WebSphere 6.1 native SPNEGO TAI - Websphere

This is a discussion on WebSphere 6.1 native SPNEGO TAI - Websphere ; Hi, I have the following set up. Server: Windows 2003 SP1, WAS 6.1 FP 5, IIS 6 (IIS and WAS on same box) Client: IE 6.0 SP1 I have configured the native WAS 6.1 SPNEGO TAI with SPNs, keytab and ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: WebSphere 6.1 native SPNEGO TAI

  1. WebSphere 6.1 native SPNEGO TAI

    Hi,
    I have the following set up.

    Server:
    Windows 2003 SP1, WAS 6.1 FP 5, IIS 6 (IIS and WAS on same box)
    Client:
    IE 6.0 SP1

    I have configured the native WAS 6.1 SPNEGO TAI with SPNs, keytab and ini files. I set up IIS default app pool to run as my service account to which the SPN is registered. I can pull up the snoop page and see the user priniciple listed (com.ibm.ws.security.spnego.UserPrincipal
    ). SPNEGO authentication seems to be taking place as per the logs, however I am getting the following in the systemerr.log when I hit the snoop page -->

    [4/2/07 14:46:53:589 CDT] 0000001e SystemErr R org.ietf.jgss.GSSException, major code: 4, minor code: 0
    major string: Unsupported name type
    minor string: Unrecognized name type: 2
    [4/2/07 14:46:53:589 CDT] 0000001e SystemErr R at com.ibm.security.jgss.i18n.I18NException.throwGSSE xception(I18NException.java:24)
    [4/2/07 14:46:53:589 CDT] 0000001e SystemErr R at com.ibm.security.jgss.mech.krb5.z.a(z.java:85)
    [4/2/07 14:46:53:589 CDT] 0000001e SystemErr R at com.ibm.security.jgss.mech.krb5.z.getStringNameTyp e(z.java:201)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.security.jgss.GSSNameImpl.(GSSNameImpl.java:59)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.security.jgss.GSSManagerImpl.createName(GS SManagerImpl.java:44)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.security.jgss.GSSContextImpl.getTargName(G SSContextImpl.java:276)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.security.jgss.GSSContextImpl.toString(GSSC ontextImpl.java:135)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.security.spnego.Context.begin(Context.j ava:89)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.security.spnego.SpnegoHandler.handleReq uest(SpnegoHandler.java:199)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.security.spnego.TrustAssociationInterce ptorImpl.negotiateValidateandEstablishTrust(TrustA ssociationInterceptorImpl.java:68)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.security.web.TAIWrapper.negotiateAndVal idateEstablishedTrust(TAIWrapper.java:102)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.security.web.WebAuthenticator.handleTru stAssociation(WebAuthenticator.java:266)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.security.web.WebAuthenticator.authentic ate(WebAuthenticator.java:1356)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.security.web.WebCollaborator.authorize( WebCollaborator.java:628)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.security.web.EJSWebCollaborator.preInvo ke(EJSWebCollaborator.java:317)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.webcontainer.webapp.WebAppSecurityColla borator.preInvoke(WebAppSecurityCollaborator.java: 141)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.h andleRequest(ServletWrapper.java:433)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.webcontainer.webapp.WebApp.handleReques t(WebApp.java:3163)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequ est(WebGroup.java:254)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.webcontainer.WebContainer.handleRequest (WebContainer.java:811)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.wswebcontainer.WebContainer.handleReque st(WebContainer.java:1433)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.webcontainer.channel.WCChannelLink.read y(WCChannelLink.java:100)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.http.channel.inbound.impl.HttpInboundLi nk.handleDiscrimination(HttpInboundLink.java:465)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.http.channel.inbound.impl.HttpInboundLi nk.handleNewInformation(HttpInboundLink.java:394)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.http.channel.inbound.impl.HttpInboundLi nk.ready(HttpInboundLink.java:274)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.tcp.channel.impl.NewConnectionInitialRe adCallback.sendToDiscriminators(NewConnectionIniti alReadCallback.java:214)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.tcp.channel.impl.NewConnectionInitialRe adCallback.complete(NewConnectionInitialReadCallba ck.java:113)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.tcp.channel.impl.AioReadCompletionListe ner.futureCompleted(AioReadCompletionListener.java :152)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.io.async.AbstractAsyncFuture.invokeCallbac k(AbstractAsyncFuture.java:213)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.io.async.AbstractAsyncFuture.fireCompletio nActions(AbstractAsyncFuture.java:195)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.io.async.AsyncFuture.completed(AsyncFuture .java:136)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.io.async.ResultHandler.complete(ResultHand ler.java:195)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.io.async.ResultHandler.runEventProcessingL oop(ResultHandler.java:743)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.io.async.ResultHandler$2.run(ResultHandler .java:873)
    [4/2/07 14:46:53:605 CDT] 0000001e SystemErr R at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.j ava:1469)

    Any ideas on what this means? Is the SPNEGO SSO working or not? Last time I opened a support ticket they said as long as I could see the user principle listed that it was working. The actual application we will be running is not in-house yet to test with.

    Any help would be appreciated.

    Thanks!

  2. Re: WebSphere 6.1 native SPNEGO TAI

    shannon.d.hughes@exxonmobil.com wrote:
    > Hi, I have the following set up.
    >
    > Server: Windows 2003 SP1, WAS 6.1 FP 5, IIS 6 (IIS and WAS on same
    > box) Client: IE 6.0 SP1
    >
    > I have configured the native WAS 6.1 SPNEGO TAI with SPNs, keytab and
    > ini files. I set up IIS default app pool to run as my service
    > account to which the SPN is registered. I can pull up the snoop page
    > and see the user priniciple listed
    > (com.ibm.ws.security.spnego.UserPrincipal ). SPNEGO authentication
    > seems to be taking place as per the logs, however I am getting the
    > following in the systemerr.log when I hit the snoop page -->
    >



    > Any ideas on what this means? Is the SPNEGO SSO working or not?
    > Last time I opened a support ticket they said as long as I could see
    > the user principle listed that it was working.


    That's nonsense. If they try to close the PMR you should escalate it,
    ask to speak to the duty manager. If you're getting errors in the logs
    they should tell you why or admit that it's a bug.

+ Reply to Thread