
Question

The JRA Kerberos login failed

asked on October 24, 2018

I am using Laserfiche SDK 10.2 JRA for development.

I used the code below for the Kerberos login.

I have configured Kerberos as directed by the Laserfiche documentation.

Following is a sample of the code I used, with serverName, repoName, userName and password replaced.

 

---------------------------------------------------------------------------------------------------------------------

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import com.laserfiche.repository.access.RepositoryRegistration;
import com.laserfiche.repository.access.Session;

String serverName = "server IP", repoName = "repository name", userName = "user name", password = "user password";

// Point the JRE at the Kerberos and JAAS configuration files.
System.setProperty("java.security.krb5.conf", "C:/Windows/krb5.ini");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
System.setProperty("java.security.auth.login.config", "D:/LaserBeam/JRA-Security/jaas.conf");
System.setProperty("sun.security.krb5.debug", "true");
Subject subject;

try {
    // "Client" is the entry name in jaas.conf; LoginCallbackHandler is my own
    // CallbackHandler that supplies userName and password to the login module.
    LoginContext lc = new LoginContext("Client", new LoginCallbackHandler(userName, password));
    lc.login();                          // "First Login"
    subject = lc.getSubject();
} catch (LoginException e) {
    System.err.println(e.getMessage());
    return;
}

int port = 80;

// Create a new session
Session session = new Session();

// Specify the repository to log in to
RepositoryRegistration repository = new RepositoryRegistration(serverName, repoName);
session.logIn(repository, subject);     // "Second Login"

------------------------------------------------------------------------------------------------------------

 

1) I found that the "First Login" was successful.

Can anybody tell me what I logged into? Clearly, it is NOT the Laserfiche server.

What I am interested in is logging into the Laserfiche server.

But the "First Login" was successful without specifying the Laserfiche server name or IP.

I did debug and found that although the "First Login" is successful, the property "status" of "LoginContext lc" has the value false.

 

2) I found that the "Second Login" failed with a very long (almost one page) list of error messages. Most of them are related to errors in Kerberos.

I think the "Second Login" is the one that is actually trying to log into the Laserfiche server.

However, I do not know why it failed after the successful "First Login".

 

3) Can anybody show me or tell me what values I should specify in serverName, repoName, userName, and password so that both logins can be successful?

 

Thanks

 

 

 


Replies

replied on October 25, 2018

The call to LoginContext.login() will send credentials to your KDC to obtain a TGT. The TGT is then used to obtain a ticket for Laserfiche. The KDC is an Active Directory domain controller (in supported configurations) and obtaining a TGT is more or less equivalent to "logging in to the domain".

Kerberos doesn't work when using an IP address for the server name; only fully-qualified domain names (FQDN) are supported when logging in to LFS using Kerberos. Your user name should be your Windows user name without any domain prefix or suffix. For example, if your SAM account name is EXAMPLE\cheng.chien then you should pass in "cheng.chien" for the user name. The password is simply the password for the Windows domain user account.

If you continue to have problems please attach the Kerberos debug output, or if there's sensitive information you can open a support case with Laserfiche and upload the debug output.

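The sequence described in this reply, as an added example that is neither the poster's code nor Laserfiche's: a JAAS login that obtains the TGT, followed by an inspection of the resulting Subject so you can see that the only ticket it holds is krbtgt/REALM@REALM (that is, you have logged in to the domain, not to Laserfiche), plus a preflight that rejects an IP literal or a short host name for the LFS server before JRA is called. The class name, the "Client" entry, the host name, the user name, the password and the file paths are placeholders; the JRA logIn call is left as a comment because this example only covers the JAAS half.

```java
import java.io.IOException;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not from the thread): obtain a TGT through JAAS, then look inside
 * the Subject to see what the "first login" actually produced before handing it to JRA.
 * All host, realm, user and path values below are placeholders.
 */
public class KerberosPreflight {

    // Minimal CallbackHandler for Krb5LoginModule: answers the name and password prompts.
    static final class NamePasswordHandler implements CallbackHandler {
        private final String user;
        private final char[] password;

        NamePasswordHandler(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);        // SAM account name only: no DOMAIN\ prefix, no @realm suffix
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Runs the JAAS login for the named jaas.conf entry and returns the Subject holding the TGT. */
    static Subject obtainTgt(String jaasEntry, String user, char[] password) throws LoginException {
        LoginContext lc = new LoginContext(jaasEntry, new NamePasswordHandler(user, password));
        lc.login();   // Krb5LoginModule asks the KDC listed in krb5.ini for a TGT; nothing Laserfiche-specific happens here
        return lc.getSubject();
    }

    /** Lists the Kerberos tickets in the Subject; right after login() this should be one krbtgt/REALM@REALM ticket. */
    static void describeTickets(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        if (tickets.isEmpty()) {
            System.out.println("no Kerberos ticket in Subject: login() did not yield a TGT");
            return;
        }
        for (KerberosTicket t : tickets) {
            KerberosPrincipal server = t.getServer();
            System.out.printf("client=%s server=%s realm=%s expires=%s%n",
                    t.getClient().getName(), server.getName(), server.getRealm(), t.getEndTime());
        }
        for (KerberosPrincipal p : subject.getPrincipals(KerberosPrincipal.class)) {
            System.out.println("principal: " + p.getName());
        }
    }

    /** Rejects the two server-name forms this reply warns about, before any network call is made. */
    static void checkServerName(String serverName) {
        if (serverName.matches("\\d{1,3}(\\.\\d{1,3}){3}")) {
            throw new IllegalArgumentException("use the LFS host's FQDN, not an IP address: " + serverName);
        }
        if (!serverName.contains(".")) {
            throw new IllegalArgumentException("use a fully-qualified name, not a short host name: " + serverName);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and values; replace with your own krb5.ini, jaas.conf, LFS FQDN and domain user.
        System.setProperty("java.security.krb5.conf", "C:/Windows/krb5.ini");
        System.setProperty("java.security.auth.login.config", "D:/LaserBeam/JRA-Security/jaas.conf");
        System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
        System.setProperty("sun.security.krb5.debug", "true");

        String serverName = "lfserver.example.com";    // placeholder FQDN of the Laserfiche Server
        String userName = "cheng.chien";                // placeholder, in the form the reply asks for
        char[] password = "password".toCharArray();     // placeholder

        checkServerName(serverName);
        Subject subject = obtainTgt("Client", userName, password);
        describeTickets(subject);
        // Only now hand the Subject to JRA:
        // new Session().logIn(new RepositoryRegistration(serverName, repoName), subject);
    }
}
```

If describeTickets prints a server of krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM, the first login did exactly what this reply says: it got a TGT from the domain's KDC. The ticket for the Laserfiche host is only requested during the JRA logIn, which is why that is the step that fails when the LFS name or the realm configuration is wrong.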
replied on December 5, 2018

Michael:

 

Thank you for your reply.

Apparently, I successfully logged into the domain (the domain of my PC).

When I tried to use the FQDN of the Laserfiche server instead of its IP address, I got an UnknownHostException. I found that my PC and the Laserfiche server are in different domains. The error message is "Connect to HTTP server failed.".

What can I do about something like this?

 

Thanks

 

 

replied on December 5, 2018

Michael:

 

I just attached the debugging error text file.

The sensitive info I have replaced with some text between square brackets.

[KDC NAME] = Key Distribution Center name

[KERBEROS REALM] = default Kerberos realm

[LASERFICHE SERVER FQDN] = Laserfiche Server fully qualified domain name

 

Thank you for your help.

 

John Chien

replied on December 6, 2018

The error message in the file says JRA can't find the host name of the LFS host, and doesn't seem related to Kerberos.

replied on December 7, 2018

Michael:

 

I double-checked the Laserfiche server name and found that our company gave me the wrong server name.

I am very sorry for this mistake.

I just had it corrected. I believe I got the correct debugging error messages now.

My PC and the Laserfiche server are in different domains.

The LoginContext login is with my PC's domain, which is the first login.

But the second login to the Laserfiche server failed.

I just attached the new debugging error file.

Please let me know where the error is.

 

Thanks

replied on December 7, 2018

Check that the realm name is capitalized and that you have specified the FQDN for the KDC and the LF server. Also, if you have a CNAME (DNS name alias) for the LF server, do not use it and instead use the canonical DNS host name.

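A krb5.ini that follows this reply, as an added example (not the poster's file and not a Laserfiche-supplied one): the rejected settings are left in as comments beside the corrected ones. Realm and host names are placeholders, and the file assumes one realm that covers both the KDC and the Laserfiche Server host; the two-domain situation the poster describes is not resolved on this page.

```ini
# Added example of a krb5.ini, not the poster's file. Realm and host names are placeholders
# and everything is assumed to live in one realm that the workstation can reach.
[libdefaults]
    # Realm names are case-sensitive and written in upper case.
    # default_realm = corp.example.com      <- lower case: not the same realm as the one below
    default_realm = CORP.EXAMPLE.COM

[realms]
    CORP.EXAMPLE.COM = {
        # kdc = 10.0.0.5                    <- IP address: rejected, give the KDC's FQDN
        kdc = dc01.corp.example.com
        admin_server = dc01.corp.example.com
    }

[domain_realm]
    # Map the Laserfiche Server host to its realm by its canonical DNS name, not a CNAME alias;
    # the service principal is derived from the name you pass, so an alias yields a name the
    # server has no key for.
    lfserver.corp.example.com = CORP.EXAMPLE.COM
    .corp.example.com = CORP.EXAMPLE.COM
```

The same FQDN (lfserver.corp.example.com here) is what goes into RepositoryRegistration as the server name, and the jaas.conf entry that LoginContext("Client") refers to is assumed to use com.sun.security.auth.module.Krb5LoginModule.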
replied on December 12, 2018

Michael:

 

Thank you for the response. I tried the suggestions you mentioned here by capitalizing the realm name and using the FQDN for the KDC and LF server. However, I still got the same Kerberos error messages as in the previous debugging file.

Following are the things I did in the program:

1) My PC & LF server are in different domains

2) The krb.conf is configured with my PC's KDC and realm, not the LF server's

3) The Windows user login/password (on my PC) is different from the ones on the LF server

4) The user login/password I used is none of the above. It is the domain's login and password.

5) I configured jaas.conf instead of using jgss.conf, because I do not use the Windows user login

 

I am wondering if any of the above affects the Kerberos security check.

Is there anything I should do to make the LF server connection work?

 

Thanks
