PeopleSoft Desktop Single Sign-on via Kerberos – Part 3

Welcome to the third installment of PeopleSoft Desktop Single Sign-on via Kerberos. I hope to wrap up everything in this final post. In Part 1 we configured our Linux servers to talk to our Active Directory server and set up a user/SPN for our Kerberos authentication. In Part 2 of the PeopleSoft Desktop SSO write-up we configured our Linux WebLogic instance to use the Oracle-provided servlet filter. We set the filter mapping to /* to force every request through the KerberosSSO filter. Now it is time to move on to our app server and online configurations to finish this up.

In order for the application server to validate the Kerberos token, we need to copy the Java class files to $PS_HOME/class/com/peoplesoft/pt/desktopsso/kerberos. Oracle seems to be delivering these in $PS_HOME/class/com/peoplesoft/PT/desktopsso/kerberos, but that doesn’t work: the path is case-sensitive on Linux and the package name uses a lowercase pt. So either recopy these files from our web server or from the “PT” directory. We need both KerberosSSOValidator$1.class and KerberosSSOValidator.class.

Next let’s update our psappsrv.cfg file with the following:
-Djava.security.auth.login.config=/home/psoft/krbLogin.conf
-Djava.security.krb5.conf=/etc/krb5.conf

Look familiar? Yep, we did this on the web server. Did you create these files on the app server yet? If not, copy them from your web server, and don’t forget to copy the keytab file, which is referenced in krbLogin.conf.

So the JavaVM Options line will read something like (it’s around line 925 in my config file)
JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Djava.security.auth.login.config=/home/psoft/krbLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf
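
A pre-flight check for the app server steps above, as an added example that is not part of the original post and is not Oracle-delivered tooling. It assumes a Linux app server and takes PS_HOME and the psappsrv.cfg path as arguments; the function names are this example's own.

```sh
#!/bin/sh
# Added example (not Oracle tooling): pre-flight for the app-server steps above.
# Assumes a Linux app server; function names are this example's own.

FAILS=0
fail() { echo "FAIL: $*"; FAILS=$((FAILS + 1)); }
ok()   { echo "ok:   $*"; }

# The validator classes must sit under lowercase "pt"; on a case-sensitive
# filesystem the delivered "PT" directory is a different path.
check_validator_classes() {   # $1 = PS_HOME
    base="$1/class/com/peoplesoft"
    for cls in 'KerberosSSOValidator.class' 'KerberosSSOValidator$1.class'; do
        if [ -r "$base/pt/desktopsso/kerberos/$cls" ]; then
            ok "$cls found under pt/"
        elif [ -r "$base/PT/desktopsso/kerberos/$cls" ]; then
            fail "$cls is only under PT/ (wrong case); copy it to pt/"
        else
            fail "$cls missing from $base/pt/desktopsso/kerberos"
        fi
    done
}

# Print the value of -D<name>=<value> from the "JavaVM Options=" line.
jvm_option() {                # $1 = psappsrv.cfg, $2 = property name
    sed -n 's/^JavaVM Options=//p' "$1" | tr ' ' '\n' |
        sed -n "s/^-D$2=//p" | head -n 1
}

# Print the keyTab path from a JAAS login file. Only straight double quotes
# match, so a file pasted with typographic quotes yields nothing.
keytab_from_login_conf() {    # $1 = krbLogin.conf
    sed -n 's/^[[:space:]]*keyTab="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# The keytab holds the service account's long-term key, so no group/other
# permission bits should be set (characters 5-10 of the ls mode string).
keytab_is_private() {         # $1 = keytab path
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

preflight() {                 # $1 = PS_HOME, $2 = psappsrv.cfg
    FAILS=0
    check_validator_classes "$1"
    login=$(jvm_option "$2" java.security.auth.login.config)
    krb5=$(jvm_option "$2" java.security.krb5.conf)
    if [ -n "$krb5" ] && [ -r "$krb5" ]; then
        ok "krb5 config $krb5"
    else
        fail "java.security.krb5.conf unset or unreadable: '$krb5'"
    fi
    if [ -n "$login" ] && [ -r "$login" ]; then
        ok "login config $login"
        kt=$(keytab_from_login_conf "$login")
        if [ -z "$kt" ] || [ ! -r "$kt" ]; then
            fail "keyTab in $login unset or unreadable: '$kt'"
        elif keytab_is_private "$kt"; then
            ok "keytab $kt is owner-only"
        else
            fail "keytab $kt is readable by group/other; chmod 600 it"
        fi
    else
        fail "java.security.auth.login.config unset or unreadable: '$login'"
    fi
    [ "$FAILS" -eq 0 ]
}

# Usage: sh preflight.sh "$PS_HOME" /path/to/psappsrv.cfg
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as the account that starts the app server domain, since readability and keytab permissions are evaluated for the current user.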

Next let’s edit the PeopleCode for FUNCLIB_LDAP.LDAPAUTH. First we want to edit the getWWWAuthConfig function. Update the username assigned to &defaultUserId.

/* Updated for Kerberos Sign On */
&defaultUserId = "PUBUSER";

Next we want to add the following function at the end.

/*/////////////////////////////////////////////////////////////////////////////////////////////
KRB_AUTHENTICATION used for Kerberos Single Sign On
////////////////////////////////////////////////////////////////////////////////////////////*/
Function KRB_AUTHENTICATION()
   /* Run only when sign-on has succeeded so far and no other method has already set the user */
   If %PSAuthResult = True And
         &authMethod <> "WWW" And
         &authMethod <> "OAMSSO" And
         &authMethod <> "OSSO" And
         &authMethod <> "SSO" And
         &authMethod <> "LDAP" Then
      getWWWAuthConfig();
      /* Only switch users when the request signed on as the public user */
      If %SignonUserId = &defaultUserId Then
         Local string &princName = %Request.GetHeader("KRB_USER");
         Local string &krbToken = %Request.GetHeader("Authorization");
         Local string &userName = &princName;
         /* Strip the @REALM suffix to get the PeopleSoft user ID */
         Local number &foundDelim = Find("@", &userName);
         If (&foundDelim > 0) Then
            &userName = Substring(&userName, 1, &foundDelim - 1);
         End-If;
         If Len(&userName) > 0 Then
            /* Drop the leading "Negotiate " (10 characters) from the Authorization header */
            &krbToken = Substring(&krbToken, 11, Len(&krbToken) + 1);
            &validator = GetJavaClass("com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator").getInstance();
            Local string &validUserName = &validator.validate(&krbToken);
            /* Trust the KRB_USER header only if the validated token names the same principal */
            If &validUserName <> "NULL" And
                   &princName = &validUserName Then
               SetAuthenticationResult( True, Upper(&userName), "", False);
               &authMethod = "KRB";
            End-If;
         End-If;
      End-If;
   End-If;
End-Function;

Online, create our public user PUBUSER and enable this user for guest login capabilities in the web profile. Reload the profile using the reloadconfig command or restart the web server. Once reloaded, try it out and see if it works. Don’t load the signon.html page; it’s the signon page and of course will ask for a username/password. Start by going to a content URL instead, for example http://websrv.testdomain.com/psp/ps/EMPLOYEE/ERP/h/?tab=DEFAULT for Finance.


Comments

59 responses to “PeopleSoft Desktop Single Sign-on via Kerberos – Part 3”

  1. Vimal

    Hi Randy,

    I’m repeatedly getting ‘KerberosSSOFilter: Received invalid token.’ error in my webserver.

    Any idea why this error occurs?

    1. Randy

      Hi Vimal,

      Received invalid token is kicked out when a GSSException is caught. The source for the SSO filter is available on the app server in %PS_HOME%\sdk\desktopsso\src\com\peoplesoft\pt\desktopsso\kerberos if you care to look at it. You could edit the code to output the exception and redeploy the filter to gain additional debug info. If I’m not mistaken I got this error when I used a browser that was not set up to send a Kerberos token or I was browsing from a machine outside the Domain. However, there are probably several other reasons why that exception could be thrown as well. Have you done the section on Enabling Kerberos Authentication in the Browser from the PeopleBooks?

      Randy

      1. Vimal

        Hi Randy,

        Yes I have done the section regarding ‘Enabling Kerberos Authentication in the browser’. I was not browsing from outside the domain.

        I also happened to check PIA_stderr.log file and I found ‘Checksum failed!’ error whenever the filter threw the exception.

        I tried to google for the same but was a little unlucky.

        Did you get the same issue while you were facing the invalid token error?

        1. Randy

          I checked my logs and never had a Checksum failed error. If you want to send me an email with your environment details I’ll try to give you a hand.

          1. Vijay

            Hi Randy,
            I have configured my PeopleSoft as well as AD to talk to each other and am able to connect from PeopleSoft to the AD which is on a different domain using the kinit command. However when I access the PeopleSoft PIA link from outside the domain it gives invalid token error. Can’t we use Kerberos to access sites from outside the network?

          2. Randy

            I’m not clear on what you are trying to do. Is this in regards to the multi realm configuration you asked about previously or is this simply access for users that are not already authenticated with Kerberos?

          3. Vijay

            This is a different issue from the one I was talking about for multiple realms. I have a set of users who are on the abc.peoplesoft.com domain and they access the PeopleSoft web server on the peoplesoft.com domain. We have Kerberos desktop single sign-on enabled. When users from peoplesoft.com log in, they get logged in correctly with their user IDs. While if a user from abc.peoplesoft.com logs in, it logs in as PUBUSER, i.e. it does not switch the user ID to the user’s user ID. When I look at the logs, I see that the token is probably sent as NULL instead of user@abc.peoplesoft.com. I saw somewhere that Kerberos does not work if you log in from a different domain. Is this why the user from abc.peoplesoft.com is not able to log in properly?

  2. Vimal

    Hi Randy,

    I read from another article that the JAVA version should be higher than 1.5 to create a proper keytab file. We do use JDK 1.7, but the JAVA_HOME path was not set properly.

    Could this affect the keytab file in any way?
    What is the role of JAVA in creating a keytab file?

    1. Randy

      I don’t believe so because I created the keytab file on the Windows server and then copied it to the Linux server.

  3. Elias

    Hi Randy,
    Great article! question – we are getting a java exception “cannot locate default realm” when the webserver starts. The default realm which is our domain, can be pinged from the webserver machine. Any other reason this exception can come? Long user name maybe?

    1. Randy

      Elias,

      Thanks for the compliment, glad you enjoyed it. First thing that comes to mind is not setting the default realm in ALL CAPS in krb5.conf (I don’t remember the error from this but if I remember correctly it produces one). Were you able to test successfully using the steps in part 1 of the series? If so, then perhaps there is a typo in your krb5.conf location you are specifying to Weblogic (-Djava.security.krb5.conf=/etc/krb5.conf). If you provide more detail I may be able to help further.

      Randy

  4. Vishu

    Hi Randy,

    Caught another issue. I am getting “KerberosSSOFilter: Received invalid token” error in PIA_stdout.log file. I am using the right domain and the browser settings look good (I have done it according to the PeopleBooks).

    Any ideas?

  5. randy

    Have everything set up, have pubuser set up with peoplesoft guest role, bounced server, cleared cache, everything. Launch a link to take me right into QA and still receive login screen saying — “You have requested a secure resource. Please signon with your User ID and Password”
    If I add peoplesoft admin role to pubuser it lets me in, however I’m logged in as pubuser not as my login id; you do a ctrl+j and it shows pubuser not jsmith.

    Any ideas???

    1. Randy

      It sounds like you are failing to switch users, otherwise I’d expect some other kind of error. First thing I would look at is FUNCLIB_LDAP.LDAPAUTH and in the getWWWAuthConfig function is the username that is set as &defaultUserID the one you are using? Also, what do you see in the appsrv logs? Any indication that the user is switching or failing to switch?

      1. RamaRao

        Hi Randy, We are having the same issue when we try to access SSO link from VPN login “You have requested a secure resource. Please signon with your User ID and Password” .

        But when we try to access the same SSO link without VPN, it’s working fine. Could you advise on this? Thanks in advance

        1. Randy

          This sounds like it would probably need some deeper troubleshooting from a network/security level. If it works on the local network, you’ve proven it’s not a PeopleSoft configuration issue. It sounds like over VPN the client machine is unable to get the proper Kerberos ticket therefore you are being prompted for credentials.

  6. Velu

    Hi Randy-
    Thanks for this article!!!! We followed all the steps you mentioned and it is working fine, but we have an issue: if I put in a URL like http://websrv.testdomain.com/psp/ps/EMPLOYEE/ERP/h/?tab=DEFAULT a window pops up asking for username and password. I have tried many things as mentioned in PeopleBooks but no luck. Can you please guide me in this?

    1. Randy

      Hi,

      Thanks for the compliment. If what is happening is (assuming you are using IE as a browser) the window popping up is from IE and asking for your credentials and then works after they are entered; it sounds like a browser configuration problem. Your configuration is most likely not allowing integrated security for the zone the web domain you are using is found in. Ensure that the URL is listed in the Local intranet zone for IE. Ensure the URL is added to the list at Internet Options -> Security -> Local intranet -> Sites -> Advanced. There is a setting in IE, Internet Options -> Security -> Local intranet -> Custom level -> scroll to the bottom. The User Authentication: Logon option should be set to Automatic logon only in Intranet zone.

      There are some sections in the PeopleBooks that cover this browser configuration.
      Enable Kerberos Auth in IE
      Enable Kerberos Auth in Firefox

      Hope that helps.

  7. Rajy

    Hi Randy!

    I have implemented this solution without enabling the validation at the web server side. The authentication is always done through the public user.
    Tracing the sign-on PeopleCode shows that there’s a problem at this point:

    &validator = GetJavaClass("com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator").getInstance();
    Local string &username = &validator.validate(&krbToken)

    First operand of . is NULL, so cannot access member validate

    GetJavaClass is returning NULL (printing &validator in a file shows NULL).

    Any idea why this might occur?

    Thanks

    1. Randy

      Can you check your APPSRV logs for additional details? My first guess would be that the app server cannot find the class file so the validator object is null. Keep in mind case sensitivity for the “pt” portion of the path. On Linux the files were already located in $PS_HOME/class/com/peoplesoft/PT/desktopsso/kerberos but that is not correct because the PT is in caps and should be lower case.

    2. jaya

      We are getting the same error (First operand of . is NULL, so cannot access member validate) and have been stuck for 2 weeks. Please help me: what was the solution for this issue?

      Thanks in advance!!!

  8. Rajy

    Hi Randy,

    Thank you for your reply.
    This was fixed by copying the class files from the webserver.

    Another point, and just for info, under Windows, the pt folder is delivered in lowercase.

    Thanks

    1. Randy

      Glad to hear you got it working. Out of curiosity, what tools release are you implementing the solution on?

  9. Rajy

    Hi Randy,
    Sorry for this late reply.
    It’s on 8.52.14
    Regards,
    Rajy

  10. Vikrant

    We are implementing the same thing, however we are stuck at the application server check in PeopleCode, &validator = GetJavaClass("com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator").getInstance();

    It’s giving a null value if we get the value in a file. I have recopied those files from webserver to app server. Even then it’s not working. Looking for help.

    Regards
    Vikrant

    1. Randy

      What OS are you deploying on? Check the path for com/peoplesoft/pt/desktopsso/kerberos/KerberosSSOValidator for typos, case sensitivity issues (pt vs. PT), or permissions problems.

  11. Zahid Mahmood

    We need help for implementing Peoplesoft SSO Kerberos solution.

    We have done a lot of work but are stuck: the “com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator” java class failed to authenticate server credentials – getting error “Failed to acqurie servers credential”

    1. Randy

      I’m not familiar with this error. What OS are you implementing on? Can you provide the stack trace? You can contact me via the About page. Did the kinit test work?

  12. TrederJoe

    I completed the Peoplesoft SSO Kerberos setup. During testing using DEFAULT url, it does sign in automatically but only with default userid ‘PUBUSER’. Any advice? Thanks

    OS: Windows server 2008 R2 64-bits

    1. varma

      Were you able to fix this issue? I am facing the same issue and would appreciate if you can share the solution.

  13. Alok

    Hi Randy,

    Hope you are doing fine. We are facing a situation while configuring the Kerberos for multiple AD domains.

    With single AD domain, everything works fine. But if we are trying to adjust kerberos config files for multiple domains, and trying to log in, it is failing and just logging in as public user.

    Area where we need help: How to merge the multiple domains in krb5.conf and krb5Login.conf.

    Attached are the examples how we are trying and it’s not working

    krb5.conf

    [libdefaults]
    default_realm = DOMAIN1
    ticket_lifetime = 2400
    dns_lookup_realm = false
    dns_lookup_kdc = true

    [realms]
    DOMAIN1 = {
    kdc = DOMAIN1
    admin_server = DOMAIN1
    default_domain = DOMAIN1
    }
    DOMAIN2 = {
    kdc = DOMAIN2
    admin_server = DOMAIN2
    default_domain = DOMAIN2
    }
    DOMAIN3 = {
    kdc = DOMAIN3
    admin_server = DOMAIN3
    default_domain = DOMAIN3
    }

    [domain_realm]
    .domain1 = DOMAIN1
    DOMAIN1 = DOMAIN1
    .domain2 = DOMAIN2
    DOMAIN2 = DOMAIN2
    .domain3 = DOMAIN3
    DOMAIN3 = DOMAIN3

    krb5Login.conf

    krbServer
    {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/unixs913/apps/psf/v092000/krb5/1.keytab"
    isInitiator=false
    principal="HTTP/unixs913.*****.****.com"};

    krbServer
    {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/unixs913/apps/psf/v092000/krb5/2.keytab"
    isInitiator=false
    principal="HTTP/unixs913.*****.****.com"};

    krbServer
    {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/unixs913/apps/psf/v092000/krb5/3.keytab"
    isInitiator=false
    principal="HTTP/unixs913.*****.****.com"};

    1. Randy

      Hi, I’ll have to look into this a bit. It is not something I’ve done anywhere yet. I will send you an email in the next few days.

      1. Rajendra

        Hi Randy,

        We are facing exactly same problem, could you please send me the solution you have provided to Alok.

        Many Thanks

    2. Vijay

      We are also having a similar requirement. Were you guys able to find a solution for this?

      1. Randy

        Yes, it is possible to authenticate against multiple Kerberos Realms. However it will not work with the delivered solution I documented here. It is not as simple as just adding additional realms to the configuration. It requires a custom solution and has additional security considerations. If this is something you are still interested in you can contact me via the About Page.

  14. Vikrant

    Dear Randy,
    We are doing Kerberos SSO setup in Linux, for PT 8.53.11. On one environment we got it working, but we had to make some changes, and we generated the keytab file again; after that it’s not working. We followed each step which you have documented here.
    Let me mention what we have done so far.

    my kinit user@testdomail.local is generating ticket.
    [1] Service Principal: krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
    Valid starting: Nov 20, 2014 06:48
    Expires: Nov 20, 2014 16:48

    [psadmin@hlxc0ps001 etc]$ kinit -k -t /home/psadmin/krb5.keytab HTTP/webserver@TESTDOMAIN.LOCAL
    New ticket is stored in cache file /tmp/krb5cc_6101
    [psadmin@hlxc0ps001 etc]$ klist

    Credentials cache: /tmp/krb5cc_6101

    Default principal: HTTP/webserver@TESTDOMAIN.LOCAL , 1 entry found.

    [1] Service Principal: krbtgt/TESTDOMAIN.LOCAL@TESTDOMAIN.LOCAL
    Valid starting: Nov 20, 2014 06:52
    Expires: Nov 20, 2014 16:52
    [psadmin@hlxc0ps001 etc]$ kdestroy

    krbServer {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/home/psadmin/krb5.keytab"
    isInitiator=false
    principal="Principle Name as registered";
    };

    setEnv.sh
    -Djava.security.auth.login.config=/home/psadmin/krbLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf

    Similarly the psappsrv configuration file has been changed, along with web.xml, which looks like:
    Portal

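    <filter>
      <filter-name>KerberosSSO</filter-name>
      <filter-class>com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter</filter-class>
      <init-param>
        <param-name>checkSecureConnection</param-name>
        <param-value>false</param-value>
      </init-param>
      <init-param>
        <param-name>validateToken</param-name>
        <param-value>true</param-value>
      </init-param>
      <init-param>
        <param-name>verbose</param-name>
        <param-value>true</param-value>
      </init-param>
    </filter>
    <filter-mapping>
      <filter-name>KerberosSSO</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>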

    After these changes I am continuously getting..

    Please help me with this.

    Thanks a lot

    Vikrant

    1. Randy

      Interesting, not sure why it would break after recreating the keytab file. It looks like you were able to test the keytab file without a problem. The error or log message doesn’t appear to have come through, can you try posting it again? What were the changes you made? The principal in krbLogin.conf matches exactly what you are using in the new keytab file, right (case sensitive)?

  15. Renuka

    Hi Randy,

    I have followed the steps given and also in the webserv logs I can see the following log:

    And no error is encountered in the webserv as well as the appserv logs, still while logging in to the PIA I am getting the authorization error and the PeopleSoft signon page is displayed.

    It would be great if you could please help me out with this.

    1. Renuka

      The webserver logs shows the following:

  16. Anand Starlin

    I completed the Peoplesoft SSO Kerberos setup. During testing using DEFAULT url, it does sign in automatically but only with default userid ‘PUBUSER’.
    Please advise.

    1. Varma

      Were you able to fix this issue?

  17. Ramesh Raj

    Hi Randy,

    I have to configure the Desktop SSO for Peoplesoft application. Below are my environment details.

    Windows Active Directory Server
    App and Process scheduler running on Linux Server
    Oracle Database.

    Could you please help or guide me how to setup the Desktop SSO for Peoplesoft Application in Linux Environment.

    1. Randy

      The three part series I wrote on Single Sign-on via Kerberos already documents everything you should need for your environment as it also was done on Linux. If you have specific questions about this process I will try to answer them as time permits. If you are interested in consulting services please contact me via the About page. Thanks and good luck on the implementation.

  18. Ravi

    Randy

    Thanks for your efforts, great information. We are trying to implement desktop SSO, and configured based on your document. We are on tools 8.54.07 and we also use web profile to switch to virtual address. Original is https://manchine.xxx.com/POOND/signon,html will be translated to https://my.xxx.com/POOND/signon.html. When I’m using this webprofile, try to bring up signon page, it gives invalid site name.. I’m not sure what needs to be configured.. below is my
    krb5.conf
    [libdefaults]
    default_realm = XXXXX.XXX
    ticket_lifetime = 2400
    dns_lookup_realm = false
    dns_lookup_kdc = true
    #default_tkt_enctypes = des-cbc-crc
    #default_tgs_enctypes = des-cbc-crc
    #allow_weak_crypto=true
    [realms]
    XXXXX.usnc = {
    kdc = XXX.XX.XX.X
    admin_server = xxx-dc02.XXXXX.COM
    default_domain = XXXXX.USNC
    }

    and krblogin.conf is
    krbServer {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="C:/krb/krbsrv.keytab"
    isInitiator=false
    principal="krbsrv@XXXXX.XXX";
    };
    do we have anything else configured if we are using virtual addressing on webprofiles..

    Thanks and appreciate your help..
    Ravi

  19. GMT

    Hi Randy,

    Very informative blog. Helped us to implement SSO on Linux. However, we are facing one issue. System is logging on with the same default user for all. It is not able to authenticate with the logged on user’s credentials.

    Would appreciate any help in resolving this error.

    1. Randy

      Hi, I have heard of this happening a few times, usually due to invalid Kerberos tokens being detected by the filter. It’s hard to say what might be the problem there though. Check the Weblogic and app server logs to see what errors if any you are getting, I also use Wireshark to dive deeper when troubleshooting token issues.

      1. GMT

        We are receiving “<KerberosSSOFilter: Received invalid token" in the PIA log.
        On further analysis of our configuration files (krb5.conf and krbLogin.conf), we have observed that "kinit" is working fine when checked explicitly with username and password. However, when we run kinit with the keytab file, we get the error "kinit(v5): Key table entry not found while getting initial credentials".
        Any suggestions for resolution?

  20. Vikrant Kumar

    Hi Randy,

    I see that Kerberos implementation is removed from PeopleTools 8.54 PeopleBooks. Can you please suggest whether it is still possible to implement Kerberos SSO with PeopleTools 8.54? Does PeopleSoft provide all the required Java files?

    Thanks
    Vikrant Kumar

    1. Randy

      Yes, the files are still delivered with 8.54 and I’ve had it working on 8.54. I have not looked at 8.55 yet to see if they are still with that version.

  21. Varma

    Randy, thanks for the informative blog. I was able to follow the steps and configure the Peoplesoft SSO Kerberos but during testing using DEFAULT url, it does sign in automatically but only with default userid ‘PUBUSER’. Any thoughts on why this is happening?

    1. Randy

      Varma,
      Kerberos authentication is still failing for your test user either at the web or the app.
      You are getting signed in as PUBUSER because you have roles assigned to PUBUSER that allow PUBUSER to actually login. PUBUSER needs no roles at all for this to work properly and in fact, having no roles is preferred so that users that may fail kerb auth for legitimate reasons can still be presented a sign on page. Your logs probably indicate an invalid token was received. But that is a generic error and difficult to troubleshoot without detailed analysis.

      1. varma

        Randy,

        Webserver is looking fine and I guess authentication is failing at app server level. Here is the log from webserver,

        Could you please help me troubleshoot the Kerberos authentication on application server level? I tried the PeopleCode trace but it’s not showing anything since authentication is failed. “Authorization Error — Contact your Security Administrator”

  22. Jens Nielsen

    Thanks to Randy for the excellent posts.
    I use the documentation to get my own implementation of Kerberos SSO to work. However, since I’m on a pure Windows based system there were some tweaks that were required.
    I have documented my configuration on my website, and I invite people to review my configuration here: http://smartpeoplesoftadmin.com/

  23. Abhishek

    We recently implemented Kerberos SSO with our Peoplesoft environment and it worked fine. But I had an issue with the keytab file: when we got a keytab file with encryption method “AES256-SHA1 and AES128-SHA1” it was not working, but when we got a keytab file with encryption method “RC4-HMAC-NT” it worked. In our org going forward we can’t get a keytab file with “RC4-HMAC-NT”, so can you provide some guidance/changes we need to adopt with keytab file “AES256-SHA1 and AES128-SHA1”?

    1. Prabhu

      Abhishek, did you get SSO working with AES256-SHA1 encryption? I have been trying to do the same, but with no success.
      I have AD service account configured for both 256 & 128 encryption support, copied the unlimited JCE framework for JDK 7, and checked that the PS server supports these encryptions in the local group policy; however, no success yet. When I try the kinit command, it just gives me “Found Unsupported Keytype (18)” error. Keytype 18 is referring to AES 256 encryption. But like you said SSO works with RC4-HMAC-NT. Any ideas are much appreciated. Thanks,

  24. Sankar

    Hi
    I am trying to implement the Kerberos SSO. The kinit is validated for ticket, all configurations are done and I am able to see in the log the token and the userid capturing properly. But when I log in the setauthentication true is not happening and it logged in as the public user.

    I copied the class files under the small pt folder and even added the class folder in the CLASSPATH

    Tracing the sign-on PeopleCode shows that there’s a problem at this point:

    &validator = GetJavaClass("com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOValidator").getInstance();
    Local string &username = &validator.validate(&krbToken)

    Please help

  25. Ron Hudson

    Can this work on Tools 8.57? I know Oracle has removed the Kerberos classes, but I was hoping I could get it to work. I have it working on tools 8.54 but our users will not accept giving it up on tools 8.57.

  26. Wade Walden

    Did anyone ever get this working in Peoplesoft and what versions of JDK, Tools, other?

  27. Anil

    Hello Randy

    I have implemented this in PeopleSoft Fin environment successfully but when I tried the same in PeopleSoft HCM environment by following the same set of steps which I did in FIN environment, I am getting message “” in webserver log. OS is Windows 2016. Can you please suggest on this?
