Getting basic authentication box appear when trying SSO (Websphere/keytabs)

I am trying to auto login via SSO on an app that is hosted within WebSphere. When I navigate to the SSO URL, it asks me for a username and password; when I put the credentials in, this works fine. I believe that the issue is within the keytab, but everything I have looked at online seems to indicate that it is fine.

The problem

I have two app servers hosted within Azure, domain joined to domain1.org.

These two servers sit behind a load balancer within Azure, but using the DNS name dev-domain1.org.

Note: I have tested reverting all DNS from dev-domain1.org to the AD domain domain1.org, and SSO works.

SPN User

Created within AD: User: DOMAIN1.ORG\USERNAME with SPN HTTP/env.domain1.org

Created the keytab with the following command:

ktpass.exe -princ HTTP/[email protected] -mapuser DOMAIN1.ORG\USERNAME -pass [PASSWORD] -crypto all -kvno 0 -ptype KRB5_NT_PRINCIPAL -out "F:\PATHTOKEYTAB\.keytab "

Updated .conf file

[libdefaults]
    default_realm = AD_DOMAIN
    default_keytab_name = FILE:F:\IBM\WebSphere\AppServer\keytab
    default_tkt_enctypes = rc4-hmac des-cbc-md5
    default_tgs_enctypes = rc4-hmac des-cbc-md5
    forwardable  = true
    renewable  = true
    noaddresses = true
    clockskew  = 300
[realms]
    AD_DOMAIN = {
        kdc = DC01.ad_domain:88
        default_domain = ad_domain
    }
[domain_realm]
    .ad_domain = AD_DOMAIN
    .dns_domain = AD_DOMAIN

Does anyone know how I should be setting up the keytab, or even WebSphere itself, if I want to use another domain for the URL that is different from the AD/internal domain?

Thanks in advance!

Solution 1:

You stated: "if I want to use another domain for the URL that is different from the AD/internal domain?"

Are you asking about a DNS domain or an AD domain? For example, my URL has the DNS name server1.ibm.com but the AD domain is domain1.com?

If so, first you need to make sure the AD domain DNS is able to look up the URL server1.ibm.com.

Next, you need to map ibm.com to the AD domain domain1.com in the krb5.ini file. Check this URL https://www.ibm.com/docs/en/was-zos/9.0.5?topic=server-creating-kerberos-configuration-file and the example -dns austin.ibm.com|raleigh.ibm.com
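A worked krb5.ini fragment for the setup in the question, added here as an illustration and not part of the answer or of IBM's documentation: it maps both the AD DNS domain (domain1.org) and the load-balancer DNS domain (dev-domain1.org) to the single AD realm, so a service ticket for a host under dev-domain1.org is requested from the DOMAIN1.ORG KDC. The KDC host name dc01.domain1.org and the keytab path are assumed placeholders.

```ini
[libdefaults]
    default_realm = DOMAIN1.ORG
    # keytab path is an assumed placeholder; use the file written by ktpass
    default_keytab_name = FILE:F:\IBM\WebSphere\AppServer\krb5.keytab
    # the keytab was built with -crypto all, so AES can be listed alongside RC4;
    # des-cbc-md5 is left out because current domain controllers reject DES
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
    forwardable  = true
    renewable    = true
    noaddresses  = true
    clockskew    = 300

[realms]
    DOMAIN1.ORG = {
        # assumed placeholder for a domain controller of domain1.org
        kdc = dc01.domain1.org:88
        default_domain = domain1.org
    }

[domain_realm]
    # AD DNS domain -> AD realm
    .domain1.org = DOMAIN1.ORG
    domain1.org = DOMAIN1.ORG
    # load-balancer DNS domain used in the browser URL -> same AD realm
    # (this is the mapping the answer describes)
    .dev-domain1.org = DOMAIN1.ORG
    dev-domain1.org = DOMAIN1.ORG
```

The browser asks the KDC for a ticket to HTTP/<host name in the URL>, so the SPN registered with ktpass must be the load-balancer name the client resolves, not only the internal AD host name.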

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1: Ram