FME Server SSO failed login due to insufficient credentials

To clarify, do all users fail to log into FME Flow using their Windows credentials, even when manually typing them in? Or is it just SSO that fails to log in?

For reference, we have troubleshooting guides for both Single Sign-on and Active Directory. I'd recommend running through their initial troubleshooting steps.

There is also a good discussion/solution in the comments on this similar community question about SSO login failures: https://community.safe.com/s/question/0D54Q000080hLWXSA2/fme-server-single-signon-refuses-logins-while-active-directory-login-works-fine

In summary, please make double-check the tomcat properties file has the correct configurations to allow FME Flow to be accessible from the browser. Let us know how it goes.

Hi ​@kirken,

I imagine you resolved this, can you share how you got around it? I just went from 2023.2.2 to 2024.2.5 and am getting the exact same message including YIIJygYGKwYBBQUCoIIJvjCCCbqgMDAu which I was surprised by because I had assumed that was a token generated for my windows account. I am able to import users and roles without issue, just the authentication fails. I’ve tried pouring over the community and support information, but like I said, I imagine you might have resolved it and I’d be super interested in how.

Ken

Edit: I resolved my issue by filling in the Realm field from what I can tell. I noticed it wasn’t filled in so I dropped the configuration because it looked like the field was locked and re-configured and my SSO started working and I *think* that was the only thing I amended. I say that because again, I was filling everything in from scratch again and it is possible that I corrected something else that I didn’t even realize in the process.

Hi ​@kketola 

Safe does not allow weaker RC4 Encryption by default since version 2023.x - FME thinks that this is weak Encryption. You have to copy it yourself:
FME_SERVER_HOME\FMEServer\Utilities\jre\conf\security\krb5.conf-ORIG

The server documentation says that this encryption (which was recognized as weak a long time ago) must be disabled on the AD side. However, if this is not possible on domain servers (e.g. due to the use of legacy systems), then it can be enabled on the FME server side by adding a new configuration file.
To do this, create a new file in the folder: <FMEFlowDir>\Utilities\jre\conf\security\krb5.conf with the following content:

[libdefaults]
allow_weak_crypto = true

Updating the Windows Domain Configuration

Afterward, restart the FME application server Windows service. If SSO does not work after this, then restart the FME server.