PeopleSoft Desktop Single Sign-on via Kerberos – Part 3

Welcome to the third installment of PeopleSoft Desktop Single Sign-on via Kerberos. I hope to wrap up everything in this final post. In Part 1 we configured our Linux servers to talk to our Active Directory server and set up a user/SPN for our Kerberos authentication. In Part 2 of the PeopleSoft Desktop SSO write-up we configured our Linux WebLogic instance to use the Oracle-provided servlet filter. We set the filter mapping to /* to force every request through the KerberosSSO filter. Now it is time to move on to the app server and online configuration to finish this up.

For the application server to validate the Kerberos token we need to copy the Java class files to $PS_HOME/class/com/peoplesoft/pt/desktopsso/kerberos. Oracle seems to deliver these in $PS_HOME/class/com/peoplesoft/PT/desktopsso/kerberos, but that doesn’t work: Linux paths are case sensitive, and the class is loaded by its package name com.peoplesoft.pt.desktopsso.kerberos, so the directory must be the lower-case “pt”. So either recopy these files from our web server or from the “PT” directory. We need both KerberosSSOValidator$1.class and KerberosSSOValidator.class.

Next let’s update our psappsrv.cfg file with the following JavaVM options:
-Djava.security.auth.login.config=/home/psoft/krbLogin.conf
-Djava.security.krb5.conf=/etc/krb5.conf

Look familiar? Yep, we did this on the web server. Did you create these files on the app server yet? If not, copy them from your web server, and don’t forget to also copy the keytab file that is referenced in krbLogin.conf.

So the JavaVM Options line will read something like this (it’s around line 925 in my config file):
JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Djava.security.auth.login.config=/home/psoft/krbLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf

Next let’s edit the PeopleCode for FUNCLIB_LDAP.LDAPAUTH. First we want to edit the getWWWAuthConfig function and update the user name assigned to &defaultUserID.

/* Updated for Kerberos Sign On */
&defaultUserId = "PUBUSER";

Next we want to add the following function at the end.

Online, create our public user PUBUSER and enable this user for guest login in the web profile. Reload the profile using the reloadconfig command or restart the web server. Once reloaded, try it out and see if it works. Don’t load the signon.html page: it is the sign-on page and of course will ask for a username/password. Start by trying to go to http://websrv.testdomain.com/psp/ps/EMPLOYEE/ERP/h/?tab=DEFAULT, for Finance for example.
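Before testing in the browser it is worth confirming that the app server side of the steps above is really in place, because a missing class file or keytab shows up later only as a generic invalid token error or a NULL validator. The following POSIX sh check is an added example for this write-up, not part of the original post and not something Oracle delivers. It assumes the layout used in this series: the two class files under the lower-case pt directory, the two -D settings on the JavaVM Options line of psappsrv.cfg, and a keyTab="..." entry in the JAAS login config; the $PS_HOME value and the location of your domain's psappsrv.cfg are passed in as arguments and are assumptions for your environment.

```shell
#!/bin/sh
# Added example (not from the original post): verify the app server
# prerequisites for the KerberosSSOValidator. Paths and option names follow
# the series; PS_HOME and the psappsrv.cfg location are supplied by the caller.

# Print the value of one -D option from a "JavaVM Options=" line, or nothing.
jvm_opt_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^-D$2=//p" | head -n 1
}

# First keyTab="..." path in a JAAS login config (straight quotes only).
keytab_from_login_conf() {
  sed -n 's/.*keyTab="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Usage: check_desktopsso PS_HOME /path/to/psappsrv.cfg
# Prints one line per check; returns 0 only when every check passes.
check_desktopsso() {
  ps_home=$1; appsrv_cfg=$2; rc=0
  good="$ps_home/class/com/peoplesoft/pt/desktopsso/kerberos"
  bad="$ps_home/class/com/peoplesoft/PT/desktopsso/kerberos"

  # 1. Both class files must sit under the lower-case "pt" package path.
  for f in 'KerberosSSOValidator.class' 'KerberosSSOValidator$1.class'; do
    if [ -f "$good/$f" ]; then
      echo "ok   $good/$f"
    elif [ -f "$bad/$f" ]; then
      echo "FAIL $f is only under the upper-case PT directory; GetJavaClass returns NULL until it is copied to $good"
      rc=1
    else
      echo "FAIL $f not found; copy it from the web server"
      rc=1
    fi
  done

  # 2. psappsrv.cfg must carry both -D options, each pointing at a readable file.
  opts=$(grep '^JavaVM Options=' "$appsrv_cfg" 2>/dev/null | head -n 1)
  if [ -z "$opts" ]; then
    echo "FAIL no 'JavaVM Options=' line in $appsrv_cfg"
    return 1
  fi
  login_conf=$(jvm_opt_value "$opts" java.security.auth.login.config)
  krb5_conf=$(jvm_opt_value "$opts" java.security.krb5.conf)
  for pair in "java.security.auth.login.config:$login_conf" \
              "java.security.krb5.conf:$krb5_conf"; do
    name=${pair%%:*}; path=${pair#*:}
    if [ -z "$path" ]; then
      echo "FAIL -D$name is missing from JavaVM Options"; rc=1
    elif [ ! -r "$path" ]; then
      echo "FAIL -D$name points at $path, which is missing or unreadable"; rc=1
    else
      echo "ok   -D$name=$path"
    fi
  done
  [ -r "$login_conf" ] || return 1

  # 3. Curly quotes pasted from a web page end up inside the keytab path value.
  if LC_ALL=C grep -q -e "$(printf '\342\200\234')" -e "$(printf '\342\200\235')" "$login_conf"; then
    echo "FAIL $login_conf contains curly quotes; replace them with straight double quotes"; rc=1
  fi

  # 4. The keytab named in the login config must exist and be readable by this user.
  keytab=$(keytab_from_login_conf "$login_conf")
  if [ -z "$keytab" ]; then
    echo "FAIL no keyTab=\"...\" entry in $login_conf"; rc=1
  elif [ ! -r "$keytab" ]; then
    echo "FAIL keytab $keytab is missing or unreadable; copy it from the web server"; rc=1
  else
    echo "ok   keytab $keytab"
  fi
  return $rc
}
```

Run it as the user that starts the application server, for example `check_desktopsso "$PS_HOME" "$PS_HOME/appserv/<domain>/psappsrv.cfg"` (substitute wherever your domain's psappsrv.cfg lives), so that the readability checks reflect the permissions the app server will actually have; each FAIL line names the step above that still needs attention.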

53 thoughts on “PeopleSoft Desktop Single Sign-on via Kerberos – Part 3”
  1. Hi Randy,

    I’m repeatedly getting ‘KerberosSSOFilter: Received invalid token.’ error in my webserver.

    Any Idea why this error occurs.

    • Hi Vimal,

      Received invalid token is kicked out when a GSSException is caught. The source for the SSO filter is available on the app server in %PS_HOME%\sdk\desktopsso\src\com\peoplesoft\pt\desktopsso\kerberos if you care to look at it. You could edit the code to output the exception and redeploy the filter to gain additional debug info. If I’m not mistaken I got this error when I used a browser that was not setup to send a Kerberos token or I was browsing from a machine outside the Domain. However, there are probably several other reasons why that exception could be thrown as well. Have you done the section on Enabling Kerberos Authentication in the Browser from the PeopleBooks?

      Randy

      • Hi Randy,

        Yes I have done the section regarding ‘Enabling Kerberos Authentication in the browser’. I was not browsing from outside the domain.

        I also happened to check PIA_stderr.log file and I found ‘Checksum failed!’ error whenever the filter threw the exception.

        I tried to google for the same but was a little unlucky.

        Did you get the same issue while you were facing the invalid token error?

        • I checked my logs and never had a Checksum failed error. If you want to send me an email with your environment details I’ll try to give you a hand.

          • Hi Randy,
            I have configured my PeopleSoft as well as AD to talk to each other and am able to connect from PeopleSoft to the AD, which is on a different domain, using the kinit command. However, when I access the PeopleSoft PIA link from outside the domain it gives an invalid token error. Can’t we use Kerberos to access sites from outside the network?

          • I’m not clear on what you are trying to do. Is this in regards to the multi-realm configuration you asked about previously, or is this simply access for users that are not already authenticated with Kerberos?

          • This is a different issue as opposed to the one I was talking about for multiple realms. I have a set of users who are on the abc.peoplesoft.com domain and they access the PeopleSoft web server on the peoplesoft.com domain. We have Kerberos desktop single sign-on enabled. When users from peoplesoft.com log in they are logged in correctly with their user IDs. But if a user from abc.peoplesoft.com logs in, it logs in as PUBUSER, i.e. it does not switch the user ID to the user’s user ID. When I look at the logs, I see that the token is probably sent as NULL instead of user@abc.peoplesoft.com. I saw somewhere that Kerberos does not work if you log in from a different domain. Is this why the user from abc.peoplesoft.com is not able to log in properly?

  2. Hi Randy,

    I read from another article that the JAVA version should be higher than 1.5 to create a proper keytab file. We do use JDK 1.7, but the JAVA_HOME path was not set properly.

    Could this affect the keytab file in any way?
    What is the role of Java in creating a keytab file?

  3. Hi Randy,
    Great article! Question: we are getting a Java exception “cannot locate default realm” when the web server starts. The default realm, which is our domain, can be pinged from the web server machine. Any other reason this exception can come? Long user name maybe?

    • Elias,

      Thanks for the compliment, glad you enjoyed it. First thing that comes to mind is not setting the default realm in ALL CAPS in krb5.conf (I don’t remember the error from this but if I remember correctly it produces one). Were you able to test successfully using the steps in part 1 of the series? If so, then perhaps there is a typo in your krb5.conf location you are specifying to Weblogic (-Djava.security.krb5.conf=/etc/krb5.conf). If you provide more detail I may be able to help further.

      Randy

  4. Hi Randy,

    Caught another issue. I am getting the “KerberosSSOFilter: Received invalid token” error in the PIA_stdout.log file. I am using the right domain and the browser settings look good (I have done them according to the PeopleBooks).

    Any ideas?

  5. Have everything set up, have PUBUSER set up with the PeopleSoft guest role, bounced the server, cleared cache, everything. Launch a link to take me right into QA and still receive the login screen saying — “You have requested a secure resource. Please signon with your User ID and Password”.
    If I add the PeopleSoft admin role to PUBUSER it lets me in, however I’m logged in as PUBUSER, not as my login ID; you do a Ctrl+J and it shows pubuser, not jsmith.

    any ideas???

    • It sounds like you are failing to switch users, otherwise I’d expect some other kind of error. First thing I would look at is FUNCLIB_LDAP.LDAPAUTH and in the getWWWAuthConfig function is the username that is set as &defaultUserID the one you are using? Also, what do you see in the appsrv logs? Any indication that the user is switching or failing to switch?

      • Hi Randy, we are having the same issue when we try to access the SSO link from a VPN login: “You have requested a secure resource. Please signon with your User ID and Password”.

        But when we try to access the same SSO link without VPN, it’s working fine. Could you advise on this? Thanks in advance.

        • This sounds like it would probably need some deeper troubleshooting from a network/security level. If it works on the local network, you’ve proven it’s not a PeopleSoft configuration issue. It sounds like over VPN the client machine is unable to get the proper Kerberos ticket therefore you are being prompted for credentials.

    • Hi,

      Thanks for the compliment. If what is happening is (assuming you are using IE as a browser) that the window popping up is from IE asking for your credentials, and it then works after they are entered, it sounds like a browser configuration problem. Your configuration is most likely not allowing integrated security for the zone the web domain you are using is found in. Ensure that the URL is listed in the Local intranet zone for IE: ensure the URL is added to the list at Internet Options -> Security -> Local intranet -> Sites -> Advanced. There is also a setting in IE at Internet Options -> Security -> Local intranet -> Custom level -> scroll to the bottom. The User Authentication: Logon option should be set to Automatic logon only in Intranet zone.

      There are some sections in the PeopleBooks that cover this browser configuration.
      Enable Kerberos Auth in IE
      Enable Kerberos Auth in Firefox

      Hope that helps.

  6. Hi Randy!

    I have implemented this solution without enabling the validation at the web server side. The authentication is always done through the public user.
    Tracing the sign-on PeopleCode shows that the problem is at this point:

    &validator = GetJavaClass("com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator").getInstance();
    Local string &username = &validator.validate(&krbToken);

    First operand of . is NULL, so cannot access member validate

    GetJavaClass is returning NULL (printing &validator in a file shows NULL).

    Any idea why this might occur?

    Thanks

    • Can you check your APPSRV logs for additional details? My first guess would be that the app server can not find the class file so the validator object is null. Keep in mind case sensitivity for the “pt” portion of the path. On Linux the files were already located in $PS_HOME/class/com/peoplesoft/PT/desktopsso/kerberos but that is not correct because the PT is in caps and should be lower case.

    • We are getting the same error (First operand of . is NULL, so cannot access member validate) and have been stuck for 2 weeks. Please help me: what was the solution for this issue?

      Thanks in advance!!!

  7. Hi Randy,

    Thank you for your reply.
    This was fixed by copying the class files from the webserver.

    Another point, and just for info, under Windows, the pt folder is delivered in lowercase.

    Thanks

  8. We are implementing the same thing, however we are stuck at the application server check in PeopleCode, &validator = GetJavaClass("com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator").getInstance();

    It’s giving a null value if we write the value to a file. I have recopied those files from the web server to the app server. It is still not working. Looking for help.

    Regards
    Vikrant

    • What OS are you deploying on? Check the path for com/peoplesoft/pt/desktopsso/kerberos/KerberosSSOValidator for typos, case sensitivity issues (pt vs. PT), or permissions problems.

  9. We need help for implementing Peoplesoft SSO Kerberos solution.

    We have done a lot of work but got stuck once the “com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator” Java class failed to authenticate the server credentials, getting the error “Failed to acqurie servers credential”.

    • I’m not familiar with this error. What OS are you implementing on? Can you provide the stack trace? You can contact me via the About page. Did the kinit test work?

  10. I completed the PeopleSoft SSO Kerberos setup. During testing using the DEFAULT URL, it does sign in automatically but only with the default user ID ‘PUBUSER’. Any advice? Thanks

    OS: Windows server 2008 R2 64-bits

  11. Hi Randy,

    Hope you are doing fine. We are facing a situation while configuring the Kerberos for multiple AD domains.

    With a single AD domain, everything works fine. But if we try to adjust the Kerberos config files for multiple domains and try to log in, it fails and just logs in as the public user.

    Area where we need help: How to merge the multiple domains in krb5.conf and krb5Login.conf.

    Attached are examples of how we are trying it, and it’s not working.

    krb5.conf

    [libdefaults]
    default_realm = DOMAIN1
    ticket_lifetime = 2400
    dns_lookup_realm = false
    dns_lookup_kdc = true

    [realms]
    DOMAIN1 = {
    kdc = DOMAIN1
    admin_server = DOMAIN1
    default_domain = DOMAIN1
    }
    DOMAIN2 = {
    kdc = DOMAIN2
    admin_server = DOMAIN2
    default_domain = DOMAIN2
    }
    DOMAIN3 = {
    kdc = DOMAIN3
    admin_server = DOMAIN3
    default_domain = DOMAIN3
    }

    [domain_realm]
    .domain1 = DOMAIN1
    DOMAIN1 = DOMAIN1
    .domain2 = DOMAIN2
    DOMAIN2 = DOMAIN2
    .domain3 = DOMAIN3
    DOMAIN3 = DOMAIN3

    krb5Login.conf

    krbServer
    {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/unixs913/apps/psf/v092000/krb5/1.keytab"
    isInitiator=false
    principal="HTTP/unixs913.*****.****.com";
    };

    krbServer
    {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/unixs913/apps/psf/v092000/krb5/2.keytab"
    isInitiator=false
    principal="HTTP/unixs913.*****.****.com";
    };

    krbServer
    {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/unixs913/apps/psf/v092000/krb5/3.keytab"
    isInitiator=false
    principal="HTTP/unixs913.*****.****.com";
    };

      • Yes, it is possible to authenticate against multiple Kerberos realms. However, it will not work with the delivered solution I documented here. It is not as simple as just adding additional realms to the configuration. It requires a custom solution and has additional security considerations. If this is something you are still interested in you can contact me via the About page.

  12. Dear Randy,
    We are doing the Kerberos SSO setup in Linux, for PT 8.53.11. On one environment we got it working, but we had to make some changes and we generated the keytab file again; after that it’s not working. We followed each step you have documented here.
    Let me mention what we have done so far.

    My kinit user@testdomail.local is generating a ticket.
    [1] Service Principal: krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL Valid starting: Nov 20, 2014 06:48
    Expires: Nov 20, 2014 16:48

    [psadmin@hlxc0ps001 etc]$ kinit -k -t /home/psadmin/krb5.keytab HTTP/webserver@TESTDOMAIN.LOCAL New ticket is stored in cache file /tmp/krb5cc_6101
    [psadmin@hlxc0ps001 etc]$ klist

    Credentials cache: /tmp/krb5cc_6101

    Default principal: HTTP/webserver@TESTDOMAIN.LOCAL , 1 entry found.

    [1] Service Principal: krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
    Valid starting: Nov 20, 2014 06:52
    Expires: Nov 20, 2014 16:52
    [psadmin@hlxc0ps001 etc]$ kdestroy

    krbServer {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/home/psadmin/krb5.keytab"
    isInitiator=false
    principal="Principle Name as registered";
    };

    setEnv.sh
    -Djava.security.auth.login.config=/home/psadmin/krbLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf

    Similarly, the psappsrv configuration file has been changed, and the web.xml looks like this:
    Portal

    KerberosSSO
    com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter

    checkSecureConnection
    false

    validateToken
    true

    verbose
    true

    KerberosSSO
    /*

    After these changes I am continuously getting..

    Please help me with this.

    Thanks a lot

    Vikrant

    • Interesting, not sure why it would break after recreating the keytab file. It looks like you were able to test the keytab file without a problem. The error or log message doesn’t appear to have come through, can you try posting it again. What were the changes you made? The principal in krbLogin.conf matches exactly what you are using in the new keytab file right (case sensitive)?

  13. Hi Randy,

    I have followed the steps given, and also in the webserv logs I can see the following log:

    And no error is encountered in the webserv or the appserv logs, but still, while logging in to the PIA, I am getting the authorization error and the PeopleSoft sign-on page is displayed.

    It would be great if you could please help me out with this.

  14. I completed the PeopleSoft SSO Kerberos setup. During testing using the DEFAULT URL, it does sign in automatically but only with the default user ID ‘PUBUSER’.
    Please advise.

  15. Hi Randy,

    I have to configure the Desktop SSO for Peoplesoft application. Below are my environment details.

    Windows Active Directory Server
    App and Process Scheduler running on Linux server
    Oracle Database.

    Could you please help or guide me how to setup the Desktop SSO for Peoplesoft Application in Linux Environment.

    • The three part series I wrote on Single Sign-on via Kerberos already documents everything you should need for your environment as it also was done on Linux. If you have specific questions about this process I will try to answer them as time permits. If you are interested in consulting services please contact me via the About page. Thanks and good luck on the implementation.

  16. Randy

    Thanks for your efforts, great information. We are trying to implement desktop SSO, and configured it based on your document. We are on tools 8.54.07 and we also use a web profile to switch to a virtual address: the original https://manchine.xxx.com/POOND/signon.html is translated to https://my.xxx.com/POOND/signon.html. When I use this web profile and try to bring up the sign-on page, it gives “invalid site name”. I’m not sure what needs to be configured. Below is my
    krb5.conf
    [libdefaults]
    default_realm = XXXXX.XXX
    ticket_lifetime = 2400
    dns_lookup_realm = false
    dns_lookup_kdc = true
    #default_tkt_enctypes = des-cbc-crc
    #default_tgs_enctypes = des-cbc-crc
    #allow_weak_crypto=true
    [realms]
    XXXXX.usnc = {
    kdc = XXX.XX.XX.X
    admin_server = xxx-dc02.XXXXX.COM
    default_domain = XXXXX.USNC
    }

    and krblogin.conf is
    krbServer {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="C:/krb/krbsrv.keytab"
    isInitiator=false
    principal="krbsrv@XXXXX.XXX";
    };
    Do we need anything else configured if we are using virtual addressing on web profiles?

    Thanks and appreciate your help..
    Ravi

  17. Hi Randy,

    Very informative blog. Helped us to implement SSO on Linux. However, we are facing one issue. System is logging on with the same default user for all. It is not able to authenticate with the logged on user’s credentials.

    Would appreciate any help in resolving this error.

    • Hi, I have heard of this happening a few times, usually due to invalid Kerberos tokens being detected by the filter. It’s hard to say what might be the problem there though. Check the Weblogic and app server logs to see what errors if any you are getting, I also use Wireshark to dive deeper when troubleshooting token issues.

      • We are receiving “KerberosSSOFilter: Received invalid token” in the PIA log.
        On further analysis of our configuration files (krb5.conf and krbLogin.conf), we have observed that kinit is working fine when checked explicitly with username and password. However, when we run kinit with the keytab file, we get the error “kinit(v5): Key table entry not found while getting initial credentials”.
        Any suggestions for resolution?

  18. Hi Randy,

    I see that the Kerberos implementation is removed from the PeopleTools 8.54 PeopleBooks. Can you please tell me if it is still possible to implement Kerberos SSO with PeopleTools 8.54? Does PeopleSoft provide all the required Java files?

    Thanks
    Vikrant Kumar

    • Yes, the files are still delivered with 8.54 and I’ve had it working on 8.54. I have not looked at 8.55 yet to see if they are still with that version.

  19. Randy, thanks for the informative blog. I was able to follow the steps and configure the PeopleSoft SSO Kerberos, but during testing using the DEFAULT URL, it does sign in automatically but only with the default user ID ‘PUBUSER’. Any thoughts on why this is happening?

    • Varma,
      Kerberos authentication is still failing for your test user either at the web or the app.
      You are getting signed in as PUBUSER because you have roles assigned to PUBUSER that allow PUBUSER to actually log in. PUBUSER needs no roles at all for this to work properly, and in fact having no roles is preferred, so that users who may fail Kerberos auth for legitimate reasons can still be presented with a sign-on page. Your logs probably indicate an invalid token was received. But that is a generic error and difficult to troubleshoot without detailed analysis.

      • Randy,

        Webserver is looking fine and I guess authentication is failing at app server level. Here is the log from webserver,

        Could you please help me troubleshoot the Kerberos authentication at the application server level? I tried the PeopleCode trace but it’s not showing anything since authentication has failed: “Authorization Error — Contact your Security Administrator”.

  20. Thanks to Randy for the excellent posts.
    I used the documentation to get my own implementation of Kerberos SSO to work. However, since I’m on a pure Windows-based system there were some tweaks that were required.
    I have documented my configuration on my website, and I invite people to review my configuration here: http://smartpeoplesoftadmin.com/
