PeopleSoft Desktop Single Sign-on via Kerberos – Part 2

In Part 1 we started our SSO configuration by getting our Linux servers talking to the KDC, and we should now have a working keytab file for our SPN. Now let's set up a few things so Weblogic can use it.

First, create the following krbLogin.conf file:
krbServer {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/home/psoft/krb5.keytab"
isInitiator=false
principal="HTTP/websrv.testdomain.com";
};

Update the keyTab property to point to wherever you placed your keytab file, and make sure the principal matches the SPN you created. In this proof of concept I just placed this file in /home/psoft alongside the keytab file.

Now we need to tell Weblogic to use these files. We do this on the corresponding JAVA_OPTIONS line in setEnv.sh; in my case it now reads:
JAVA_OPTIONS_LINUX="-jrockit -XnoOpt -Xms512m -Xmx512m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 -Djava.security.auth.login.config=/home/psoft/krbLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf"
We added the following to the end of the options variable:
-Djava.security.auth.login.config=/home/psoft/krbLogin.conf
-Djava.security.krb5.conf=/etc/krb5.conf

Next, let's edit web.xml in the PORTAL.war/WEB-INF directory. We need to add the following:
<filter>
  <filter-name>KerberosSSO</filter-name>
  <filter-class>com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter</filter-class>
  <init-param>
    <param-name>checkSecureConnection</param-name>
    <param-value>false</param-value>
  </init-param>
  <init-param>
    <param-name>validateToken</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>verbose</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>KerberosSSO</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Here we apply the KerberosSSOFilter (Oracle provides the source if you'd like to improve it) to the url-pattern /*, so every request goes through the filter.

The parameters:

  1. checkSecureConnection: I set this to false because I'm not using SSL in this environment. Change it to true if you are using SSL.
  2. validateToken: start with true so we can troubleshoot and verify that things work at the web layer.
  3. verbose: self-explanatory; set it to true until it works.

After making these updates, restart Weblogic and check the startup logs for errors. We are now at the point where we can test the Weblogic filter and make sure the basic configuration is working.

Let's move on to a Windows workstation that is joined to our domain and make sure its browser is set up for this. In most corporate environments this will already be done. For IE, open Internet Options, go to the Security tab and check the Local intranet zone; if your PeopleSoft URL is not detected as part of the intranet, add it manually via Sites -> Advanced. Once this is done, let's see what happens. You won't get logged in yet, but we can see whether the Kerberos token is being processed properly. First tail PIA_stdout.log, then log in through the normal web page. After logging in, here is what we should see:
<Aug 29, 2012 9:18:10 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Requesting Kerberos token. (Connection is NOT secure)>
<Aug 29, 2012 9:18:10 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Received valid token for user@TESTDOMAIN.LOCAL.>
<Aug 29, 2012 9:18:10 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Sending token for mutual authentication.>
<Aug 29, 2012 9:18:35 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Received valid token for user@TESTDOMAIN.LOCAL.>
<Aug 29, 2012 9:18:35 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Sending token for mutual authentication.>
<Aug 29, 2012 9:18:35 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Valid session id. Not requesting Kerberos token.>
<Aug 29, 2012 9:18:35 PM EDT> <Notice> <Stdout> <BEA-000000> <KerberosSSOFilter: Valid session id. Not requesting Kerberos token.>

We can see that the SSOFilter requests the token, sees that it is valid, and identifies the user and domain. After we log in, the SSOFilter sees a valid session id and stops requesting the Kerberos token.

So far so good. Next up, the application server side.
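Before restarting Weblogic it is worth linting the two files produced in the steps above. The script below is an added example, not part of the original post or of Oracle's filter code: it reads krbLogin.conf with a minimal parser for the JAAS login-configuration syntax and checks the JAVA_OPTIONS string. GOOD_CONF and GOOD_JAVA_OPTIONS are the values from this post, BAD_CONF is a constructed broken sample, and the hard-coded `krbServer` entry name is the filter behaviour described in the comments below.

```python
"""Lint krbLogin.conf and the setEnv.sh JAVA_OPTIONS before restarting Weblogic: the entry
must be named exactly krbServer (the filter's case-sensitive default), name the right
Krb5LoginModule class, carry keyTab and an HTTP/<fqdn> principal, close its option list
with ';' before '};', and both -D properties must appear once; smart quotes are flagged."""
import re
from typing import Dict, List

EXPECTED_ENTRY = "krbServer"
EXPECTED_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
LOGIN_CONFIG_PROP = "-Djava.security.auth.login.config="
KRB5_CONF_PROP = "-Djava.security.krb5.conf="
# One JAAS entry:  name { ModuleClass flag key=value ... ; };
ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.DOTALL)
# A token is a run of unquoted characters and/or "quoted" strings, or a lone ';'.
TOKEN_RE = re.compile(r'(?:[^\s;"]|"[^"]*")+|;')

# Known-good input: the krbLogin.conf and the two -D options from the post.
GOOD_CONF = """krbServer {
com.sun.security.auth.module.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab="/home/psoft/krb5.keytab"
isInitiator=false
principal="HTTP/websrv.testdomain.com";
};
"""
GOOD_JAVA_OPTIONS = ("-jrockit -XnoOpt -Xms512m -Xmx512m -Djava.security.auth.login.config="
                     "/home/psoft/krbLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf")
# Constructed broken sample: 'mobile' typo, smart quotes, and an option after the ';'.
BAD_CONF = """krbServer {
com.sun.security.auth.mobile.Krb5LoginModule required
storeKey=true
useKeyTab=true
keyTab=\u201d/home/psoft/krb5.keytab\u201d
isInitiator=false
principal="HTTP/websrv.testdomain.com";
debug=true
};
"""

def find_non_ascii(text: str) -> List[str]:
    """Report every non-ASCII character with its line number (copy-paste damage)."""
    return [f"line {n}: non-ASCII character U+{ord(ch):04X} ({ch!r})"
            for n, line in enumerate(text.splitlines(), start=1)
            for ch in line if ord(ch) > 0x7E]

def parse_login_conf(text: str) -> Dict[str, dict]:
    """Parse JAAS entries into {name: {module, flag, options, terminated, extra}}."""
    text = re.sub(r"//[^\n]*", "", text)  # the JAAS ConfigFile parser accepts // comments
    entries = {}
    for name, body in ENTRY_RE.findall(text):
        tokens = TOKEN_RE.findall(body)
        entry = {"module": None, "flag": None, "options": {}, "terminated": False, "extra": []}
        if len(tokens) >= 2:
            entry["module"], entry["flag"] = tokens[0], tokens[1]
        for tok in tokens[2:]:
            if tok == ";":
                entry["terminated"] = True
            elif entry["terminated"]:
                entry["extra"].append(tok)  # anything after ';' is not a valid option
            else:
                key, _, value = tok.partition("=")
                entry["options"][key] = value.strip('"')
        entries[name] = entry
    return entries

def lint_login_conf(text: str) -> List[str]:
    """Return findings for a krbLogin.conf; an empty list means it passed."""
    findings = find_non_ascii(text)
    entries = parse_login_conf(text)
    if EXPECTED_ENTRY not in entries:
        findings.append(f"no entry named {EXPECTED_ENTRY!r} (found: {', '.join(entries) or 'none'}); "
                        "the filter looks for this name by default and it is case-sensitive")
        return findings
    e = entries[EXPECTED_ENTRY]
    if e["module"] != EXPECTED_MODULE:
        findings.append(f"login module is {e['module']!r}, expected {EXPECTED_MODULE!r}")
    for key, want in (("useKeyTab", "true"), ("storeKey", "true"), ("isInitiator", "false")):
        if e["options"].get(key) != want:
            findings.append(f"{key} should be {want}, got {e['options'].get(key)!r}")
    if not e["options"].get("keyTab"):
        findings.append("keyTab is missing")
    principal = e["options"].get("principal", "")
    if not re.fullmatch(r"HTTP/[A-Za-z0-9.-]+(@[A-Za-z0-9.-]+)?", principal):
        findings.append(f"principal {principal!r} should be the HTTP/<fqdn> SPN created in Part 1")
    if not e["terminated"]:
        findings.append("option list is not terminated by ';' before '};'")
    if e["extra"]:
        findings.append(f"text after the terminating ';' will not parse: {' '.join(e['extra'])}")
    return findings

def lint_java_options(java_options: str) -> List[str]:
    """Check that both Kerberos -D properties appear exactly once on the Java command line."""
    findings = []
    for prop in (LOGIN_CONFIG_PROP, KRB5_CONF_PROP):
        n = java_options.count(prop)
        if n != 1:
            findings.append(f"{prop.rstrip('=')} appears {n} times, expected exactly once")
    return findings
```

Run `lint_login_conf(open("/home/psoft/krbLogin.conf").read())` and `lint_java_options` on the JAVA_OPTIONS value from setEnv.sh; an empty list from both means the file-level causes of "No Configuration was registered" and "unable to find LoginModule class" are ruled out.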



44 responses to “PeopleSoft Desktop Single Sign-on via Kerberos – Part 2”

  1. Velmurugan Avatar

    Hi,
    I am getting this error message In PIA_STDOUT.LOG file

    could not load user defined filter in web.xml: com.peoplesoft.pt.desktopss.kerberos.kerberosSSOFilter.
    javax:servlet.serveltException: Kerberos server login failed

    caused by : javax.security.auth.login.LoginException: unable to find LoginModule class:com.sun.security.auth.mobile.krb5LoginModule

    I am using PT 8.53.08
    WEBLOGIC 10.3.6

    Regards
    Vel

    1. Randy Avatar

Vel, better late than never, if you haven't figured this out yet. It looks like you have a typo in your krbLogin.conf file.

      krbServer {
      com.sun.security.auth.module.Krb5LoginModule required

      is how it should start, but you must have

      krbServer {
      com.sun.security.auth.mobile.Krb5LoginModule required

      It’s module, not mobile.

  2. philippe Avatar
    philippe

Regarding your comment "Here we apply the KerberosSSOFilter (which Oracle provides source for if you'd like to improve it) to the url-pattern /* so any request will go through the filter", I need to improve the source. Can you tell me please how to compile the source into a class?

    1. Randy Avatar

      Good question, the files are in the SDK directory on an application server or file server install. $PS_HOME/sdk/desktopsso/src/com/peoplesoft/pt/desktopsso/kerberos/. They provide a makefile to use with however you setup their SDK environment, but I don’t have any docs on that. I created a project in Netbeans and used the makefile to give me hints on what was required. The project I have has weblogic.jar and $PS_HOME/class added, Netbeans said I was missing one class and that was psft.pt8.auth.Base64 so I copied it where it needed to be from the webserver.

  3. Vishu Avatar
    Vishu

    Hi Randy,

Have you come across the error below while configuring Kerberos? Oracle doesn't have any reply on this, I tried.

    <Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer
    at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
    at javax.security.auth.login.LoginContext.init(LoginContext.java:260)
    at javax.security.auth.login.LoginContext.(LoginContext.java:349)
    at com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.init(KerberosSSOFilter.java:142)
    at weblogic.servlet.internal.FilterManager$FilterInitAction.run(FilterManager.java:343)
    Truncated. see log file for complete stacktrace
    >

    1. Randy Avatar

Can't say I've seen it until now, but check your krbLogin.conf. It should start with

      krbServer {

      just as shown in the error. It is case sensitive and should be lower case except for the S.

      The code in the KerberosSSOFilter first checks the web.xml file for an init-param named krbLoginName, but none of the documentation has you specify it, so if it’s not found it defaults to krbServer. Since the configuration it’s looking for doesn’t match the configuration name, you’ll get the error you have.

      Let me know if that helps.

  4. vishu Avatar
    vishu

Thanks a lot Randy, really appreciate your help. Your advice solved my issue. I was putting the below directly in krb5Login.conf as per Oracle's direction (wondering why they have provided this kind of instruction):

    com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="@REALM.NAME" useKeyTab=true
    keyTab= storeKey=true debug=true;
    };

    com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule Required
    principal="@REALM.NAME" useKeyTab=true
    keyTab= storeKey=true debug=true;
    };

  5. chung chau Avatar
    chung chau

    Hi Vishu,
I have the same exact error in the PIA log. Can you clarify what script you used for krbLogin.conf? Mine is as follows:

    krbServer {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="D:/Kerberos/krb5.keytab" // location of keytab file
    isInitiator=false
    principal="HTTP/webservername.CORP.DOMAINNAME.COM"
    debug=true;
    };

    Thanks

    1. Randy Avatar

      So you are getting the error:

      Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
      java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer

      ?

  6. chung chau Avatar
    chung chau

    Hi Randy,
Yes, I am still trying to resolve that PIA.log error. I see Vishu had a different version of the krbLogin.conf script that does not start with 'krbServer...' and I am wondering how he resolved it. As I mentioned, I did try modifying mine to his version but still no success. Thanks

    1. RN Avatar
      RN

      Hello:
Did you ever get a resolution on your issue? We are getting the same error and are wondering what you did to get around it.
      Thanks

      RN

  7. Vikrant Kumar Avatar
    Vikrant Kumar

    Hi Randy,

We have implemented Kerberos on PeopleTools 8.53.11. We have a load-balanced environment; all three web servers are load balanced. The load balancer has SSL deployed and SSL offloading happens at the load balancer end; the PeopleSoft web servers are plain HTTP. We have registered our SPN against the load balancer URL and updated the web.xml checkSecureConnection parameter to true, but it's not working. The PIA logs give invalid token. Can you please suggest what the issue could be? Is SSL offloading causing the issue, or do we need to generate the keytab again? Are there any extra settings we need to do? I have done all the configuration in line with your inputs in the blog.

    Thanks

    Regards
    Vikrant

    1. Randy Avatar

      This invalid token message is displayed when a GSSException is caught. They can be generated for several different reasons. If I had to guess I would say the most common for a PeopleSoft setup is related to key versions. You can try recreating the keytab file which should clean up a version problem. Also ensure the time on the client and the server are in sync, Kerberos requests are time sensitive. I have a custom version of the filter I use to debug these types of problems. Contact me through the about page if you are interested in trying it.

      1. Anand Avatar
        Anand

        Hi Randy,

I too face the invalid token problem. Can you let me know how I can contact you?

        1. Randy Avatar

I worked with Anand to determine his problem. He's running a complex environment with load balancers and reverse proxies. After a troubleshooting session with my custom debugging Kerberos filter and providing him some additional background on how things worked, he found that when passing through the load balancer the Kerberos ticket was being truncated. He figured out that this was due to the load balancer configuration. Once his networking team configured the load balancer to handle a much larger HTTP header it worked. Great find Anand and thanks for sharing your findings!

  8. RN Avatar
    RN

    Hi Randy:
    We are trying to implement desktop SSO on AIX. I am going with the presumption that if it works on linux then it should work on AIX. We are on PT8.53.12 and getting the following error on web.xml. Someone reported a similar error but it is not the same. Please help.

    <Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer
    at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
    at javax.security.auth.login.LoginContext.init(LoginContext.java:272)
    at javax.security.auth.login.LoginContext.(LoginContext.java:369)
    at com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.init(KerberosSSOFilter.java:142)
    at weblogic.servlet.internal.FilterManager$FilterInitAction.run(FilterManager.java:343)
    Truncated. see log file for complete stacktrace
    >

    1. Randy Avatar

This still sounds like a problem in the krbLogin.conf file. Weblogic is not finding a configuration that matches the name krbServer, which is hard coded in the filter and used by default. What does your krbLogin.conf file look like, and is it readable by Weblogic?

      1. RN Avatar
        RN

        Hi Randy:
        Thank you for getting back to me on this. Here is my krbLogin.conf and yes it is readable by weblogic. (btw we are trying to do this configuration on an AIX environment. I am assuming this should not be an issue given the fact that you have done SSO on linux.)

        krbServer {
        com.sun.security.auth.module.Krb5LoginModule required
        storeKey=true
        useKeyTab=true
        keyTab="/etc/krb5/krb5.keytab"
        isInitiator=false
        principal="HTTP/server.domain.org";
        };

        Thanks for your help.

        1. Randy Avatar

I have never configured this on AIX. I do know AIX uses an IBM JDK. Try changing com.sun.security.auth.module.Krb5LoginModule to com.ibm.security.auth.module.Krb5LoginModule. I believe I saw the IBM JDK uses a different LoginModule. But an incorrect configuration for the krb5LoginModule usually generates an error indicating that problem, such as unable to find LoginModule class. You can see an example of that error in the first comment on this post actually. Your error indicates a problem just trying to find the krbServer entry in the krbLogin.conf file. I've never seen a reason to not trust this particular error message, unlike other errors which are never really caused by what they state is happening. If you look at the command line for the PIA Weblogic Java process with ps while it's running, do you see the -Djava.security.auth.login.config option referencing the correct path to krbLogin.conf?

  9. Nacho Avatar
    Nacho

    Hi Randy.

    Firstly thank you for the nice tutorial about implementing kerberos on PeopleSoft.
However I've got the same problem as Vishu. This error is displayed in stdout.log:
"Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer"

    I’m using Linux instead of AIX.
    The content of krbLogin.conf is the following:
    krbServer {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/datos/usuarios/ccemple/usuarioscau-tran.keytab"
    isInitiator=false
    principal="HTTP/usuarioscau-tran.cm.es@GRUPO.CM.ES";
    };

Also, the PIA process appears to show the right option for picking up krbLogin.conf when I check it with the ps command; in my case:

    -Djava.security.auth.login.config=/datos/usuarios/ccemple/krbLogin.conf
    -Djava.security.auth.login.config=/datos/usuarios/ccemple/krb5.conf
These files are accessible to be read by Weblogic.
Could you help me with this issue?
I'll appreciate any help that you can give me.
    Thanks.
    Regards

    1. Randy Avatar

      Are you really using -Djava.security.auth.login.config for both the krbLogin.conf and krb5.conf? Maybe that’s the problem if you are. At first glance your login.conf syntax looks OK.

      -Djava.security.auth.login.config=/datos/usuarios/ccemple/krbLogin.conf
      -Djava.security.auth.login.config=/datos/usuarios/ccemple/krb5.conf

      should be

      -Djava.security.auth.login.config=/datos/usuarios/ccemple/krbLogin.conf
      -Djava.security.krb5.conf=/datos/usuarios/ccemple/krb5.conf

      1. Nacho Avatar
        Nacho

        Hi Randy, thank you for your reply.
        Finally it worked and, as you had seen, the mistake was in the Djava.security.krb5.conf.

        Thanks and happy new year.
        Regards.

  10. Velu Avatar
    Velu

    Hi Randy,

    Thanks for the wonderful blog. We have successfully implemented the kerberos sso for intranet by following your blog.

If we try to access our URL over the internet it pops up for username and password; when we provide the credentials, it goes to the login page.

    When we trace the token generated at app server level Internet and Intranet token is different.

I mean the intranet token is quite big whereas on the internet it's only one line. I read the comment you wrote about working with Anand, in which the load balancer was truncating the token.

We do not have a load balancer in place. Do we have to set any firewall settings or do we need to open any ports?

Could you please help make Kerberos work over the internet?

  11. Fibe Avatar
    Fibe

    Hi Randy

We are trying to set up Kerberos and have followed your great tutorial. Thanks a lot for that.

We are on Linux with Weblogic 10.3 and use PeopleTools 8.53.12 with IE 11.

Up to the end of page 2 everything works fine, but we are not able to open the URL with the IE browser. We always get NTLM requiring us to enter a user/password.

    The following configuration is set up:

    krb5.conf:
    [logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log
    [libdefaults]
    default_realm = DOM.LOC
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    [realms]
    DOM.LOC = {
    kdc = dc.DOM.LOC
    admin_server = dc.DOM.LOC
    }
    [domain_realm]
    .dom.loc = DOM.LOC
    dom.loc = DOM.LOC

    krbLogin.conf:
    krbServer {
    com.sun.security.auth.module.Krb5LoginModule required
    storeKey=true
    useKeyTab=true
    keyTab="/etc/krb5.keytab"
    isInitiator=false
    principal="http/peoplesoft.comp.com@DOM.LOC";
    };

    web.xml:
    JAVA_OPTIONS_LINUX="-server -Xms512m -Xmx512m -XX:MaxPermSize=256m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0
    -Djava.security.auth.login.config=/etc/krbLogin.conf -Djava.security.krb5.conf=/etc/krb5.conf -Djava.security.krb5.debug=true"

In the Weblogic logfiles we see the error "Received invalid token".

In the response header in IE we found that WWW-Authenticate="Negotiate" is sent, but there is no token sent by Weblogic.
    The browser configuration is checked against another site. So it seems something is wrong on weblogic side.

    Any idea what could be the issue?

    Thanks, Fibe

    1. Guna Avatar
      Guna

      Fibe/Randy,

Did you get this issue fixed? I'm getting the same Received Invalid Token in the WebLogic server through the PeopleSoft Kerberos filter class, which reports the error from GSSContext. But it doesn't print the error from GSSException; the delivered KerberosSSOFilter class is designed to write the static message Received Invalid token.

      Seems to be failing at line authContext.acceptSecContext(token, 0, token.length) in KerberosSSOFilter.

      I’m trying to compile this java file with complete error log, but no luck so far to compile.

      I’m using IBM Krb5Login module and krb5Login.conf looks as below based on IBM knowledge center.
      https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_71/rzaha/rzahajgssusejaas20.htm

      krbServer {
      com.ibm.security.auth.module.Krb5LoginModule required
      useKeytab="/psoftapp/kerberos/Marauder_keytab"
      credsType=both
      debug=true
      principal="HTTP/marauder.clientlan.client.org@CLIENTLAN.CLIENT.ORG";
      };

      Please help me resolve the “Received Invalid Token” in PIA_weblogic.log

      Regards, Guna

  12. Kyle Avatar

    I ran into same issues the others have:

    com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer

    For me, the problem was I did a copy and paste to create the krbLogin.conf file. I think when I did this it seemed to bring in some bad characters. When I deleted the file and typed it all out manually, this time it worked without issue.

  13. RN Avatar
    RN

    Hello Randy:

    We were able to implement desktop sso for aix. One issue that is causing a problem in our production environment is a service ticket timeout. It seems like the native Microsoft policies set service ticket to 600mins/10hrs. We are having to reboot the webserver every 10hrs to get a new service ticket and SSO to work for our users. Any ideas on how to enable service ticket to auto renew?

    Thanks for your help in advance..

  14. MS Kumar Avatar
    MS Kumar

    Hi Randy,

    Thanks a lot for detailing the steps.
    Requirement : Single sign on on Peoplesoft – AD integration with PeopleSoft 9.1 on AIX unix platform, will this work?
    Don’t have any environment to test it out, so wanted to know the feasibility
    Application version – 9.1
    Tool version – 8.52

  15. abhay singh bisht Avatar
    abhay singh bisht

    Hi Randy,

    Requirement : Single sign on on Peoplesoft – AD integration with PeopleSoft 9.1 on AIX platform.
    Application version – 9.1
    Tool version – 8.52
I am getting the error "
    <Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer
    at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
    at javax.security.auth.login.LoginContext.init(LoginContext.java:267)
    at javax.security.auth.login.LoginContext.(LoginContext.java:366)
    at com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.init(KerberosSSOFilter.java:142)
    at weblogic.servlet.internal.FilterManager$FilterInitAction.run(FilterManager.java:332)
    Truncated. see log file for complete stacktrace
> "

    i have already tried all the suggestions above but still the error remains the same

    1. varma Avatar
      varma

      Were you able to fix the issue? I am having the same issue and none of the suggestions listed here worked.

      1. Randy Avatar

Varma, your issue is on Windows 2012R2, correct? Not AIX as this user was using? What does your krbLogin.conf file look like?

        1. varma Avatar
          varma

–the principal can also have the domain omitted (principal="HTTP/servername.company.com ")

          krbServer{
          com.sun.security.auth.module.Krb5LoginModule required
          storeKey=true
          useKeyTab=true
          keyTab="C:\PT8.54\HR9.2\keytab\hcmtest.keytab"
          isInitiator=false
          principal="HTTP/HQVWWSPST01.abc.com@abc.com";
          };

          1. Randy Avatar

What do the options you are passing onto the java command line look like? On Windows the file path should be quoted. Like -Djava.security.auth.login.config="C:\My\path\to\krbLogin.conf".
            If you are running Weblogic as a Windows Service and you already added the options with quotes to setEnv or another script after the service was created you need to either recreate the service or use regedit to add them to the command line that the service uses. The service does not use setEnv.sh directly.

          2. varma Avatar
            varma

            After deleting the first line, now the webserver log is not showing the error message however I see the following on the log file, “KerberosSSOFilter: Requesting Kerberos token” and PIA login page is still asking for the password.

          3. varma Avatar
            varma

SET JAVACMD=%JAVA_OPTIONS% %PSLOGGING% -Dweblogic.Name=%SERVER_NAME% -Dps_vault=%DOMAIN_HOME%\piaconfig\properties\psvault -Djavax.net.ssl.trustStore="%SSL_KEY_STORE_PATH%" -Dweblogic.ProductionModeEnabled=%PRODUCTION_MODE% -Djava.security.policy=%WL_HOME%\server\lib\weblogic.policy -Dssl.debug=%ENABLE_VERBOSE_SSL% -Dps_home="%PS_HOME%" %VERBOSE_WL% %HTTP_PROXY% %SERVER_CLASS%

  16. Vijay Avatar
    Vijay

    Hi Randy,
I have been able to implement desktop single sign-on on the desktop and it works fine. However when I use the URL, i.e. either the http://…./signon.html URL or http://…./?tab=DEFAULT, on a mobile device, it shows a blank screen. I can see that in the PIA_stdout.log file it shows " ". I guess it's waiting for us to enter the userid/password that we usually do on the desktop. Does it mean that if we have this setup, mobile users cannot log in?

    1. Randy Avatar

      Vijay,
It appears your log didn't paste well. If you are still having this problem let me know. Mobile users in theory should be able to log in, but since they are mobile, and probably not logged into the domain, they probably can't use Kerberos. What kind of device was it and what browser was the device using? I wonder, if the browser didn't support the negotiate response from the server this might cause what you described. I've honestly never tried using a mobile device. I'll have to add this to a to-do list.

  17. Varma Avatar
    Varma

    I am getting the following error while configuring Kerberos on PT 8.54/HCM9.2 on Windows 2012R2, do you have any suggestions?

    <Could not load user defined filter in web.xml: com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.
    java.lang.IllegalArgumentException: No Configuration was registered that can handle the configuration named krbServer
    at com.bea.common.security.jdkutils.JAASConfiguration.getAppConfigurationEntry(JAASConfiguration.java:130)
    at javax.security.auth.login.LoginContext.init(LoginContext.java:259)
    at javax.security.auth.login.LoginContext.(LoginContext.java:356)
    at com.peoplesoft.pt.desktopsso.kerberos.KerberosSSOFilter.init(KerberosSSOFilter.java:142)
    at weblogic.servlet.internal.FilterManager$FilterInitAction.run(FilterManager.java:579)
    at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
    at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
    at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
    at weblogic.servlet.internal.FilterManager.loadFilter(FilterManager.java:139)
    at weblogic.servlet.internal.FilterManager.preloadFilters(FilterManager.java:70)
    at weblogic.servlet.internal.FilterManager.preloadFilters(FilterManager.java:89)
    at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1797)
    at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:2828)
    at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1661)
    at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:822)
    at weblogic.application.internal.ExtensibleModuleWrapper$StartStateChange.next(ExtensibleModuleWrapper.java:360)
    at weblogic.application.internal.ExtensibleModuleWrapper$StartStateChange.next(ExtensibleModuleWrapper.java:356)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:42)
    at weblogic.application.internal.ExtensibleModuleWrapper.start(ExtensibleModuleWrapper.java:138)
    at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:124)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:213)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:208)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:42)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:70)
    at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:24)
    at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:729)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:42)
    at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:258)
    at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:61)
    at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:165)
    at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:80)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:222)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:414)
    at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:51)
    at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
    at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:30)
    at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:240)
    at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:169)
    at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:123)
    at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:191)
    at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:99)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:312)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:264)

  18. Raj Avatar
    Raj

    Hello Randy,

    Thank you for creating a detail blog about PeopleSoft Kerberos SSO, it helped quite few admins including me getting the Kerberos setup done.
    We have implemented Kerberos in our POC and works great when the crypto is set to RC4-HMAC(NT) but when enforcing to AES-256-CTS-HMAC-SHA1-96, we see public user landing page versus the user session. Has anyone tried AES-256 versus RC4? If so anything to watch out in the configuration or code.

    OS : Windows 2012 across all layers
    PT 8.55.13, Weblogic 12.1.3

    Thank you in advance!
    Raj

    1. Randy Avatar

      Hi Raj,

      Have you tried installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files? http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

  19. Michael Avatar
    Michael

    Hi Randy,

First off, thank you for this article, really really helpful …
Unfortunately I came to a point where I always have the same error in PIA_Stdout.log, the famous "Invalid token" one.

I have put more logging in and this is what I get (after having installed the JCE unlimited policy files).

    Do you have any idea, tips on how to get more information about this “Invalid token” issue? It is really difficult to see what is happening since the log files are not really helpful …

    One important thing to mention is that I can get a valid token when using the keytab file with kinit …

    Thanks a lot,
    Michael

  20. Ricky E Woole II Avatar
    Ricky E Woole II

    Hello Randy,
    Thanks for the great article. Was wondering if you could help point me in a direction that might help. We are getting the Received invalid token error. I have gotten the file to recompile and have the additional error of GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) – Cannot find key of appropriate type to decrypt AP REP – AES256 CTS mode with HMAC SHA1-96. Me and my admin have tried everything we can think of or find to resolve this error. Do you have any additional input on getting this corrected? Thanks.

    1. Randy Avatar

      Since it can’t find the key, I would start by double checking your SPN is right and look at the key version numbers. Maybe the key numbers are out of sync between the krb server and the keytab. Also, I’ve seen people use FQDN for SPN and then try to access the site by just hostname. You would need to use the same FQDN as used for the SPN.

  21. Khan Avatar
    Khan

    Hi Randy,

    We moved PeopleSoft environments and Kerberos from Windows to Linux.
Can we use the same keytab? We are getting the invalid token issue. Please help me resolve the "Received Invalid Token" in the PIA log.
