PROBLEM
I get an error trying to enable SPNEGO on the WebSphere application server (WAS ND, single node) 9.0.0.7. I have succeeded on another server, but for this one I can't find the problem.
I get the following error message:
org.ietf.jgss.GSSException, major code: 13, minor code: 0 major string: Invalid credentials minor string: Cannot get credential from JAAS Subject for principal: HTTP/server.aa.bbb.ccc@DDDDDDD.BBB.CCC
And from the trace file:
javax.security.auth.login.FailedLoginException: Cannot retrieve key from keytab HTTP/server.aa.bbb.ccc@DDDDDDD.BBB.CCC
CONFIGURATION
- On the domain controller:
setspn -A HTTP/server.aa.bbb.ccc AD-ACCOUNT-1
ktpass -out AD-ACCOUNT-1.keytab -princ HTTP/server.aa.bbb.ccc@DDDDDDD.BBB.CCC -mapuser AD-ACCOUNT-1 -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL /pass <PASSWORD>
- WAS is successfully configured with LDAP connection using the user AD-ACCOUNT-1.
- Keytab stored as /app/sysx/WebSphere/AppServer/AD-ACCOUNT-1.keytab
$AdminTask createKrbConfigFile {-krbPath /app/sysx/WebSphere/AppServer/profiles/InfoSphere/krb5.conf -realm DDDDDDD.BBB.CCC -kdcHost ddddddd.bbb.ccc -dns ddddddd.bbb.ccc -keytabPath /app/sysx/WebSphere/AppServer/AD-ACCOUNT-1.keytab -encryption aes256-cts-hmac-sha1-96}
- WAS Admin web console: Global security > SPNEGO web authentication
- Kerberos config file: /app/sysx/WebSphere/AppServer/profiles/InfoSphere/krb5.conf
- Keytab: /app/sysx/WebSphere/AppServer/AD-ACCOUNT-1.keytab
- SPNEGO Filter:
Host name: server.aa.bbb.ccc
Kerberos Realm Name: DDDDDDD.BBB.CCC
Filter Criteria: request-url^=ibm/iis/igc/services|ibm/iis/igc/secure|ibm/iis/igc-rest;request-url!=noSPNEGO
Trim: Checked
- Kerberos config file:
I have tried adding all aliases to the /etc/hosts based on similar cases I found online, but it didn't help.