-
Title
Single Sign-on stopped working after ktpass command issued again. Error "Acquire server credential failed" reported. -
Description
Single Sign-on (SSO) stopped working after the ktpass command was issued again. The new keytab file was placed on the Foglight Management Server (FMS) host but a blank page was displayed when users attempted to access the Foglight console using SSO.
The following type of errors may be reported when the FMS was started with debug switches ( -Dquest.debug=1 -Dsun.security.krb5.debug=true -Dsun.security.spnego.debug=true).
YYYY-MM-DD hh:mm:ss.SSS ERROR [forge-startup] com.quest.nitro.service.security.krb5.Krb5AuthenticationService - Acquire server credential failed.
javax.security.auth.login.LoginException: No CallbackHandler available to garner authentication information from the userYYYY-MM-DD hh:mm:ss.SSS ERROR [forge-startup] com.quest.nitro.service.security.krb5.Krb5AuthenticationService - Acquire server credential failed.
javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) -
Cause
CAUSE 1
When the FMS starts the Krb5AuthenticationService the server acquires the credential from the keytab file. The message indicates the keytab file was not created correctly.
The ktpass command had been run without substituting in the actual REALM for the string "REALM" in the following command so the credentials were not working.
ktpass -princ HTTP/@REALM -mapuser "\" -pass -out
CAUSE 2
The ktpass command has been run with the -setpass and -setupn parameters which could cause mismatch with the account credentials or the key version number (kvno).
-
Resolution
RESOLUTION 1
Run the ktpass command with the actual REALM in place of the string "REALM" and then replace the current keytab file on the FMS host with the newly created keytab file.
For example, if the FMS host is "fmshost.example.com", the REALM is EXAMPLE.COM, the user is sso_foglight and the keytab file is written to "c:\keytab_file" the ktpass command would appear as follows:ktpass -princ HTTP/fmshost.example.com@EXAMPLE.COM -mapuser example.com\sso_foglight -pass [password] -out [keytabFilePath]
RESOLUTION 2
Run the ktpass command without the -setpass and -setupn parameters; for example:
ktpass -princ HTTP/fmshost.example.com@EXAMPLE.COM -mapuser example.com\[user] /pass [password] -ptype KRB5_NT_PRINCIPAL -crypto AES256-SHA1 -out [keytabFilePath]
-
Additional Information
For other issues related to Single Sign-on (SSO) refer to the following articles: