Skip to main content

Unable to use Windows/IWA to login to FME Server Web Interface. Have followed all the steps, ensured the SPN is correct, ensured the service account is set correctly, done all the browser checks, and confirmed the Tomcat properties are right.

Going to the URL <server name>/fmetoken/sso/generate throws a 403-Forbidden with a description "The Server Understood the request but refuses to authorize it".

Going to the URL <server name>/fmetoken allows me to generate a token by using userid only. Adding the domain to the front of the username causes the token generation to fail.

So it appears that it's something tied to the domain and how the users credentials are being passed but that leaves me unsure of how/where I missed a configuration that strips the domain during passing of the credentials in order to get a good token returned.

Here is the message that appears when attempting to login:

Here is the message from the sso generation

Found this after making the post but still need to do more work to dig in and resolve it.

 

 

Mon-06-Nov-2017 10:28:05.385 AM INFORM RequestHandler-Thread 408060 : (Active Directory) Successfully connected to <AD Server>

 

Mon-06-Nov-2017 10:28:05.389 AM INFORM RequestHandler-Thread 408049 : (Single Sign-On) Using pre-authenticated credentials (for a service account) to create server credentials...

 

Mon-06-Nov-2017 10:28:05.545 AM INFORM RequestHandler-Thread 408050 : (Single Sign-On) Created server credentials.

 

Mon-06-Nov-2017 10:28:05.555 AM INFORM RequestHandler-Thread 408053 : (Single Sign-On) Negotiation reported an error: "Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)".

 

Mon-06-Nov-2017 10:28:05.555 AM WARN RequestHandler-Thread 408058 : (Single Sign-On) Failed authentication because of an negotiation error. Refer to single sign-on documentation for resolution.

 

Mon-06-Nov-2017 10:28:05.558 AM ERROR RequestHandler-Thread Single sign-on authentication failed

 

Mon-06-Nov-2017 10:28:05.575 AM WARN RequestHandler-Thread 401934 : Failed login by user YIIJrgYGKwYBBQUCoIIJojCCCZ6gMDAu... due to insufficient credentials.

 

 


Hi @scottfierro

 

 

Has the user that you're trying to sign in as been imported into FME Server as a user? You may need to sign in as an admin to set/check this.

 

Can the user sign in if they type their credentials?

With Active Directory now user credentials are case sensitive, so that would need to be honoured (I'm not sure how it's passed through single sign on, or if a different error message would appear).

 

 

We also have this page which has some causes and resolutions to the 'Negotiation reported an error'.

Hi @scottfierro, From your log file it looks like you may need to install the Java Cryptography Extensions.

https://knowledge.safe.com/articles/395/enabling-aes256-in-the-java-runtime-environment-fo.html


Hi @scottfierro

 

 

Has the user that you're trying to sign in as been imported into FME Server as a user? You may need to sign in as an admin to set/check this.

 

Can the user sign in if they type their credentials?

With Active Directory now user credentials are case sensitive, so that would need to be honoured (I'm not sure how it's passed through single sign on, or if a different error message would appear).

 

 

We also have this page which has some causes and resolutions to the 'Negotiation reported an error'.
I'm the admin and yes I have imported both my regular AD account and my admin Z accounts into FME server and confirmed the AD Group I imported into FME server is configured as a role with all the admin level permissions for that role. I cross confirmed it by looking at each AD account's user details and can see all the admin permissions properly marked there.

 

 

Yes, I can sign in with the FME admin account I built at install. Even if I remove the single sign-on configuration I can't get either AD account to login via the Web Interface page. I can generate tokens for both AD accounts and the FME Server admin account by going to the token rest API but only if I supply a userid that has no domain at the front of it.

 

 

I hadn't done this test but it appears the AD login does actually work but only with the stripped domain. Will show those details in separate reply but thanks your post just made me think to try this.

 

 


It appears as though the AD syncing is at least working. Whether I enable or disable the SSO option I can properly login to the server with both of my AD accounts that have been added but I can't have the domain precede the name.

So that makes it a question of what or where in the SSO process is it pulling the full domain/userid or where is it failing to strip the domain?


Hi @scottfierro, From your log file it looks like you may need to install the Java Cryptography Extensions.

https://knowledge.safe.com/articles/395/enabling-aes256-in-the-java-runtime-environment-fo.html

Thanks I will check this out and hopefully it's the missing key.

 

 


@scottfierro did you ever find a resolution to this issue? I have the same problem with FME Server 2018.1.1.1 - Build 18578. My AD sync works but the SSO settings do not appear to work. I did learn the SSO username can't have the domain prefix on the SSO username. It has to just be the username (case sensitive).

 


@scottfierro, I ran into a similar issue and was able to resolve it with a correction of my SPN registrations. Like you I installed the crypto jar files and it didn't work. Nevertheless, I posted the fix in this link https://knowledge.safe.com/answers/84861/view.html

 

Hope it helps!


@scottfierro, I ran into a similar issue and was able to resolve it with a correction of my SPN registrations. Like you I installed the crypto jar files and it didn't work. Nevertheless, I posted the fix in this link https://knowledge.safe.com/answers/84861/view.html

 

Hope it helps!

@justincornell I am having exactly same issue with FME Server 2021 on our Prod environment ( There is no issue on our test environment). Your link https://knowledge.safe.com/answers/84861/view.html stop working. Could I know how you fixed it? Thanks.


Hello @terryj​ 

I believe this is the community page you are looking for https://community.safe.com/s/question/0D74Q000007oCFVSA2/detail

Please see the top answer for @justincornell​ 's resolution


Problem got resolved. Need to register http/MyETLServer to the service account even your web application is using https

For example-  (without domain name, case sensitive)

setspn -S http/MyETLServer fmeserveradmin


Thanks for information


A 403 error is an HTTP status code that indicates a "Forbidden" server response. When you encounter a 403 error in the context of an SSO (Single Sign-On) configuration, it usually means that the server is denying access to the requested resource due to insufficient authentication or authorization. The user attempting to access the resource did not provide valid credentials or failed to properly authenticate with the SSO system. This can occur if the user's credentials are incorrect or if there are problems with the authentication process. Even if a user is authenticated, they may not have the necessary permissions or roles to access a particular resource. Personally, I've heard from https://deeplab.com/darkweb/the-nato-commences-its-most-extensive-cybersecurity-drill-locked-shields-2023 that over time they will be very difficult to hack.


Reply