9 replies, latest post 2012-11-18T10:21:21Z by SystemAdmin
SystemAdmin
9855 Posts

Pinned topic SPNEGO - SSO

2012-06-21T10:59:17Z
How can I tell if I am passing a Kerberos ticket to a web page? I have set up a SPNEGO Linux server, configured the Kerberos client, manually edited krb5.conf to support Win2003, created an identity for WebSEAL in an Active Directory domain, mapped the Kerberos principal to the Active Directory user, copied the keytab file to my Linux server, set the correct permissions, verified the authentication of the web server principal and verified WebSEAL authentication using the keytab file, all successfully. I have then modified the WebSEAL configuration to support SPNEGO and created a junction.

When I log in to TAMeB (http) and access my WebSEAL junction for /citrix/Xenapp, I receive 'An authentication error occurred. Contact your system administrator. Log' generated by the Citrix Secure Web Gateway.

Using https, I don't even get that far; instead, after confirming the certificate, I get:

Access Manager WebSEAL could not complete your request due to an unexpected error.

Diagnostic Information
Method: GET

URL: /

Error Code: 0x13212064

Error Text: HPDIA0100E An internal error has occurred.
Updated on 2012-11-18T10:21:21Z by SystemAdmin
  • SystemAdmin

    Re: SPNEGO - SSO

    2012-06-21T13:25:47Z in response to SystemAdmin
    "When I log in to TAMeB (http) and access my WebSEAL junction for /citrix/Xenapp"

    When you've configured WebSEAL with SPNEGO integration, you (the user) don't have to "log in". Your IE browser should just "go" to the junction.

    So, what do you mean by "log in"?
    • SystemAdmin

      Re: SPNEGO - SSO

      2012-06-21T13:33:50Z in response to SystemAdmin
      I am being presented with the WebSEAL login dialogue screen. This login screen is being presented even if I use http://webseal-hostname/Citrix/XenApp1.
      • SystemAdmin

        Re: SPNEGO - SSO

        2012-06-21T14:00:38Z in response to SystemAdmin
        What does your "spnego" stanza look like?
        • SystemAdmin

          Re: SPNEGO - SSO

          2012-06-21T14:07:38Z in response to SystemAdmin

              spnego-auth = https
              use-domain-qualified-name = yes
              spnego-krb-service-name = HTTP@webseal-host.com
              spnego-krb-keytab-file = /var/pdweb/keytab-default/webseal-host_HTTP.keytab
          • SystemAdmin

            Re: SPNEGO - SSO

            2012-06-21T14:19:00Z in response to SystemAdmin
            Then https is what you should be connecting to, not http.

            And that internal error likely means you've configured something incorrectly.

            Where (full path) is the krb5.conf that you're using? (Some Linux systems seem to have one under /etc, AND another one under /etc/krb (or krb5, can't remember), but WebSEAL only uses one of them.)
          • SystemAdmin

            Re: SPNEGO - SSO

            2012-06-21T14:22:05Z in response to SystemAdmin
            Also, if it helps, look for Apache & krb integration. There are a lot of examples on the web.
            The reason I'm suggesting this is that most configuration mistakes are with the "typical" *nix & krb integration (a pitfall for most people), and have very little to do with WebSEAL.
            • SystemAdmin

              Re: SPNEGO - SSO

              2012-06-21T14:51:42Z in response to SystemAdmin
              Strangely, in the krb5.conf file there is a reference:

                  [libdefaults]
                  default_keytab_name = FILE:/etc/krb5/krb5.keytab

              'krb5.keytab' does not exist at all, and none of the logs defined below in the file exist either.

                  [logging]
                  kdc = FILE:/var/krb5/log/krb5kdc.log
                  admin_server = FILE:/var/krb5/log/kadmin.log
                  default = FILE:/var/krb5/log/krb5lib.log

              Thanks for the other suggestion; I'll look for Apache & krb integration.
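A small configuration checker that encodes the points raised in the replies above: WebSEAL only issues a SPNEGO challenge over the scheme named in `spnego-auth`, the service name must be in `HTTP@<fqdn>` form, and the keytab and log paths that the stanza and krb5.conf reference must actually exist. This is an added example, not code from the thread or from IBM; the stanza values and krb5.conf text are the ones quoted above, and the set of paths present on the host is constructed (only the WebSEAL keytab exists, matching the poster's observation).

```python
import os

# Constructed sample input using the values quoted in the thread above.
SPNEGO_STANZA = {
    "spnego-auth": "https",
    "spnego-krb-service-name": "HTTP@webseal-host.com",
    "spnego-krb-keytab-file": "/var/pdweb/keytab-default/webseal-host_HTTP.keytab",
}
KRB5_CONF = """[libdefaults]
default_keytab_name = FILE:/etc/krb5/krb5.keytab
[logging]
kdc = FILE:/var/krb5/log/krb5kdc.log
admin_server = FILE:/var/krb5/log/kadmin.log
default = FILE:/var/krb5/log/krb5lib.log
"""
PRESENT = {"/var/pdweb/keytab-default/webseal-host_HTTP.keytab"}  # constructed: only the keytab exists

def parse_krb5_conf(text):
    """Flat key = value parser for krb5.conf's INI-like sections; nested '{ }' realm blocks are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{") or line == "}":
            depth += 1 if line.endswith("{") else -1
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current and depth == 0:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_spnego(stanza, krb5, scheme, exists=os.path.exists):
    """Return (code, detail) findings for a [spnego] stanza dict, a parsed krb5.conf and the URL scheme used."""
    findings = []
    auth = stanza.get("spnego-auth", "none")  # documented values: none | http | https | both
    if auth not in ("both", scheme):
        findings.append(("spnego-auth", f"{auth}: no SPNEGO challenge over {scheme}, the login form is shown"))
    svc = stanza.get("spnego-krb-service-name", "")
    if not svc.startswith("HTTP@") or "/" in svc:
        findings.append(("service-name", f"{svc!r} is not in HTTP@<fqdn> form"))
    keytab = stanza.get("spnego-krb-keytab-file", "")
    if not exists(keytab):
        findings.append(("keytab", f"{keytab} not found"))
    default_kt = krb5.get("libdefaults", {}).get("default_keytab_name", "").replace("FILE:", "", 1)
    if default_kt and not exists(default_kt):
        findings.append(("default_keytab_name", f"{default_kt} is referenced but missing"))
    for name, target in krb5.get("logging", {}).items():  # FILE:/path entries need an existing directory
        if target.startswith("FILE:") and not exists(os.path.dirname(target[5:])):
            findings.append(("logging", f"{name}: directory for {target} does not exist"))
    return findings
```

Run against the thread's values, an http request produces five findings and an https request four: the missing `spnego-auth` match disappears, but the dangling `default_keytab_name` and the three log directories remain.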
  • SystemAdmin

    Re: SPNEGO - SSO

    2012-07-13T09:08:21Z in response to SystemAdmin
    I fixed the problem of authentication using kinit by copying '/usr/local/krb5/krb5.conf' to '/etc/krb5.conf' after walking through the configuration; however, in WebSEAL I still failed to pass the ticket correctly. It seems that we need to purchase TFIM, since we only have TAMeB, in order to do what we want, which is to use WebSEAL to authenticate users instead of Citrix Secure Gateway. The alternative is to change the authentication method on the IIS part of Citrix Secure Gateway, which we will try at a later date, and then use either forms or basic authentication.
    Thanks for the help.
    • SystemAdmin

      Re: SPNEGO - SSO

      2012-11-18T10:21:21Z in response to SystemAdmin
      Wanted to know the integration architecture / SSO mechanism used between WebSEAL and Citrix. Is it the form-based SSO or some other way of integration?