Question

With Upgrade to Flow 2023.0.0.3 , Single-Sign-On now fails


dewrightco
Contributor

I upgraded my Development machine Thursday; the install ran smoothly and the import of the backup ran smoothly. I checked settings and all appear to match up with Staging and Production, but I am unable to get Single-Sign-On to function again.

 

Negotiation reported an error: "Failure unspecified at GSS-API level (Mechanism level: Encryption type RC4 with HMAC is not supported/enabled)".

 

All three of my systems use the same Service-Account, Staging and Prod have no issue, and Dev worked fine until the upgrade.

 

 

12 replies

nampreetatsafe
Safer

Hi @David Wright​: we noticed that you also created a support case which my colleague @mattmatsafe​ responded to. Just sharing his response here as well:

FME 2023 uses more secure encryption than previous versions. Our SSO documentation is being updated to reflect this change and the steps below. 

If you have access to the Windows Domain server you can configure the encryption types:

  1. Search for and open Local Security Policy on the menu search bar
  2. Navigate to Local Policies > Security Options
  3. Scroll down and find Network security: Configure encryption types allowed for Kerberos
  4. Enable AES128 and AES256 as shown in the screenshot
  5. Disable RC4_HMAC_MD5

Very sorry for the confusion and inconvenience this has caused you.


dewrightco
Contributor
  • Author
  • Contributor
  • June 29, 2023
nampreetatsafe wrote:

Hi @David Wright​: we noticed that you also created a support case which my colleague @mattmatsafe​ responded to. Just sharing his response here as well:

FME 2023 uses more secure encryption than previous versions. Our SSO documentation is being updated to reflect this change and the steps below. 

If you have access to the Windows Domain server you can configure the encryption types:

  1. Search for and open Local Security Policy on the menu search bar
  2. Navigate to Local Policies > Security Options
  3. Scroll down and find Network security: Configure encryption types allowed for Kerberos
  4. Enable AES128 and AES256 as shown in the screenshot
  5. Disable RC4_HMAC_MD5

Very sorry for the confusion and inconvenience this has caused you.

Thank you; yes we did try making the needed fixes and changes and had to update the support case.


_fabian_
Contributor
  • Contributor
  • September 11, 2023
nampreetatsafe wrote:

Hi @David Wright​: we noticed that you also created a support case which my colleague @mattmatsafe​ responded to. Just sharing his response here as well:

FME 2023 uses more secure encryption than previous versions. Our SSO documentation is being updated to reflect this change and the steps below. 

If you have access to the Windows Domain server you can configure the encryption types:

  1. Search for and open Local Security Policy on the menu search bar
  2. Navigate to Local Policies > Security Options
  3. Scroll down and find Network security: Configure encryption types allowed for Kerberos
  4. Enable AES128 and AES256 as shown in the screenshot
  5. Disable RC4_HMAC_MD5

Very sorry for the confusion and inconvenience this has caused you.

I have the exact same problem but this solution didn't work.

Where should this GPO be set? On the FME Server itself or on the Domain Controller?

I set those options as a local GPO on the FME Server and rebooted, but the issue persists.


_fabian_
Contributor
  • Contributor
  • September 20, 2023
_fabian_ wrote:

I have the exact same problem but this solution didn't work.

Where should this GPO be set? On the FME Server itself or on the Domain Controller?

I set those options as a local GPO on the FME Server and rebooted, but the issue persists.

The Docs have been updated, the GPO must be set on the Kerberos Server (DC):

https://docs.safe.com/fme/html/FME-Flow/WebUI/Create-Directory-Server-Connection.htm


dewrightco
Contributor
  • Author
  • Contributor
  • September 26, 2023
_fabian_ wrote:

I have the exact same problem but this solution didn't work.

Where should this GPO be set? On the FME Server itself or on the Domain Controller?

I set those options as a local GPO on the FME Server and rebooted, but the issue persists.

That isn't always realistic; we tried doing it at the GPO level for each machine, and it would not always take if you had a higher/superseding GPO required at a higher level.

 

We ended up needing to define a krb5.conf file and setting...

[libdefaults]
allow_weak_crypto = true


_fabian_
Contributor
  • Contributor
  • September 27, 2023
_fabian_ wrote:

I have the exact same problem but this solution didn't work.

Where should this GPO be set? On the FME Server itself or on the Domain Controller?

I set those options as a local GPO on the FME Server and rebooted, but the issue persists.

Where did you create the krb5.conf file?


dewrightco
Contributor
  • Author
  • Contributor
  • September 27, 2023
_fabian_ wrote:

I have the exact same problem but this solution didn't work.

Where should this GPO be set? On the FME Server itself or on the Domain Controller?

I set those options as a local GPO on the FME Server and rebooted, but the issue persists.

C:\Program Files\FMEFlow\Utilities\jre\conf\security , putting the file here so when the JVM instances activate they read in the krb5.conf file and allow for the use of the lesser settings.


_fabian_
Contributor
  • Contributor
  • September 28, 2023
_fabian_ wrote:

I have the exact same problem but this solution didn't work.

Where should this GPO be set? On the FME Server itself or on the Domain Controller?

I set those options as a local GPO on the FME Server and rebooted, but the issue persists.

Thanks, this worked. I had tried several of the other "security" folders but not this one 😅


erikxiv
  • October 20, 2023

I have the same problem after upgrading from FME Server 2022.2.4 to FME Flow 2023.1.1.

@David Wright​ So what did you put in the krb5.conf file? 😊

 

Rgds,

/Erik


dewrightco
Contributor
  • Author
  • Contributor
  • October 20, 2023
erikxiv wrote:

I have the same problem after upgrading from FME Server 2022.2.4 to FME Flow 2023.1.1.

@David Wright​ So what did you put in the krb5.conf file? 😊

 

Rgds,

/Erik

Sure, really simple...

[libdefaults]
allow_weak_crypto = true

These two lines are all that was needed.


_fabian_
Contributor
  • Contributor
  • December 12, 2023

The best solution, if your FME Flow Server runs with an AD service user, is to tick the box "This account supports Kerberos AES 256 bit encryption" in the Active Directory user properties and not use the krb5.conf workaround.


mattias
Contributor
  • Contributor
  • January 23, 2024
_fabian_ wrote:

The best solution, if your FME Flow Server runs with an AD service user, is to tick the box "This account supports Kerberos AES 256 bit encryption" in the Active Directory user properties and not use the krb5.conf workaround.

This worked for us too, with both AES128 and AES256 enabled on the AD service account that we use as the "Search Account" on the Authentication Service Connection.

 

Disabling RC4 network wide seems like it might risk breaking some legacy systems, so it's nice to keep using Flow's improved encryption without forcing the change before we've had time to test it properly :)
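As an added example (not code from the thread or from Safe Software) covering both fixes discussed above, the krb5.conf allow_weak_crypto workaround and enabling AES on the AD service account: it decodes a constructed msDS-SupportedEncryptionTypes value (the attribute behind the "supports Kerberos AES" checkboxes) and flags allow_weak_crypto in a krb5.conf, so the workaround can be located and removed once the account offers AES. The bitmask layout and krb5.conf syntax are assumed from public documentation; all inputs are constructed.

```python
# Added example, not code from the thread or from Safe Software. Audits the two
# settings the replies converge on: (1) the AD service account's Kerberos
# encryption types, (2) the allow_weak_crypto workaround in the JVM's krb5.conf.
# Bit values of the AD attribute msDS-SupportedEncryptionTypes (assumed from docs).
ENCTYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
AES_TYPES = {"AES128_CTS_HMAC_SHA1_96", "AES256_CTS_HMAC_SHA1_96"}

def decode_enctypes(value):
    """Return the encryption type names enabled in a msDS-SupportedEncryptionTypes value."""
    if value is None:
        return []  # attribute not set: the account advertises no explicit AES support
    return [name for bit, name in ENCTYPE_BITS.items() if value & bit]

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section] headers and key = value lines; braces skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line in ("{", "}") or line.endswith("{"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            sections[current][key.strip().lower()] = val.strip().lower()
    return sections

def weak_crypto_enabled(krb5_text):
    """True when [libdefaults] allow_weak_crypto re-enables RC4/DES for the JVM."""
    libdefaults = parse_krb5_conf(krb5_text).get("libdefaults", {})
    return libdefaults.get("allow_weak_crypto") in ("true", "yes", "1")

def diagnose(enctypes_value, krb5_text):
    """Map the two settings onto the situations seen in the thread."""
    has_aes = bool(AES_TYPES & set(decode_enctypes(enctypes_value)))
    weak = weak_crypto_enabled(krb5_text)
    if has_aes:
        return "cleanup: remove allow_weak_crypto, AES is enabled" if weak else "ok: AES enabled, no workaround needed"
    if weak:
        return "workaround: RC4 re-enabled in JVM, enable AES on the service account"
    return "broken: expect 'Encryption type RC4 with HMAC is not supported/enabled'"

# Constructed sample: the two-line krb5.conf from the thread.
SAMPLE_KRB5 = "[libdefaults]\nallow_weak_crypto = true\n"
```

Run diagnose() with the account's attribute value (for example from Get-ADUser with -Properties msDS-SupportedEncryptionTypes) and the contents of the jre\conf\security\krb5.conf to see which of the thread's four states the server is in.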

