Monday, 23 April 2018

WAS and AD and SPNEGO - Oops, I broke my LDAP

In the process of setting up Single Sign-On (SSO) between Microsoft Active Directory 2012 and WebSphere Application Server, I inadvertently broke my directory ….

Having run this command: -

ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass P455w0rd -ptype KRB5_NT_PRINCIPAL

I then saw this: -

[23/04/18 15:29:16:636 BST] 00000104 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580^@]; resolved object com.sun.jndi.ldap.LdapCtx@d088f31d' naming exception occurred during processing.
[23/04/18 15:29:16:637 BST] 00000104 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext
                                 com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\u0000]; resolved object com.sun.jndi.ldap.LdapCtx@d088f31d' naming exception occurred during processing.

...
[23/04/18 15:53:02:425 BST] 00000166 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580]; resolved object com.sun.jndi.ldap.LdapCtx@8633793e' naming exception occurred during processing.
[23/04/18 15:53:02:426 BST] 00000166 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext 
                                 com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E  The 'javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580\u0000]; resolved object com.sun.jndi.ldap.LdapCtx@8633793e' naming exception occurred during processing.

...

and this in the browser: -


What did I do wrong ?

Well, when I ran this command: -

ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass P455w0rd -ptype KRB5_NT_PRINCIPAL

to generate the Kerberos keytab, I used the WRONG password :-(

This meant that, when Kerberos attempted to kick in and log me, using the Service Account UK\bpmbind, it did so with the wrong password, causing Windows to lock the account.

Once I reset the password back to the PROPER password, things proceeded more smoothly ….

In other words, I reset the password in Windows back to the same password that WAS was using to bind to AD via LDAP.

I did then go and regenerate the key tab using the CORRECT password :-)

List the Service Principle Names

setspn -l bpmbind

Registered ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com:
        HTTP/bpm857.uk.ibm.com


Delete the "bad" one

setspn -d HTTP/bpm857.uk.ibm.com bpmbind

Unregistering ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com
        HTTP/bpm857.uk.ibm.com
Updated object


Recreate the keytab AND create a new SPN

ktpass -out bpm857.keytab -princ HTTP/bpm857.uk.ibm.com@UK -mapUser UK\bpmbind -mapOp set -pass Qp455w0rd -ptype KRB5_NT_PRINCIPAL

Targeting domain controller: was90box.uk.ibm.com
Successfully mapped HTTP/bpm857.uk.ibm.com to bpmbind.
Password successfully set!
Key created.
Output keytab to bpm857.keytab:
Keytab version: 0x502
keysize 60 HTTP/bpm857.uk.ibm.com@UK ptype 1 (KRB5_NT_PRINCIPAL) vno 9 etype 0x17 (RC4-HMAC) keylength 16 (0xd35a1de683986444c22c35127a44b349)

List the Service Principle Names

setspn -l bpmbind

Registered ServicePrincipalNames for CN=bpmbind,CN=Users,DC=uk,DC=ibm,DC=com:
        HTTP/bpm857.uk.ibm.com

Nice :-)

No comments: