Products | Versions |
---|---|
TIBCO BPM Enterprise (formerly TIBCO ActiveMatrix BPM) | 4.0.0, 4.1.0, 4.2.0 |
After following the steps in the documentation topic "Configuring ActiveMatrix BPM to Use Kerberos", the user gets a login prompt upon accessing Openspace/Workspace.
BPMNode.log contains the following error:
09 Jan 2019 10:33:11,363 [httpConnector_33 - /bpm/AuthenticationService] [ERROR] [amx.bpm.app] com.tibco.amx.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule - Error while performing SPNEGO authentication. SPNEGO Authentication failed.
com.tibco.governance.pa.action.security.SecurityException: Failed to authenticate username and password.
at com.tibco.governance.pa.action.authentication.celm.AuthenticationByCelmConnection.authenticatePublicCredentials(AuthenticationByCelmConnection.java:147)
at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule.authenticatePublicCredentials(AuthenticationByKerberosModule.java:206)
at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule.authenticateByKerberos(AuthenticationByKerberosModule.java:82)
at com.tibco.governance.pa.action.authentication.trinity.AuthenticationByCelmModule.authenticateByCelm(AuthenticationByCelmModule.java:172)
at com.tibco.governance.pa.action.authentication.trinity.TrinityAuthenticationByCelm.authenticateByAsp(TrinityAuthenticationByCelm.java:51)
at com.tibco.governance.pa.action.authentication.trinity.TrinityAuthenticationByJaas.authenticate(TrinityAuthenticationByJaas.java:96)
at com.tibco.governance.pa.action.authentication.AuthenticationByJaasAction.performAction(AuthenticationByJaasAction.java:166)
at com.tibco.governance.pa.action.authentication.AuthenticationAbstractAction.execute(AuthenticationAbstractAction.java:49)
at com.tibco.governance.agent.action.api.AbstractActionManager.executeAction(AbstractActionManager.java:162)
....
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
... 76 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 79 more
The above error indicates that when BPM tries to authenticate the ticket with the KDC, it receives the error "Client not found in Kerberos database". Per Microsoft's "Kerberos and LDAP Troubleshooting Tips", the potential cause is that the account for the user name being requested doesn't exist in Active Directory or is incorrect in Active Directory.
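A triage sketch for the log excerpt above, added here as an example and not part of the TIBCO article or product: it groups a BPMNode.log stream by entry, keeps only the SPNEGO failures, and pulls out the KrbException chain with its numeric codes. The function name, the `HINTS` table (which holds only the cause stated above) and the shortened sample are assumptions made for the example.

```python
import re

# Start of a log entry in the format shown above: "<date> <time> [thread] [LEVEL] ..."
ENTRY = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) \[(.*?)\] \[(\w+)\]")
# A nested cause of the form "Caused by: KrbException: <text> (<code>)"
KRB = re.compile(r"^Caused by: KrbException: (.+) \((\d+)\)\s*$")

# Only the cause this article documents; other codes are reported without a hint.
HINTS = {6: "account for the requested user name does not exist or is incorrect in Active Directory"}

def spnego_failures(lines):
    """Return one dict per SPNEGO failure entry, with its KrbException chain."""
    results, current = [], None
    for raw in lines:
        line = raw.strip()  # stack frames are usually indented in the real file
        entry = ENTRY.match(line)
        if entry:
            # A new log entry starts: track it only if it is a SPNEGO failure.
            current = None
            if "SPNEGO Authentication failed" in line:
                current = {"time": entry.group(1), "thread": entry.group(2), "krb": []}
                results.append(current)
            continue
        cause = KRB.match(line)
        if cause and current is not None:
            code = int(cause.group(2))
            current["krb"].append((code, cause.group(1), HINTS.get(code)))
    return results

# Sample shortened from the excerpt above (most stack frames removed).
SAMPLE = """\
09 Jan 2019 10:33:11,363 [httpConnector_33 - /bpm/AuthenticationService] [ERROR] [amx.bpm.app] com.tibco.amx.governance.pa.action.authentication.trinity.AuthenticationByKerberosModule - Error while performing SPNEGO authentication. SPNEGO Authentication failed.
com.tibco.governance.pa.action.security.SecurityException: Failed to authenticate username and password.
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
"""

if __name__ == "__main__":
    for failure in spnego_failures(SAMPLE.splitlines()):
        for code, text, hint in failure["krb"]:
            print(failure["time"], code, text, "->", hint or "no hint in this article")
```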