Client not found in Kerberos database

Article ID: KB0079445
Products / Versions

TIBCO BPM Enterprise (formerly TIBCO ActiveMatrix BPM) 4.0.0, 4.1.0, 4.2.0

Description

After following the steps per the documentation "Configuring ActiveMatrix BPM to Use Kerberos" the user gets a login prompt upon accessing Openspace/Workspace.

BPMNode.log contains the following error:

09 Jan 2019 10:33:11,363 [httpConnector_33 - /bpm/AuthenticationService] [ERROR] [amx.bpm.app] com.tibco.amx.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule - Error while performing SPNEGO authentication. SPNEGO Authentication failed.
com.tibco.governance.pa.action.security.SecurityException: Failed to authenticate username and password.
    at com.tibco.governance.pa.action.authentication.celm.AuthenticationByCelmConnection.authenticatePublicCredentials(AuthenticationByCelmConnection.java:147)
    at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule.authenticatePublicCredentials(AuthenticationByKerberosModule.java:206)
    at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule.authenticateByKerberos(AuthenticationByKerberosModule.java:82)
    at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByCelmModule.authenticateByCelm(AuthenticationByCelmModule.java:172)
    at com.tibco.governance.pa.action.authentication.trinity.TrinityAuthenticationByCelm.authenticateByAsp(TrinityAuthenticationByCelm.java:51)
    at com.tibco.governance.pa.action.authentication.trinity.TrinityAuthenticationByJaas.authenticate(TrinityAuthenticationByJaas.java:96)
    at com.tibco.governance.pa.action.authentication.AuthenticationByJaasAction.performAction(AuthenticationByJaasAction.java:166)
    at com.tibco.governance.pa.action.authentication.AuthenticationAbstractAction.execute(AuthenticationAbstractAction.java:49)
    at com.tibco.governance.agent.action.api.AbstractActionManager.executeAction(AbstractActionManager.java:162)
....
Caused by: KrbException: Client not found in Kerberos database (6)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
    at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
    at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
    ... 76 more
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
    at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
    at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
    ... 79 more


The above error indicates that when BPM tries to validate the ticket with the KDC, the KDC answers "Client not found in Kerberos database". Per Microsoft's "Kerberos and LDAP Troubleshooting Tips", a potential cause is that the account for the requested user name does not exist in Active Directory or is incorrect in Active Directory.

Issue/Introduction

After configuring Kerberos, Openspace/Workspace presents the login screen. The BPM node logs contain the exception: KrbException: Client not found in Kerberos database (6)

Environment

ALL

Resolution

Check the SPN to make sure it is correct and ensure there are no duplicates. Ask the KDC administrator to run this command on the KDC:

dsquery user -upn <SPN>

Here <SPN> is the service principal name mapped to the BPM service account, of the form HTTP/amxbpm.xyz.com@XYZ.COM.

The output will look like this:

C:\Users\Administrator>dsquery user -upn HTTP/amxbpm.xyz.com@XYZ.COM
"CN=XYZ,CN=Users,DC=tibco,DC=com"

1. If the above output lists 2 user accounts, multiple users are linked to the same SPN; most likely setspn and ktpass were run with the same SPN for 2 users. The solution is to regenerate the keytab file and follow the documented steps to configure it in Administrator.

2. If dsquery returns no output, the UPN "HTTP/amxbpm.xyz.com@XYZ.COM" is not set for any user. The solution is the same: regenerate the keytab file and follow the documented steps to configure it in Administrator.

Other ways to find duplicate SPNs using setspn (the first lists the SPNs registered on the mapped account, the second scans the domain for duplicates):

setspn -L <mapped user>

setspn -X


3. Once the keytab file is regenerated and reconfigured, run the following command on the client machine (the one from which you access Openspace/Workspace) to purge the old tickets:

> klist purge

4. Retry logging into Openspace/Workspace after clearing the browser cache.
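As an added example (not part of this article or of TIBCO's documentation), the following Python helper applies the checks above to captured output: it pulls the Kerberos error codes out of BPMNode.log lines, classifies the result of `dsquery user -upn <SPN>` into the three cases described (no account, exactly one account, duplicate accounts), and parses `setspn -X` output into SPN-to-account groups. All sample output is constructed; the `setspn -X` layout is assumed from the tool's usual format, not copied from a live domain.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log excerpt in the format of the BPMNode.log lines above.
SAMPLE_LOG = """Caused by: KrbException: Client not found in Kerberos database (6)
    at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
Caused by: KrbException: Identifier doesn't match expected value (906)
    at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
"""

# Constructed dsquery outputs: one DN per matching account, quoted.
DSQUERY_OK = '"CN=XYZ,CN=Users,DC=tibco,DC=com"\n'
DSQUERY_EMPTY = ""
DSQUERY_DUPLICATE = ('"CN=XYZ,CN=Users,DC=tibco,DC=com"\n'
                     '"CN=svc-bpm,CN=Users,DC=tibco,DC=com"\n')

# Constructed 'setspn -X' output (assumed layout: SPN header line followed by
# indented account DNs, groups separated by blank lines).
SETSPN_X = """Checking domain DC=tibco,DC=com
Processing entry 0
HTTP/amxbpm.xyz.com is registered on these accounts:
        CN=XYZ,CN=Users,DC=tibco,DC=com
        CN=svc-bpm,CN=Users,DC=tibco,DC=com

found 1 group of duplicate SPNs.
"""

KRB_ERR_RE = re.compile(r"KrbException: (?P<msg>.+?) \((?P<code>\d+)\)")
SETSPN_HEADER_RE = re.compile(r"^(\S+) is registered on these accounts:")


def krb_error_codes(log_text: str) -> List[Tuple[int, str]]:
    """Return (code, message) pairs from 'KrbException: <msg> (<code>)' lines."""
    return [(int(m.group("code")), m.group("msg")) for m in KRB_ERR_RE.finditer(log_text)]


def accounts_from_dsquery(output: str) -> List[str]:
    """dsquery prints one quoted DN per account whose UPN matched."""
    return [line.strip().strip('"') for line in output.splitlines() if line.strip()]


def classify_upn_lookup(output: str) -> str:
    """Map dsquery output onto the three cases in the resolution steps."""
    count = len(accounts_from_dsquery(output))
    if count == 0:
        return "missing"      # UPN not set on any user: regenerate the keytab
    if count == 1:
        return "ok"           # single mapping: look elsewhere for the cause
    return "duplicate"        # several users share the SPN: regenerate the keytab


def duplicate_spns_from_setspn_x(output: str) -> Dict[str, List[str]]:
    """Parse 'setspn -X' output into {spn: [account DNs]} for each duplicate group."""
    groups: Dict[str, List[str]] = {}
    current = None
    for line in output.splitlines():
        header = SETSPN_HEADER_RE.match(line)
        if header:
            current = header.group(1)
            groups[current] = []
        elif not line.strip():
            current = None                      # blank line ends the group
        elif current is not None and line[0] in " \t":
            groups[current].append(line.strip())  # indented DN inside a group
    return groups


if __name__ == "__main__":
    print("Kerberos errors:", krb_error_codes(SAMPLE_LOG))
    for name, out in (("ok", DSQUERY_OK), ("empty", DSQUERY_EMPTY), ("dup", DSQUERY_DUPLICATE)):
        print(f"dsquery[{name}] -> {classify_upn_lookup(out)}")
    print("setspn -X duplicates:", duplicate_spns_from_setspn_x(SETSPN_X))
```

Feed the real command output into `classify_upn_lookup` and `duplicate_spns_from_setspn_x`; an SPN that appears in the `setspn -X` groups, or a dsquery result other than `ok`, points at the keytab regeneration in steps 1 and 2 rather than at the BPM configuration.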

Additional Information

"Configuring ActiveMatrix BPM to Use Kerberos"
https://docs.tibco.com/pub/amx-bpm/4.2.0/doc/html/bpmhelp/GUID-1AAFD611-25E2-4935-8A7B-4BCC16BA1E2F.html

"Using ActiveMatrix Administrator"
https://docs.tibco.com/pub/amx-bpm/4.2.0/doc/html/bpmhelp/GUID-6A6CE4D1-68EF-4ACE-B116-E3688DAA091D.html

Appendix D: Kerberos and LDAP Troubleshooting Tips
https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10)