It looks like a similar issue; it was solved by changing the serviceaccountname value to the value matching the user logon name in Active Directory, on the FilnetP8kerberosservice tab.
Original Message:
Sent: Fri August 25, 2023 12:30 AM
From: Lakshya Agarwal
Subject: FileNet API using SSO kerberos/SPNEGO AES256
Hello, I faced a similar issue after the Java upgrade to 8.0.7.20, so I created 2 new SPNs mapped to 2 separate accounts:
HTTP/<FQDN_SERVERNAME>
FNCEWS/<FQDN_SERVERNAME>
and then merged both keytab files.
When the client application tries to make a connection using the SPN starting with FNCEWS it fails, but it works when it uses the SPN starting with HTTP.
Have you faced a similar issue?
Thanks
------------------------------
Lakshya Agarwal
Original Message:
Sent: Tue March 07, 2023 04:51 AM
From: Maarten Vekens
Subject: FileNet API using SSO kerberos/SPNEGO AES256
We are currently using SSO with Kerberos/SPNEGO on our FileNet API.
As we will disable old encryption types, we are testing our lab environment using AES256. I have followed the guidelines explained at the link below:
SPNEGO single-sign-on errors observed after installing Novembers 11, 2022 Microsoft Security Fixes
Microsoft issued a November 11, 2022 security fix against their Microsoft Windows Operating System which included a change that caused issues with SPNEGO single-sign-on. This technote is designed to assist you in identifying the problems that may arise when using SPNEGO with WebSphere Application Server, and offers some corrective actions you can take.
We are using IBM Content Engine 5.5.10 on WebSphere 9.0.5.11. I have updated Java to the latest version found on the IBM site, ibm-java-sdk-8.0-7.20-win-x64-installmgr.
- On Java we have activated the unlimited policy.
- In Active Directory, the user account is set to AES256.
- We have reset the user account.
- The keytab is created using AES256 only:
ktpass /out D:\FileNetT.keytab /mapuser SOMEUSER /pass T*TS4EVER /princ HTTP/someurl@SOME.DOMAIN /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /kvno 0
- The ini file will only allow AES256:
default_tkt_enctypes = aes256-cts-hmac-sha1-96
default_tgs_enctypes = aes256-cts-hmac-sha1-96
Single sign-on on the WebSphere DMGR, Navigator and ACCE is working without any issue; it's only when we make a call to the FileNet API that we receive an access denied.
000000D8 WSI FNRCE0000E - ERROR [WSIAuthenticatorImpl] Kerberos web services login failed: Failed Kerberos service ticket login: org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Error: java.lang.Exception: Error: org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
message: com.ibm.security.krb5.internal.KrbException, status code: 31
message: Integrity check on decrypted field failed. Message : Failed Kerberos service ticket login: org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Error: java.lang.Exception: Error: org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
message: com.ibm.security.krb5.internal.KrbException, status code: 31
message: Integrity check on decrypted field failed: Failed Kerberos service ticket login: org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Error: java.lang.Exception: Error: org.ietf.jgss.GSSException, major code: 11, minor code: 0
major string: General failure, unspecified at GSSAPI level
minor string: Kerberos error while decoding and verifying token: com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
message: com.ibm.security.krb5.internal.KrbException, status code: 31
message: Integrity check on decrypted field failed
I'm a little bit stuck on this issue. Does anybody have an idea?
Attached I added some extra logging; advanced logging on SPNEGO/Kerberos did not provide much more. To me it looks like FileNet can't talk to the keytab.
------------------------------
Maarten Vekens
------------------------------
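Kerberos status code 31 in the log above is KRB_AP_ERR_BAD_INTEGRITY ("Integrity check on decrypted field failed"): the service tried to decrypt the ticket with the key it holds and the checksum did not match, which is what you see when the keytab entry for the requested SPN has the wrong key, kvno or enctype, or when the SPN the client asked for is not in the keytab at all. Before touching the WebSphere side it is worth dumping exactly what the keytab (or the merged keytab from the later reply) contains. The script below is an added example written for this page, not IBM, WebSphere or ktpass code; it parses the 0x0502 keytab format that ktpass writes and flags entries that would not satisfy an aes256-cts-hmac-sha1-96-only policy. The sample keytab, the principal names and the zero-byte keys are constructed inline so it runs offline; point `inspect_keytab()` at a real file such as D:\FileNetT.keytab to check your own.

```python
"""Dump a Kerberos keytab and check it against an AES256-only policy.

Added example for this thread (not IBM/WebSphere code). Keytab format 0x0502:
  u16 version | repeated: i32 size, u16 ncomp, counted realm, ncomp counted
  components, u32 name_type, u32 timestamp, u8 vno8, u16 enctype,
  u16 keylen, key bytes [, u32 vno32]
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

AES256 = 18  # aes256-cts-hmac-sha1-96, the only enctype the post's krb5.ini allows
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
KRB5_NT_PRINCIPAL = 1  # the /ptype used in the ktpass command above


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    kvno: int
    enctype: int
    key_len: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPES.get(self.enctype, f"unknown({self.enctype})")


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a u16-length-prefixed octet string, return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError(f"unsupported keytab version {data[:2]!r}")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size == 0:
            break
        if size < 0:          # negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, _stamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen       # skip the key material itself
        kvno = vno8
        if end - off >= 4:    # optional 32-bit kvno; a non-zero value wins
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, kvno, enctype, klen))
        off = end
    return entries


def check_keytab(data: bytes, required_spn: str, allowed=frozenset({AES256})):
    """Return (entries, problems): required_spn must have a key in an allowed
    enctype, and no entry may use a disallowed one (a stray RC4 key means the
    service can be offered a ticket its policy cannot decrypt)."""
    entries = parse_keytab(data)
    problems = []
    matching = [e for e in entries if e.principal == required_spn]
    if not matching:
        problems.append(f"no entry for {required_spn}")
    elif not any(e.enctype in allowed for e in matching):
        problems.append(f"{required_spn}: no key in an allowed enctype")
    for e in entries:
        if e.enctype not in allowed:
            problems.append(f"{e.principal}: {e.enctype_name} (kvno {e.kvno}) is not allowed")
    return entries, problems


def inspect_keytab(path: str, required_spn: str):
    with open(path, "rb") as fh:
        return check_keytab(fh.read(), required_spn)


def build_keytab(specs) -> bytes:
    """Serialise (principal, name_type, kvno, enctype, key) tuples; used only to
    construct the sample below."""
    out = bytearray(b"\x05\x02")
    for princ, name_type, kvno, enctype, key in specs:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


# Constructed sample (dummy all-zero keys): a merged keytab where the HTTP SPN
# has an AES256 key but the FNCEWS SPN only got an RC4 key.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/someurl@SOME.DOMAIN", KRB5_NT_PRINCIPAL, 3, AES256, bytes(32)),
    ("FNCEWS/someurl@SOME.DOMAIN", KRB5_NT_PRINCIPAL, 2, 23, bytes(16)),
])

if __name__ == "__main__":
    entries, problems = check_keytab(SAMPLE_KEYTAB, "FNCEWS/someurl@SOME.DOMAIN")
    for e in entries:
        print(f"{e.principal:32} kvno={e.kvno} enctype={e.enctype_name} keylen={e.key_len}")
    for p in problems:
        print("PROBLEM:", p)
```

Compare the kvno it reports with the kvno the KDC actually hands out for that account (every password reset of the service account bumps it); a mismatch, or an SPN that is simply absent from the merged file, gives exactly the status 31 failure quoted in the post.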