Content Management and Capture

  • 1.  FileNet API using SSO kerberos/SPNEGO AES256

    Posted Tue March 07, 2023 09:45 AM

    We are currently using SSO with Kerberos/SPNEGO on our FileNet API.

    As we will disable old encryption types, we are testing our lab environment using AES256. I have followed the guidelines explained in the link below:

    SPNEGO single-sign-on errors observed after installing November 11, 2022 Microsoft Security Fixes

    Microsoft issued a November 11, 2022 security fix against their Microsoft Windows Operating System which included a change that caused issues with SPNEGO single-sign-on. This technote is designed to assist you in identifying the problems that may arise when using SPNEGO with WebSphere Application Server, and offers some corrective actions you can take.

    We are using IBM Content Engine 5.5.10 on WebSphere 9.0.5.11. I have updated Java to the latest version found on the IBM site, ibm-java-sdk-8.0-7.20-win-x64-installmgr.

    - In Java we have activated the unlimited policy.

    - In Active Directory, the user is set to AES256.

    - We have reset the user account.

    - The keytab is created using AES256 only:

    ktpass /out D:\FileNetT.keytab /mapuser SOMEUSER /pass T*TS4EVER /princ HTTP/someurl@SOME.DOMAIN /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /kvno 0

    - The ini file will only allow AES256:

        default_tkt_enctypes = aes256-cts-hmac-sha1-96
        default_tgs_enctypes = aes256-cts-hmac-sha1-96

    Single sign-on on the WebSphere DMGR, Navigator and ACCE is working without any issue; it is only when we make a call to the FileNet API that we receive an access denied.

    000000D8 WSI  FNRCE0000E - ERROR [WSIAuthenticatorImpl] Kerberos web services login failed: Failed Kerberos service ticket login: org.ietf.jgss.GSSException, major code: 11, minor code: 0
        major string: General failure, unspecified at GSSAPI level
        minor string: Error: java.lang.Exception: Error: org.ietf.jgss.GSSException, major code: 11, minor code: 0
        major string: General failure, unspecified at GSSAPI level
        minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
        message: com.ibm.security.krb5.internal.KrbException, status code: 31
        message: Integrity check on decrypted field failed. Message : Failed Kerberos service ticket login: org.ietf.jgss.GSSException, major code: 11, minor code: 0
        major string: General failure, unspecified at GSSAPI level
        minor string: Error: java.lang.Exception: Error: org.ietf.jgss.GSSException, major code: 11, minor code: 0
        major string: General failure, unspecified at GSSAPI level
        minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
        message: com.ibm.security.krb5.internal.KrbException, status code: 31
        message: Integrity check on decrypted field failed: Failed Kerberos service ticket login: org.ietf.jgss.GSSException, major code: 11, minor code: 0
        major string: General failure, unspecified at GSSAPI level
        minor string: Error: java.lang.Exception: Error: org.ietf.jgss.GSSException, major code: 11, minor code: 0
        major string: General failure, unspecified at GSSAPI level
        minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
        message: com.ibm.security.krb5.internal.KrbException, status code: 31
        message: Integrity check on decrypted field failed

    I'm a little bit stuck on this issue. Does anybody have an idea?

    Attached, I added some extra logging; advanced logging on SPNEGO/Kerberos did not provide much more. To me it looks like FileNet can't talk to the keytab.



    ------------------------------
    Maarten Vekens
    ------------------------------

    Attachment(s): error.txt (15 KB)


  • 2.  RE: FileNet API using SSO kerberos/SPNEGO AES256

    Posted Wed March 29, 2023 04:51 AM

    Hi Maarten Vekens, the errors look more WebSphere-centric rather than FileNet API. Please refer to the reference below. Thank you.

    https://www.ibm.com/support/pages/node/6956902



    ------------------------------
    Ankit Garg Architect
    ------------------------------



  • 3.  RE: FileNet API using SSO kerberos/SPNEGO AES256

    Posted Wed March 29, 2023 05:05 AM

    Thank you, this is the first thing we tried. SSO is working on Navigator, DMGR and ACCE, but not on the FileNet API.



    ------------------------------
    Maarten Vekens
    ------------------------------



  • 4.  RE: FileNet API using SSO kerberos/SPNEGO AES256

    Posted Wed March 29, 2023 06:22 AM

    If ACCE works well, I think the FileNet CE Java API should be good too.

    Did you check whether the client JARs and server JARs are aligned with version 5.5.10 and pointing to the JVM where CPE is deployed?



    ------------------------------
    Ankit Garg Architect
    ------------------------------



  • 5.  RE: FileNet API using SSO kerberos/SPNEGO AES256

    Posted Fri August 25, 2023 12:30 AM

    Hello, I faced a similar issue after the Java upgrade to 8.0.7.20, so I created 2 new SPNs mapped to 2 separate accounts:

    HTTP/<FQDN_SERVERNAME>

    FNCEWS/<FQDN_SERVERNAME>

    and then merged both keytab files.

    When the client application tries to make a connection using the SPN starting with FNCEWS it fails, but it works when they use the SPN starting with HTTP.

    Have you faced a similar issue?

    Thanks



    ------------------------------
    Lakshya Agarwal
    ------------------------------
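    A way to see offline what a keytab like the one cut with ktpass in post 1, or the merged two-SPN keytab from post 5, actually contains, as an added example that is not code from the thread, from IBM or from WebSphere: it parses the keytab file format (the MIT 0x0502 layout that ktpass writes), lists each principal with its kvno and enctype, and flags keys that the AD account cannot use given its msDS-SupportedEncryptionTypes value (0x10 = AES256 only). The principals, realm, kvno values and key bytes are constructed placeholders, not real keys; the second sample entry is deliberately an RC4 key so the check has something to flag.

```python
"""Offline keytab inspection: list the keys a keytab holds and flag entries that an
AES256-only AD service account cannot use. Added example for this thread, not IBM or
WebSphere code. File layout is the MIT keytab format (version 0x0502) that ktpass writes."""
import struct
from dataclasses import dataclass

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
AES256 = 18
# Bits of the AD attribute msDS-SupportedEncryptionTypes -> enctype number
AD_ENCTYPE_BITS = {0x01: 1, 0x02: 3, 0x04: 23, 0x08: 17, 0x10: 18}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str            # "HTTP/host@REALM"
    kvno: int
    enctype: int
    key: bytes
    name_type: int = KRB5_NT_PRINCIPAL


def build_keytab(entries):
    """Serialize entries to keytab bytes; used below only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:                      # realm, then name components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", e.name_type, 0, e.kvno & 0xFF, e.enctype, len(e.key))
        body += e.key + struct.pack(">I", e.kvno)       # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return the KeytabEntry list stored in keytab bytes (deleted slots are skipped)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])

    def counted(pos):                                  # 16-bit length-prefixed string
        (n,) = struct.unpack_from(">H", data, pos)
        return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:                                   # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = counted(off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = counted(off)
            comps.append(c)
        name_type, _stamp, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key, off = data[off:off + klen], off + klen
        kvno = vno8
        if end - off >= 4:                             # nonzero 32-bit kvno wins over the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, name_type))
    return entries


def check_keytab(data, spn, ad_supported_mask):
    """Findings for one SPN; ad_supported_mask is the account's msDS-SupportedEncryptionTypes
    value (0x10 means AES256 only). An empty list means keytab and account agree."""
    allowed = {et for bit, et in AD_ENCTYPE_BITS.items() if ad_supported_mask & bit}
    mine = [e for e in parse_keytab(data) if e.principal == spn]
    if not mine:
        return ["no key for %s: check the ktpass /princ value and the realm case" % spn]
    findings = []
    for e in mine:
        name = ENCTYPE_NAMES.get(e.enctype, "enctype %d" % e.enctype)
        if e.enctype not in allowed:
            findings.append("%s key for %s (kvno %d), but msDS-SupportedEncryptionTypes does not allow it"
                            % (name, spn, e.kvno))
        if e.enctype == AES256 and len(e.key) != 32:
            findings.append("aes256 key for %s is %d bytes, expected 32" % (spn, len(e.key)))
    if AES256 not in {e.enctype for e in mine}:
        findings.append("no aes256 key for %s" % spn)
    return findings


# Constructed sample: two SPNs on separate accounts merged into one keytab (as in post 5).
# Key bytes are placeholders, not real Kerberos keys.
SAMPLE_ENTRIES = [
    KeytabEntry("HTTP/ce.lab.example@LAB.EXAMPLE", 3, AES256, bytes(range(32))),
    KeytabEntry("FNCEWS/ce.lab.example@LAB.EXAMPLE", 3, 23, bytes(range(16))),  # cut with RC4
]

if __name__ == "__main__":
    blob = build_keytab(SAMPLE_ENTRIES)   # for a real file: open(r"D:\FileNetT.keytab", "rb").read()
    for e in parse_keytab(blob):
        print(e.principal, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    for spn in ("HTTP/ce.lab.example@LAB.EXAMPLE", "FNCEWS/ce.lab.example@LAB.EXAMPLE"):
        print(spn, "->", check_keytab(blob, spn, 0x10) or ["ok"])
```

    Point parse_keytab at the bytes of the keytab WebSphere is configured to read and compare the kvno it reports with the account's msDS-KeyVersionNumber attribute in AD. KrbException status code 31 in the log above is KRB_AP_ERR_BAD_INTEGRITY ("Integrity check on decrypted field failed"), which the JGSS layer raises when the incoming service ticket cannot be decrypted with the key it found, so principal name, enctype, kvno and the key itself in the keytab all have to match what the KDC used when it issued the ticket.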



  • 6.  RE: FileNet API using SSO kerberos/SPNEGO AES256

    Posted Mon August 28, 2023 07:45 AM
    Edited by Maarten Vekens Mon August 28, 2023 07:46 AM

    It looks like a similar issue. It was solved by changing the serviceaccountname value to the value matching the User logon name in Active Directory, on the FileNetP8KerberosService tab.

    Next to that, I have added our domain realm to the inbound communications.


    ------------------------------
    Maarten Vekens
    ------------------------------