Client not found in Kerberos database
Article ID: KB0079445
Updated On:
| Products | Versions |
|---|---|
| TIBCO BPM Enterprise (formerly TIBCO ActiveMatrix BPM) | 4.0.0, 4.1.0, 4.2.0 |
Description
After following the steps per the documentation "Configuring ActiveMatrix BPM to Use Kerberos" the user gets a login prompt upon accessing Openspace/Workspace.
BPMNode.log contains the following error:
09 Jan 2019 10:33:11,363 [httpConnector_33 - /bpm/AuthenticationService] [ERROR] [amx.bpm.app] com.tibco.amx.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule - Error while performing SPNEGO authentication. SPNEGO Authentication failed.
com.tibco.governance.pa.action.security.SecurityException: Failed to authenticate username and password.
at com.tibco.governance.pa.action.authentication.celm.AuthenticationByCelmConnection.authenticatePublicCredentials(AuthenticationByCelmConnection.java:147)
at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule.authenticatePublicCredentials(AuthenticationByKerberosModule.java:206)
at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule.authenticateByKerberos(AuthenticationByKerberosModule.java:82)
at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByCelmModule.authenticateByCelm(AuthenticationByCelmModule.java:172)
at com.tibco.governance.pa.action.authentication.trinity.TrinityAuthenticationByCelm.authenticateByAsp(TrinityAuthenticationByCelm.java:51)
at com.tibco.governance.pa.action.authentication.trinity.TrinityAuthenticationByJaas.authenticate(TrinityAuthenticationByJaas.java:96)
at com.tibco.governance.pa.action.authentication.AuthenticationByJaasAction.performAction(AuthenticationByJaasAction.java:166)
at com.tibco.governance.pa.action.authentication.AuthenticationAbstractAction.execute(AuthenticationAbstractAction.java:49)
at com.tibco.governance.agent.action.api.AbstractActionManager.executeAction(AbstractActionManager.java:162)
....
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
... 76 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 79 more
The above error indicates that when BPM is trying to authenticate the ticket with the KDC, it gets the error "Client not found in Kerberos database". Per Microsoft "Kerberos and LDAP Troubleshooting Tips" potential cause: The account for the user name being requested doesn't exist in Active Directory or is incorrect in Active Directory.
BPMNode.log contains the following error:
09 Jan 2019 10:33:11,363 [httpConnector_33 - /bpm/AuthenticationService] [ERROR] [amx.bpm.app] com.tibco.amx.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule - Error while performing SPNEGO authentication. SPNEGO Authentication failed.
com.tibco.governance.pa.action.security.SecurityException: Failed to authenticate username and password.
at com.tibco.governance.pa.action.authentication.celm.AuthenticationByCelmConnection.authenticatePublicCredentials(AuthenticationByCelmConnection.java:147)
at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule.authenticatePublicCredentials(AuthenticationByKerberosModule.java:206)
at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule.authenticateByKerberos(AuthenticationByKerberosModule.java:82)
at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByCelmModule.authenticateByCelm(AuthenticationByCelmModule.java:172)
at com.tibco.governance.pa.action.authentication.trinity.TrinityAuthenticationByCelm.authenticateByAsp(TrinityAuthenticationByCelm.java:51)
at com.tibco.governance.pa.action.authentication.trinity.TrinityAuthenticationByJaas.authenticate(TrinityAuthenticationByJaas.java:96)
at com.tibco.governance.pa.action.authentication.AuthenticationByJaasAction.performAction(AuthenticationByJaasAction.java:166)
at com.tibco.governance.pa.action.authentication.AuthenticationAbstractAction.execute(AuthenticationAbstractAction.java:49)
at com.tibco.governance.agent.action.api.AbstractActionManager.executeAction(AbstractActionManager.java:162)
....
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
... 76 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 79 more
The above error indicates that when BPM is trying to authenticate the ticket with the KDC, it gets the error "Client not found in Kerberos database". Per Microsoft "Kerberos and LDAP Troubleshooting Tips" potential cause: The account for the user name being requested doesn't exist in Active Directory or is incorrect in Active Directory.
Issue/Introduction
After configuring Kerberos, Openspace/Workspace presents the login screen. The exception in BPM node logs : KrbException: Client not found in Kerberos database (6)
Environment
ALL
Resolution
Check the SPN to make sure it is correct and ensure there are no duplicates. Ask the KDC administrator to run this command on KDC :
dsquery user -upn <SPN>
<SPN> is like HTTP/amxbpm.xyz.com@XYZ.COM.
The output will be like :
C:\Users\Administrator>dsquery user -upn HTTP/amxbpm.xyz.com@XYZ.COM
"CN=XYZ,CN=Users,DC=tibco,DC=com"
1. If the above output indicates 2 user accounts then it is a case of multiple users linked to the same SPN. Probably setspn and ktpass commands were run with the same SPNs for 2 users. The solution would be to regenerate the keytab file and follow the documented steps to configure it in Administrator.
2. If dsquery doesn't give any output means the "HTTP/amxbpm.xyz.com@XYZ.COM" UPN is not set for any user. The solution would be to regenerate the keytab file and follow the documented steps to configure it in Administrator.
Some other ways to find duplicates using setspn :
setspn -L <mapped user>
setspn -X
3. Once the keytab file is regenerated and reconfigured make sure to run the following command on the client machine(from where you are running openspace/workspace) to purge the old tickets :
> klist purge
4. Retry logging into Openspace/Workspace after clearing the browser cache.
dsquery user -upn <SPN>
<SPN> is like HTTP/amxbpm.xyz.com@XYZ.COM.
The output will be like :
C:\Users\Administrator>dsquery user -upn HTTP/amxbpm.xyz.com@XYZ.COM
"CN=XYZ,CN=Users,DC=tibco,DC=com"
1. If the above output indicates 2 user accounts then it is a case of multiple users linked to the same SPN. Probably setspn and ktpass commands were run with the same SPNs for 2 users. The solution would be to regenerate the keytab file and follow the documented steps to configure it in Administrator.
2. If dsquery doesn't give any output means the "HTTP/amxbpm.xyz.com@XYZ.COM" UPN is not set for any user. The solution would be to regenerate the keytab file and follow the documented steps to configure it in Administrator.
Some other ways to find duplicates using setspn :
setspn -L <mapped user>
setspn -X
3. Once the keytab file is regenerated and reconfigured make sure to run the following command on the client machine(from where you are running openspace/workspace) to purge the old tickets :
> klist purge
4. Retry logging into Openspace/Workspace after clearing the browser cache.
Additional Information
"Configuring ActiveMatrix BPM to Use Kerberos"
https://docs.tibco.com/pub/amx-bpm/4.2.0/doc/html/bpmhelp/GUID-1AAFD611-25E2-4935-8A7B-4BCC16BA1E2F.html
"Using ActiveMatrix Administrator"
https://docs.tibco.com/pub/amx-bpm/4.2.0/doc/html/bpmhelp/GUID-6A6CE4D1-68EF-4ACE-B116-E3688DAA091D.html
Appendix D: Kerberos and LDAP Troubleshooting Tips
https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10)
https://docs.tibco.com/pub/amx-bpm/4.2.0/doc/html/bpmhelp/GUID-1AAFD611-25E2-4935-8A7B-4BCC16BA1E2F.html
"Using ActiveMatrix Administrator"
https://docs.tibco.com/pub/amx-bpm/4.2.0/doc/html/bpmhelp/GUID-6A6CE4D1-68EF-4ACE-B116-E3688DAA091D.html
Appendix D: Kerberos and LDAP Troubleshooting Tips
https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10)
Feedback
Yes
No
Powered by
