directory account associated with the service changes. When you run ktpass on a newly created account the resulting kvno is IIRC 3 and any updates increment this value.
>
> HTH
>
> - Jari
>
> _______________________________________________
> Visit the OpenAM forum at
> https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam
>


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam

Re: Troubleshooting OpenAM Windows SSO authenticator module

Robert Morschel
Regarding Chrome, the only browser on which this works in some instances, we have a standard Chrome build, yet some colleagues are able to login, while others cannot.   I tried a different PC - still doesn't work for me. So might be a policy thing?  I believe the group policies are standard, but is there something specific I could check?

IE refuses to work.

FF refuses to work, even when I add .iggroup.local to the suggested settings.

Regards,
Robert

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Robert Morschel
Sent: 22 January 2016 08:10
To: 'Users' <[hidden email]>
Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator module

I tried the suggested FF settings, but no change.  

Regards,
Robert

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
Sent: 21 January 2016 17:18
To: [hidden email]
Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator module

Have you configured FF to participate in SPNEGO at all? (about:config 'trusted ...')

-Bernhard


On 21/01/16 at 17:30, Robert Morschel wrote:

> Hi,
>
> We now have this working on Chrome (but not IE or FF), but only on one desktop, which is good news from an OpenAM perspective, but a mystery why it refuses to work on other browsers/desktops, particularly as we already do Windows SSO with ADFS.
>
> Regards,
> Robert
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Robert Morschel
> Sent: 21 January 2016 13:53
> To: Users <[hidden email]>
> Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator
> module
>
> Hi,
>
> Thanks for the help so far.   So more details.
>
> From the OpenAM server I can happily run kinit and kvno with my credentials.  Incidentally, OpenAM runs as a server tomcat account not present in AD.
>
> When I try from Chrome to login via: http://vrdevdoc001.iggroup.local:8080/openam?realm=ad, Fiddler shows the request POST http://vrdevdoc1.iggroup.local/openam/json/authenticate?realm=%2Fad HTTP/1.1 is presenting a Kerberos Authorization Header, even though the OpenAM authentication debug log says: Authorization Header not set in request:
>
> Negotiate
> v6wmgoxE5BNwGah7Z7zcaYgsevNs145lzruALdZ0WVoZRxz5J1Jyp9bto2bTD2G0ZrSpVx
> sh/VJQcbKTyVYZUS5FYSHD7E/PgaGBUIGWHe+GtNKZpIusIMujP3brdCKQi8e1StjOkcgb
> Vm2a5zQXqFv59PLMEDH3yy0jDRgZ869jRsPhd91X2+loLlaMB4zd1QMmEPzA1mc/lh/F3i
> yIM0UpfUQJ8dMEtX8mLGhpOTYTTRmG2+2H43d8KxwFselZmVzKkbgmKpTdG9lFGNe+gig+
> YLRI64u7fnf2hxuBi7a2XEdwwWtsdHk4dlqLeri0n5urGkWwwHMRHYOGGNkhYynZFB7rG1
> brEQ4XpWcQuBx8jNiNc7heS0rVGfHEO1Kbcae8Pjzz9mE86r+pQojKtCkvE4T7OSb1xNGa
> 5kUrhET
 4x

>  
> oh35v2eayZcQfbcoZnB3n3gDOaOL8dRGwO6JNwX3XoZmyyBOvoAYzHo9LSfcWt7Jnj1i6J
> AvSp9CZ0gVjq9sNlQIb8NBA8P5dKrQjF8pBSS/J5jYY180ExNXKrcE1m+cPCVLgtt1V4nN
> ToYm8jciGMbFR+GrEmL54jQndZmCgNrxLB5tJRy0oGr+dMk49UxFVF+RZ3ihnw4y2bXIEx
> r0Umnbm/pvvxLsW8qxd0xtL67FMsOMH+mJiL7KITqQgDZw4Gvf/p4lW6JzXiMPn08BxUX8
> lVxzxFQiQtbdHLuzwWHCy6u8mZEChqVygQlU+40O0LkdjNNjrpvyOWOKw9jOEAuPIKrPXd
> NUj9IYyOb7NQH7Gr9cF9PQIyvuH1+aibCK2aB25Iq5DgQ8kE/xWZWK7KVhNj3aa30ZFTCN
> QR1907MwQzYvpqjdXND0ImefNOXLbJTaV0E7iJLpOvHRF33teKb/rF5L6ROGPL0vpR8DZt
> Xavhaolhq6By3PS6+81iEqEduh9lp4z1bDc3bU1v5PYGR5jWWtaAb1vTI6bQxP10yeYQ6L
> geFTzugh1CS4fqYbk/u+NRAYAk93d/H4RrdA+ZI6PV6H4z9tOutRINJVyo6vkeVjnfX7WY
> N+FQUAGkUCawbvkMKKbRDJ6HBPc5ed9nlBPN3p9oLwJWr/nwYxPqAvM7oyJKbAOFO/fiIB
> uc5XE0CIqoM3lJ+tpN3B8qV3jzfSS1OclmVHnplERMcPceiJUkUoAzDQGTUYLXSb9bNEnC
> aRD42Iu9V7uWVNMeAq7sHYH67eQZ7o5u+rRyZVk/JeFtbS8CBRLqxu3q/Gv2rYpKWhMsHt
> 7Rpy9rLGXhni2QErEB0pHcC9vQ5RuZ6IpfwjCnxojLTcp4cyFyJOpHJEsl9/b+dI2Wxy71
> L1tvBgYzjHXpggwUXKzFXKrJfZIKKi5bfMjvBQ350jYMZffIw4pWjF+piv9l8l5kiYFvDD
> CN/+5dS
 4O

>  
> vvISLehNkZLsc1qpeobAQkHoin2t8plXzHv5jO+c6PR1JWNkrAMIoRj7y2Pnmc3IFlglBM
> V4ZpMmpLVhfIfgPT1+RgemxKeaXmCWLXz8VY36l8vxs85S8+3GJNFne3/JkfXoRJtwQ4l4
> 3RMshIf4bEhS3jq387xw/npG4E5Z/ky/Qwknio5qSZgkGXQklOajcekGv5qyqSidPIxE5h
> EgXTFPwhNka6Ym+ggiCpkvOvjLUDkEPy/Dx4pKib81taxQz8QnHPQo5pqj8CW1MxrJuKDJ
> /ZBKLTJqfxqy+bK08GJfrRKoN5ibSJNTOueaLFb98AL/bOu79tAZlO5ILGLsYVQwwdR+8v
> B+kCLBjLMoGWabbOdf0zjJI/h3+A6N3Jo5F+/VnkryL/Z2/WvVkXuIvOLLDHP9K+Zeh/Xb
> 2fYpFjgVoW33WAEpHChi4P4gbEvvAJtuaMchvQ7TTYTdl7qmdRa2Pn/W8gBU9LyfAVeFCd
> c6BIeVpDqgqIC9JcNkRNoDLhs2vSZVnp4hxYJQHwxh8iL6n9/g4sYMAFzzqI65NA2JHJxE
> sQmATge7jEOuI/0wBX60jlsxL+O39RaFGeEbqXappBnzQqjKleU/cqG84+hxj0lP3DXjHd
> y9P/c1CteI/ErFZmnvDSphnPiez2r5lXINWJYC7mK+EFzjIwpfWP5eS1fk2k4e4i/VYq0F
> HnCtPSTPuq37OMm7ZGZOcNJRSFQEBJjc+cdZm060ydD2XVwPUr7i9gfgUfvaUgD0GLx2m2
> CJgNSzlhdA7gWmudyL/2SZxifa0AcuEbewhSnWbLz7U0C7AylAo7rPKYr9HtBy8PYSF3dg
> A0PDNYqHfGbG93mBF/qv5abbtiKkN181MgwqEUsZKx2DRBtx/I0hzYUltUggNa77HXZeu6
> wmnRRE1G4NFjfZZ/UMqF9DAg67WBY1tNSX/qCoXNAnDAAOUiZY35WiHiNRjvw6/WPigBHv
> 3f5BWK6
 P3

>  
> SkggFdMIIBWaADAgEXooIBUASCAUxkr8t7cf2R4KHh35HHZ7SWDz0IGmG06EWdT8x6ZpTT
> lzRueusNXU2iMXRT2Z/fm5lQ2LxwG74r7OXYbbVy/j35pbiO54UAi5dpbMtCdaYoMqVJM4
> CRXyh4p6V2YMQvi5XHBwd5NDWNLpMeJolfDKhACU9lZSoaXze3xJ1QNanPQlq6PNvYgxxj
> 9+LZBoz3quCvUQ9MxvfW06fVR2gekl52K+3pzetKHQ/msYc3RJTEi2k0JaAjdUbEHl2pE4
> 9vQSxwYrAasYVIWf8/UtGdSi6RrZvCs71MfUaOziG0nv8tDGVXi8KgbAxi+hn45VOMH7pW
> hgeyj4l3puTIC6uKuMTSXP36WD0ESF85nAMPGwoQK+bic7aPdP2P3LhgeuEQ5xdaqtQIXf
> Ub0lCgOs/isHAvgSogxBXTOa2AESJqOziz1x0DYGDxQ4xA30lt0w==
>
> Any other thoughts gratefully received.
>
> Regards,
> Robert
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Jari Ahonen
> Sent: 20 January 2016 18:48
> To: Users <[hidden email]>
> Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator
> module
>
>
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Bernhard Thalmayr
> Sent: Wednesday, January 20, 2016 5:50 PM
> To: [hidden email]
> Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator
> module
>
>> You need to check on client why the Kerberos request against KDC failed.
>
> Unfortunately I have found this to be one of the trickiest things to
> do in practice and in some cases there isn't any logical explanation
> to be found. :(
>
> That said if you have a system with MIT Kerberos (RedHat/CentOS box would do nicely) it would be easy to check if you can get the appropriate ticket from KDC:
>
> $ kinit userid@REALM (this logs you into KDC and gets a TGT)
> $ kvno HTTP/server.fully.qualified.domain.name (gets a service ticket for your web server and also shows the kvno of that ticket)
> $ klist (shows your cached tickets)
>
> Doing the above successfully proves that your KDC works and the problem is likely on the client side.
>
> Whatever it's worth I'm pretty sure kvno 0 is not correct on the ktpass command line. The kvno is incremented every time the password of the active directory account associated with the service changes. When you run ktpass on a newly created account the resulting kvno is IIRC 3 and any updates increment this value.
>
> HTH
>
> - Jari
>
> _______________________________________________
> Visit the OpenAM forum at
> https://forgerock.org/forum/fr-projects/openam/
> OpenAM mailing list
> [hidden email]
> https://lists.forgerock.org/mailman/listinfo/openam


--
Painstaking Minds
IT-Consulting Bernhard Thalmayr
Herxheimer Str. 5, 83620 Vagen (Munich area), Germany
Tel: +49 (0)8062 7769174
Mobile: +49 (0)176 55060699

[hidden email] - Solution Architect http://www.xing.com/profile/Bernhard_Thalmayr
http://de.linkedin.com/in/bernhardthalmayr

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this email in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Re: Troubleshooting OpenAM Windows SSO authenticator module

Jari Ahonen
Hi,

In my experience with Negotiate/Kerberos auth Firefox has always been the easiest to get working and IE the most difficult. Generally speaking all it takes for FF to work is to set "network.negotiate-auth.trusted-uris = domain.name" and that's it (provided the service is set up correctly in AD).

I don't have the dot prepended to the domain name in Firefox settings, maybe worth trying it without? Not sure it makes any difference though.

- Jari

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Robert Morschel
Sent: Friday, January 22, 2016 10:36 AM
To: 'Users' <[hidden email]>
Subject: Re: [OpenAM] Troubleshooting OpenAM Windows SSO authenticator module

Regarding Chrome, the only browser on which this works in some instances, we have a standard Chrome build, yet some colleagues are able to log in, while others cannot. I tried a different PC - still doesn't work for me. So might be a policy thing? I believe the group policies are standard, but is there something specific I could check?

IE refuses to work.

FF refuses to work, even when I add .iggroup.local to the suggested settings.

Regards,
Robert


Re: Troubleshooting OpenAM Windows SSO authenticator module

Robert Morschel
FIXED IT!!!!

Tomcat maxHeaderSize was 8192, too small for the large number of groups certain accounts are members of.

It now works on all browsers!

Thank you so much for your help!  OpenAM rocks!  I'm going to the pub.

Regards,
Robert


Re: Troubleshooting OpenAM Windows SSO authenticator module

Nicolas Seigneur
We should have thought about this one earlier! Glad you got to the bottom of it.

One thing I would add is that you can use the User Account Control flag on your Kerberos AD service account to prevent AD from adding the PAC to the Kerberos token, as these can grow even beyond the 8k limit if you have many group memberships.

Tokens generated for SPNs tied to that service account will not include PAC data. Adding the following bit flag to the existing UAC value will prevent that:

    0x2000000: when the KDC emits a ticket for this service account, do NOT include the Privilege Attribute Certificate (PAC)

Nicolas Seigneur
Indigo Consulting Canada





--
-------------------------------------------------
Nicolas Seigneur
Indigo Technologies Canada, Inc.
mobile: +1.514.965.4890

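As an added example for the two points above (Robert's maxHttpHeaderSize finding and Nicolas's 0x2000000 UAC bit), and not code from OpenAM, Tomcat, AD or anyone in this thread, the Python below checks whether a browser's "Authorization: Negotiate" line fits a Tomcat header limit and computes the userAccountControl value with the no-PAC bit set. The SPNEGO token it builds is a constructed stand-in, not a real ticket, and all function names are my own.

```python
"""Added example for this thread (not OpenAM, Tomcat or AD code): does a
browser's 'Authorization: Negotiate ...' header fit in Tomcat's
maxHttpHeaderSize, and what userAccountControl value carries the no-PAC bit.
The SPNEGO token used below is constructed, not a real ticket."""
import base64
import binascii

# Tomcat connector default (bytes) that turned out too small in this thread.
DEFAULT_MAX_HTTP_HEADER_SIZE = 8192

# GSS-API InitialContextToken framing: [APPLICATION 0] tag, DER length, mech OID.
GSS_APPLICATION_TAG = 0x60
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
SPNEGO_OID_DER = b"\x06\x06" + SPNEGO_OID         # OBJECT IDENTIFIER, length 6
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

# userAccountControl bit from Nicolas's message (NO_AUTH_DATA_REQUIRED):
# the KDC omits the PAC, and with it the group SIDs, from this account's tickets.
UF_NO_AUTH_DATA_REQUIRED = 0x2000000


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_negotiate_token(header_value: str) -> bytes:
    """Raw GSS token from a 'Negotiate <base64>' value; ValueError if not one.

    NTLM also travels under 'Negotiate' but starts with b'NTLMSSP\\0', so it
    fails the [APPLICATION 0] check instead of being mistaken for Kerberos."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate header")
    try:
        token = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"bad base64: {exc}") from exc
    if not token or token[0] != GSS_APPLICATION_TAG:
        raise ValueError("missing GSS-API [APPLICATION 0] tag")
    return token


def token_mechanism(token: bytes) -> str:
    """'spnego', 'krb5' or 'unknown' from the OID right after the framing."""
    head = token[:16]
    if SPNEGO_OID in head:
        return "spnego"
    if KRB5_OID in head:
        return "krb5"
    return "unknown"


def header_fits(header_line: str,
                max_header_size: int = DEFAULT_MAX_HTTP_HEADER_SIZE) -> bool:
    """True if the whole header line plus CRLF fits the connector limit.

    The limit applies to the base64 text (4/3 of the raw token), and each
    proxy hop in front of Tomcat (the Apache/AJP setup later in the thread)
    has its own buffer limit that the same line must also clear."""
    return len(header_line.encode("ascii")) + 2 <= max_header_size


def build_negotiate_header(token: bytes) -> str:
    """Header line as a browser would send it."""
    return "Authorization: Negotiate " + base64.b64encode(token).decode("ascii")


def fake_spnego_token(payload_size: int) -> bytes:
    """Constructed SPNEGO-shaped token whose NegTokenInit carries payload_size
    bytes; in a real ticket that space holds the AP-REQ with the PAC, which
    is what grows with the number of group memberships."""
    body = SPNEGO_OID_DER + b"\xa0" + der_length(payload_size) + b"\x00" * payload_size
    return bytes([GSS_APPLICATION_TAG]) + der_length(len(body)) + body


def uac_with_no_pac(uac: int) -> int:
    """userAccountControl with the no-PAC bit set (idempotent)."""
    return uac | UF_NO_AUTH_DATA_REQUIRED


def uac_omits_pac(uac: int) -> bool:
    """True if the KDC will leave the PAC out for this account."""
    return bool(uac & UF_NO_AUTH_DATA_REQUIRED)
```

Run header_fits over captured Negotiate lines from accounts that fail and accounts that work; if only the failing ones exceed the limit, the connector size (or a proxy buffer in front of it) is the culprit rather than the Kerberos setup.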

Re: Troubleshooting OpenAM Windows SSO authenticator module

Bernhard Thalmayr
Am 22/01/16 um 15:02 schrieb Nicolas Seigneur:
> We should have thought about this one earlier! Glad you got to the
> bottom of it.

Indeed ... however initially no token or the wrong one was sent.

Something was correct in AD as well...

-Bernhard


Re: Troubleshooting OpenAM Windows SSO authenticator module

Robert Morschel
In reply to this post by Paul Figura

Hi,

Yes, I’m back with this.

To recap: OpenAM 12.0.0 – trying to get Windows desktop SSO working – failed with a "missing auth header" error.

So, increasing maxHttpHeaderSize worked fine for direct Tomcat access, but when doing this via Apache/AJP, it failed to work most of the time – it seemed the Authorization header was being stripped off. We tried increasing various Apache limits, and even contemplated recompiling Apache to get even larger limits (as one or two posts suggested), but then stumbled upon a solution: we added a second, LDAP authenticator to the authentication chain, behind the Windows SSO authenticator, and it works consistently (without the user being prompted for a username/password).

Any ideas what the heck is going on?

Regards,
Robert
