Solved

FME Server Single Sign-On refuses logins while Active Directory login works fine

6 years ago
13 November 2017
26 replies
130 views

+8

helmoet
195 replies

Hi, It must be stunningly simple however we miss the clue, but we're trying to get FME Server to accept Single Sign-On logins. We connected to Active Directory, that seems to work nice since we can use a user and password from the domain and log in, that's a success.

Mon-13-Nov-2017 04:20:33.924 PM  INFORM  RequestHandler-Thread  401831 : Accepted new client connection from /127.0.0.1 on port 7,071

Mon-13-Nov-2017 04:20:33.926 PM  INFORM  RequestHandler-Thread  401933 : Successful login by user XX99999

However, when we press the Use Windows Credentials the login is denied and fmeserver.log shows this error message:

Mon-13-Nov-2017 04:23:22.734 PM  INFORM  RequestHandler-Thread  401831 : Accepted new client connection from /127.0.0.1 on port 7,071

Mon-13-Nov-2017 04:23:22.770 PM  INFORM  RequestHandler-Thread  408043 : (Single Sign-On)  Enabled single sign-on authentication.

Mon-13-Nov-2017 04:23:22.770 PM  INFORM  RequestHandler-Thread  408049 : (Single Sign-On)  Using pre-authenticated credentials (for a service account) to create server credentials...

Mon-13-Nov-2017 04:23:22.802 PM  INFORM  RequestHandler-Thread  408050 : (Single Sign-On)  Created server credentials.

Mon-13-Nov-2017 04:23:22.803 PM  INFORM  RequestHandler-Thread  408056 : (Single Sign-On)  Encountered negotiation requiring multiple steps; authentication still in progress...

Mon-13-Nov-2017 04:23:22.803 PM  ERROR  RequestHandler-Thread  Single sign-on authentication in progress

Mon-13-Nov-2017 04:23:22.807 PM  WARN  RequestHandler-Thread  401934 : Failed login by user YH0GBisGAQUFAqBzMHGgMDAuBgorBgEE... due to insufficient credentials.

Anybody any suggestions? What stuck me is that the user name seems to be encrypted, while if using the explicit credentials they are not.

icon

Best answer by justincornell 4 January 2019, 22:36

View original

Show first post Hide first post

26 replies

1
2

Page 2 / 2

J

+1

justincornell
30 replies
5 years ago
4 January 2019
Best Answer

Greetings @helmoet @RylanAtSafe. We figured it out!! I worked with @RichardAtSafe via a support ticket and it turned out the SPN's were to blame. So the moral of the story is while the SIGNGLE_SIGN_ON_URL can be the CNAME in tomcat properties file and the url in the browser to FME Server can be a CNAME, there MUST be a SPN registration for the HOST name of the computer. Below are the commands we ran to get it to work with the CNAME as the url. The CNAME entries are needed to allow the server to be accessed via the friendly name in the browser and the host names are needed to allow SSO for FME Server. The bold commands below were what fixed the issue.

CNAME SPN registrations

setspn -S http/testfme svcMyServiceAccount
setspn -S http/testfme.mydomain.com svcMyServiceAccount

HOST (machine name) SPN registrations

setspn -S http/MyMachineName svcMyServiceAccount 
setspn -S http/MyMachineName.mydomain.com svcMyServiceAccount

Essentially what I think is happening is that when a Kerberos ticket is attempted to be generated it's using the machine name (HOST) despite the URL that is being specified in the SINGLE_SING_ON_URL. It's likely a server side process generating the Keberos ticket which would mean the machine name needs to be registered with a SPN.

Hope this helps someone else figure this out.

1
2

Page 2 / 2

FME Server Single Sign-On refuses logins while Active Directory login works fine

26 replies

Reply

Community Stats

Reply

Community Stats

Sign up

An FME Account is required to contribute

Login to the community

An FME Account is required to contribute

Scanning file for viruses.

This file cannot be downloaded