When users and groups are configured to be qualified with QualifyUserPrincipal = true and QualifyGroupName = true (the default configuration), Windows Single Sign-On (SSO) fails and the web browser displays a 401 Unauthorized error.
Messages in the Management Server logs:
ERROR [http-exec-4] com.quest.nitro.web.tomcat.NitroSpnegoAuthenticator - Expecting Negotiagte but found: Bearer eyJ0eXAiOiJKV1Q ...
INFO [http-exec-6] com.quest.forge.rest.resources.SecurityResource - login failed
javax.security.auth.login.FailedLoginException: Login failed.
This behavior is seen when accessing the web interface through AUI (/aui); SSO works when using the Classic Console (/console/).
WORKAROUND 1
Apply the following change so that the server does not append the domain to usernames and groups.
Set QualifyUserPrincipal and QualifyGroupName to false in [FMS_HOME]/config/krb5-auth.config; for example:
QualifyUserPrincipal = false; QualifyGroupName = false;
Note: With the above change, new users and groups will be created without the domain.
WORKAROUND 2
The following steps allow usernames to be qualified, but groups will not be automatically imported and need to be added manually.
Set QualifyUserPrincipal and QualifyGroupName to true in [FMS_HOME]/config/krb5-auth.config; for example:
QualifyUserPrincipal = true; QualifyGroupName = true;
UserQueryFilter = "(&(objectClass=user)(userPrincipalName={0}))";
STATUS
This issue has been logged as defect ID FOG-8711 and is waiting for a fix in a future release of Foglight.
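A triage check for the symptoms described above, as an added example (not Quest's code): it looks for the SPNEGO authenticator receiving a Bearer credential followed by a failed login, reads the two qualification flags, and redacts the token so the excerpt can be attached to a support case. The sample log and config are constructed, the function names are hypothetical, and the config is assumed to use the `Name = value;` form shown in the workarounds.

```python
import re

# Constructed sample input modelled on the excerpt above; the token is a placeholder.
SAMPLE_LOG = """\
ERROR [http-exec-4] com.quest.nitro.web.tomcat.NitroSpnegoAuthenticator - Expecting Negotiagte but found: Bearer eyJ0eXAi.PLACEHOLDER.SIG
INFO [http-exec-6] com.quest.forge.rest.resources.SecurityResource - login failed
javax.security.auth.login.FailedLoginException: Login failed.
INFO [http-exec-7] com.example.Other - unrelated constructed line
"""
SAMPLE_CONFIG = "QualifyUserPrincipal = true; QualifyGroupName = true;"

# "found: <scheme> <credential>" as logged by the SPNEGO authenticator.
MISMATCH_RE = re.compile(r"(NitroSpnegoAuthenticator - Expecting \w+ but found: )(\S+)[ \t]+\S.*")
SETTING_RE = re.compile(r"\b(QualifyUserPrincipal|QualifyGroupName)\s*=\s*(true|false)\s*;")

def qualify_settings(config_text):
    """Read the two flags; a flag that is not set counts as true (the default per the article)."""
    flags = {"QualifyUserPrincipal": True, "QualifyGroupName": True}
    for name, value in SETTING_RE.findall(config_text):
        flags[name] = value == "true"
    return flags

def scan_log(log_text):
    """Return (schemes seen by the SPNEGO authenticator, login-failure count, redacted log)."""
    schemes, failures, redacted = [], 0, []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            schemes.append(m.group(2))
            # Keep the scheme, drop the credential so the excerpt is safe to share.
            line = line[:m.start()] + m.group(1) + m.group(2) + " [REDACTED]"
        elif "SecurityResource - login failed" in line:
            failures += 1
        redacted.append(line)
    return schemes, failures, "\n".join(redacted)

def matches_reported_symptoms(log_text, config_text):
    """True when the log shows Bearer reaching the SPNEGO authenticator plus a failed
    login while both names are qualified: the combination the article describes."""
    schemes, failures, _ = scan_log(log_text)
    return "Bearer" in schemes and failures > 0 and all(qualify_settings(config_text).values())

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG)[2])
    print("matches article symptoms:", matches_reported_symptoms(SAMPLE_LOG, SAMPLE_CONFIG))
```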