Yesterday, I was working to resolve an issue whereby users from one of a number of Active Directory domains were unable to automagically log in to WebSphere Application Server v7 ( hosting IBM Connections v3 and IBM WebSphere Portal v7 ) using SPNEGO/Kerberos.
The user would arrive at the site, via a load-balanced URL, but would be presented with the login page, rather than getting into the application transparently.
I knew that this worked for me, in another AD domain, so was reasonably confident that the AD and SPNEGO configuration was OK.
Therefore, I enabled tracing in WAS using this trace string: -
( I love the way that WAS 7 allows one to enable tracing in-flight, without needing to restart the JVM ).
I saw the usual bunch of SPNEGO messages, indicating that WAS was pulling out the userPrincipalName (UPN) attribute e.g. firstname.lastname@example.org from the SPNEGO token.
However, I also saw references to a First Failure Data Capture (FFDC) log, and a corresponding com.ibm.websphere.wim.exception.EntityNotFoundException error.
This was the main error within the FFDC log: -
[25/07/12 17:13:28:341 BST] FFDC
com.ibm.websphere.wim.exception.EntityNotFoundException: CWWIM4001E The 'email@example.com' entity was not found.
Given that the error was coming from the WebSphere Identity Manager (WIM) component of WAS, I had a fair suspicion of the root cause.
I compared and contrasted the cell-level wimconfig.xml file, looking at the working domain ( for the UPN firstname.lastname@example.org ): -
and the failing domain ( for the UPN email@example.com ): -
Can you spot the error ? I bet you can ….
I'd forgotten to explicitly add: -
to the definition for the newly added realms ( for the two new AD domains ).
Therefore, WAS/WIM was correctly pulling the userPrincipalName attribute, but did not know what to do with that i.e. what to map it to in WIM.
Once I explicitly mapped userPrincipalName to uid, WAS/WIM could then correctly use it as a login attribute ( along with commonName - cn ), and SSO started working.
Something else to add to my ever-evolving presentation: -
Desktop Single Sign-On in an Active Directory World