Solved

FME Server IWA issue with explicit userPrincipalName

  • November 19, 2013

mschgraffer
Participant

Hello,

In our company there is a forest-wide UPN suffix company.it, and almost all user accounts have the explicit UPN set to firstname.lastname@company.it. This value is also set in the Active Directory userPrincipalName attribute.

Now we have configured the FME Server (FME Server version is FME Server 2013 SP4 - Build 13547 - win64) to perform IWA (SSO), so users authenticate through Kerberos.

Since we are given the Kerberos principal, i.e. the implicit UPN (sAMAccountName@company.it), which no longer matches the userPrincipalName (explicit UPN), the IWA fails, as can be seen in the fmeServer.log.


Thanks in advance for your help.

fmeServer.log:

Tue-19-Nov-2013 09:00:47 AM   INFORM   RequestHandler-Thread   408041 : (Login Module)     Authenticating single sign-on token "YIIH/gYGKwYBBQUCoIIH8jCCB+6gMDAu...".
Tue-19-Nov-2013 09:00:47 AM   INFORM   RequestHandler-Thread   408057 : (Single Sign-On)   Negotiation complete; authentication granted for user "MSchgraffer@SIAG.IT".
Tue-19-Nov-2013 09:00:47 AM   INFORM   RequestHandler-Thread   408023 : (Active Directory) Performing search on server with filter "(&(&(objectCategory=person)(objectClass=user))(userPrincipalName=MSchgraffer@SIAG.IT))"...
Tue-19-Nov-2013 09:00:47 AM   INFORM   RequestHandler-Thread   408024 : (Active Directory) Search retrieved 0 entries.
Tue-19-Nov-2013 09:00:47 AM   WARN     RequestHandler-Thread   408059 : (Single Sign-On)   Failed authentication because user "MSchgraffer@SIAG.IT" could not be found in Active Directory.
Tue-19-Nov-2013 09:00:47 AM   WARN     RequestHandler-Thread   401934 : Failed login by user YIIH/gYGKwYBBQUCoIIH8jCCB+6gMDAu... due to insufficient credentials.

davideagle
  • Contributor
  • Best Answer
  • November 19, 2013
I think that's definitely an issue to directly escalate to Safe Software support I'm afraid. Link at the top of the page.
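
The lookup mismatch shown in the log above, reproduced as an added example; this is not code from the original posts and not FME Server code. The directory entry is constructed sample data, and the function names and the fallback to sAMAccountName are assumptions made for illustration, not a documented FME Server setting.

```python
"""Added illustration of the principal-to-account lookup; not FME Server code."""

USER_CLASS = "(&(objectCategory=person)(objectClass=user))"

# Constructed sample entry: the explicit UPN differs from sAMAccountName@REALM.
DIRECTORY = [
    {"sAMAccountName": "MSchgraffer",
     "userPrincipalName": "firstname.lastname@company.it"},
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a principal cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(attr, value):
    """Build the same filter shape that appears in the fmeServer.log excerpt."""
    return "(&%s(%s=%s))" % (USER_CLASS, attr, escape_filter_value(value))

def search(directory, attr, value):
    """Stand-in for an LDAP equality search (AD matches these attributes case-insensitively)."""
    return [e for e in directory if e.get(attr, "").lower() == value.lower()]

def resolve(principal, directory):
    """Map a Kerberos principal 'name@REALM' to (entry, filter used), or (None, last filter)."""
    name, sep, realm = principal.rpartition("@")
    if not (sep and name and realm):
        raise ValueError("expected name@REALM")
    # 1) userPrincipalName match, as in the log: finds nothing when the
    #    explicit UPN is not sAMAccountName@REALM.
    # 2) Fallback on the account-name part. sAMAccountName is unique only
    #    within one domain, so a real lookup must scope its search base to the
    #    domain for this realm (assumption here: a single domain).
    for attr, value in (("userPrincipalName", principal), ("sAMAccountName", name)):
        hits = search(directory, attr, value)
        if len(hits) > 1:
            raise LookupError("ambiguous match; refusing to pick one")
        if hits:
            return hits[0], build_filter(attr, value)
    return None, build_filter("sAMAccountName", name)
```
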
