In the process of setting up Single Sign-On (SSO) between Microsoft Active Directory 2012 and WebSphere Application Server, I inadvertently broke my directory ….
Having run this command: -
ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass P455w0rd -ptype KRB5_NT_PRINCIPAL
I then saw this: -
…
[23/04/18 15:29:16:636 BST] 00000104 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]; resolved object com.sun.jndi.ldap.LdapCtx@d088f31d' naming exception occurred during processing.
[23/04/18 15:29:16:637 BST] 00000104 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext
com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\u0000]; resolved object com.sun.jndi.ldap.LdapCtx@d088f31d' naming exception occurred during processing.
...
[23/04/18 15:53:02:425 BST] 00000166 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; resolved object com.sun.jndi.ldap.LdapCtx@8633793e' naming exception occurred during processing.
[23/04/18 15:53:02:426 BST] 00000166 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext
com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\u0000]; resolved object com.sun.jndi.ldap.LdapCtx@8633793e' naming exception occurred during processing.
...
and this in the browser: -
What did I do wrong?
Well, when I ran this command: -
ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass P455w0rd -ptype KRB5_NT_PRINCIPAL
to generate the Kerberos keytab, I used the WRONG password :-(
This meant that, when Kerberos attempted to kick in and log me in using the Service Account UK\bpmbind, it did so with the wrong password, causing Windows to lock the account.
Once I reset the password back to the PROPER password, things proceeded more smoothly ….
In other words, I reset the password in Windows back to the same password that WebSphere Application Server (WAS) was using to bind to AD via LDAP.
I did then go and regenerate the key tab using the CORRECT password :-)
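As an added triage aid (not part of the original post), here is a small Python parser for the CWWIM4520E lines above: it pulls out the AD sub-code hiding behind "LDAP: error code 49", where 52e is invalid credentials and 775 is an account that is already locked out, and flags when repeated 52e binds inside a time window are heading for the domain's lockout threshold. The sample log lines are constructed from the ones shown on this page; the threshold and window values are assumptions, not the domain's real policy.

```python
import re
from datetime import datetime, timedelta

# Sub-codes Active Directory returns behind "LDAP: error code 49" ("AcceptSecurityContext error, data NNN").
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong bind password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LINE_RE = re.compile(  # WAS SystemOut.log CWWIM4520E line: timestamp, thread id, LDAP code, AD sub-code
    r"\[(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d):\d{3} \w+\] (?P<thread>[0-9A-Fa-f]{8}) .*?"
    r"LDAP: error code (?P<code>\d+) - .*?AcceptSecurityContext error, data (?P<sub>[0-9a-f]{3})"
)

def parse_bind_failures(lines):
    """One dict per failed LDAP bind: when, on which thread, and what AD actually said."""
    failures = []
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a bind failure (info lines, stack frames, ...)
        failures.append({
            "when": datetime.strptime(m["ts"], "%d/%m/%y %H:%M:%S"),
            "thread": m["thread"],
            "code": int(m["code"]),
            "subcode": m["sub"],
            "reason": AD_BIND_SUBCODES.get(m["sub"], "unknown sub-code"),
        })
    return failures

def lockout_risk(failures, threshold=5, window=timedelta(minutes=30)):
    """True if `threshold` wrong-password (52e) binds fall inside one `window` (assumed policy values)."""
    times = sorted(f["when"] for f in failures if f["subcode"] == "52e")
    return any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1))

# Constructed sample: lines 1-2 follow the page's log; line 3 shows a locked-out account; line 4 is noise.
SAMPLE_LOG = [
    "[23/04/18 15:29:16:636 BST] 00000104 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; resolved object com.sun.jndi.ldap.LdapCtx@d088f31d' naming exception occurred during processing.",
    "[23/04/18 15:53:02:425 BST] 00000166 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; resolved object com.sun.jndi.ldap.LdapCtx@8633793e' naming exception occurred during processing.",
    "[23/04/18 15:54:10:001 BST] 00000166 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580]; resolved object com.sun.jndi.ldap.LdapCtx@8633793e' naming exception occurred during processing.",
    "[23/04/18 15:54:11:002 BST] 00000166 LdapConnecti I   unrelated informational line (constructed noise)",
]
```

Run parse_bind_failures over a real SystemOut.log and look at the reason column before touching the account: a run of 52e means the bind password WAS holds no longer matches AD, while 775 means the lockout has already happened.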
List the Service Principal Names
setspn -l bpmbind
Registered ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com:
HTTP/bpm857.uk.ibm.com
Delete the "bad" one
setspn -d HTTP/bpm857.uk.ibm.com bpmbind
Unregistering ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com
HTTP/bpm857.uk.ibm.com
Updated object
Recreate the keytab AND create a new SPN
ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass Qp455w0rd -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: was90box.uk.ibm.com
Successfully mapped HTTP/bpm857.uk.ibm.com to bpmbind.
Password successfully set!
Key created.
Output keytab to bpm857.keytab:
Keytab version: 0x502
keysize 60 HTTP/bpm857.uk.ibm.com@UK ptype 1 (KRB5_NT_PRINCIPAL) vno 9 etype 0x17 (RC4-HMAC) keylength 16 (0xd35a1de683986444c22c35127a44b349)
List the Service Principal Names
setspn -l bpmbind
Registered ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com:
HTTP/bpm857.uk.ibm.com
Nice :-)