I have configured Kerberos and it works good. When i launch Genie in the Webbrowser i become a Kerberos ticket, but then i get the sign on Screen.
How can i bypass the sign on Screen in the Genie Session?
Kerberos Single Sign on
-
- New User
- Posts: 6
- Joined: Thu Apr 19, 2012 9:14 am
- First Name: Matthias
- Last Name: Breder
- Company Name: Ecclesia Versicherungsdienst
- Country: Germany
- Contact:
- Brian
- Profound Logic Staff Member
- Posts: 286
- Joined: Thu Apr 14, 2011 10:23 am
- First Name: Brian
- Last Name: May
- Company Name: Profound Logic Software
- Contact:
Re: Kerberos Single Sign on
did you modify your httpd.conf file and restart Profound UI as instructed here?
http://www.profoundlogic.com/docs/display/PUI/Kerberos
http://www.profoundlogic.com/docs/display/PUI/Kerberos
-
- New User
- Posts: 6
- Joined: Thu Apr 19, 2012 9:14 am
- First Name: Matthias
- Last Name: Breder
- Company Name: Ecclesia Versicherungsdienst
- Country: Germany
- Contact:
Re: Kerberos Single Sign on
Yes, i modified the httpd.conf based on the manual.
I become i kerberos ticket when i access the URL, i can this with the 'klist' command.
But then i become the sign on screen, it shows like the sign on screen on the 5250 emulation.
I don't have any idea what i can do now.
Maybe i have to edit the userprofile on the system i?
I become i kerberos ticket when i access the URL, i can this with the 'klist' command.
But then i become the sign on screen, it shows like the sign on screen on the 5250 emulation.
I don't have any idea what i can do now.
Maybe i have to edit the userprofile on the system i?
- David
- Profound Logic Staff Member
- Posts: 690
- Joined: Fri Jan 04, 2008 12:11 pm
- First Name: David
- Last Name: Russo
- Company Name: Profound Logic Software
- Contact:
Re: Kerberos Single Sign on
The default "httpd.conf" directives allow for a dual-purpose setup. It will use Kerberos only when a certain URL pattern is used. Otherwise, the 5250 sign on display will be used.
To launch using Kerberos authentication through the HTTP server:
http://yourserver:8080/profoundui/auth/genie
To make all URLs use Kerberos authentication, you'd have to put the example directives inside a Directory block which applies to all URLs.
Another thing to look at is your web browser. Which one are you using? The only current browser which will do Kerberos without any configuration is Chrome. In Internet Explorer, you have to turn on the option:
Internet Options->Advanced->Security->Enable Integrated Windows Authentication.
For FireFox, see here:
http://grolmsnet.de/kerbtut/firefox.html
To launch using Kerberos authentication through the HTTP server:
http://yourserver:8080/profoundui/auth/genie
To make all URLs use Kerberos authentication, you'd have to put the example directives inside a Directory block which applies to all URLs.
Another thing to look at is your web browser. Which one are you using? The only current browser which will do Kerberos without any configuration is Chrome. In Internet Explorer, you have to turn on the option:
Internet Options->Advanced->Security->Enable Integrated Windows Authentication.
For FireFox, see here:
http://grolmsnet.de/kerbtut/firefox.html
-
- New User
- Posts: 6
- Joined: Thu Apr 19, 2012 9:14 am
- First Name: Matthias
- Last Name: Breder
- Company Name: Ecclesia Versicherungsdienst
- Country: Germany
- Contact:
Re: Kerberos Single Sign on
My default Browser is Chrome.
I attached a Screenshot of the Chrome window and the httpd.conf file from the HTTP Server.
Which block i have to edit?
I attached a Screenshot of the Chrome window and the httpd.conf file from the HTTP Server.
Which block i have to edit?
- Attachments
-
- httpd.conf.txt
- httpd.conf
- (5.14 KiB) Downloaded 279 times
-
- Screenshot
- screenshot2.jpg (55.11 KiB) Viewed 3624 times
- David
- Profound Logic Staff Member
- Posts: 690
- Joined: Fri Jan 04, 2008 12:11 pm
- First Name: David
- Last Name: Russo
- Company Name: Profound Logic Software
- Contact:
Re: Kerberos Single Sign on
The configuration looks fine -- you'd only have to make changes if you want to use a different URL, other than /profoundui/auth/genie.
We can look at that separately after we get it working for you, if you like.
A couple of things to consider:
1. I think the basic Kerberos setup is good, because you would not even get the Genie page at all (you'd get an authentication error) if this was not working properly. When you use the /profoundui/auth/genie URL, Kerberos authentication is required to even view the page. So that much is good, I think.
2. Check the system value QRMTSIGN. This must be set to *VERIFY to bypass the 5250 sign on display.
3. Have you configured Enterprise Identity Mapping? This is required in order for the system to map the Windows sign on to an iSeries profile.
We can look at that separately after we get it working for you, if you like.
A couple of things to consider:
1. I think the basic Kerberos setup is good, because you would not even get the Genie page at all (you'd get an authentication error) if this was not working properly. When you use the /profoundui/auth/genie URL, Kerberos authentication is required to even view the page. So that much is good, I think.
2. Check the system value QRMTSIGN. This must be set to *VERIFY to bypass the 5250 sign on display.
3. Have you configured Enterprise Identity Mapping? This is required in order for the system to map the Windows sign on to an iSeries profile.
-
- New User
- Posts: 6
- Joined: Thu Apr 19, 2012 9:14 am
- First Name: Matthias
- Last Name: Breder
- Company Name: Ecclesia Versicherungsdienst
- Country: Germany
- Contact:
Re: Kerberos Single Sign on
The system value QRMTSIGN is set to *VERIFY and Enterprise Identity Mapping is also configured.
The Kerberos authentication works with the sytem i access for windows 5250 emulation very good and when i access the /profoundui/auth/genie URL the Client get a Kerberos Ticket from the system i.
So Kerberos with the HTTP Server works.
The Kerberos authentication works with the sytem i access for windows 5250 emulation very good and when i access the /profoundui/auth/genie URL the Client get a Kerberos Ticket from the system i.
So Kerberos with the HTTP Server works.
- David
- Profound Logic Staff Member
- Posts: 690
- Joined: Fri Jan 04, 2008 12:11 pm
- First Name: David
- Last Name: Russo
- Company Name: Profound Logic Software
- Contact:
Re: Kerberos Single Sign on
In that case, it seems that you have everything configured correctly. If you look at the PROFOUNDUI HTTP server jobs, you can find the job that handles your Genie session by looking for a message like this:
'Handling 5250 session for device QPADEVXXX'
When the automated sign on fails, are there any messages in the job log?
The way it works is like this:
1. Once you are authenticated to the HTTP server using Kerberos (which looks to be working properly in your case), the system creates a profile token in the job. This due to the 'ProfileToken' directive in the "httpd.conf".
2. Genie simply looks for this token, and if present, passes it along to the system APIs which establish the 5250 session.
3. If the system API accepts the token, the sign on display is bypassed automatically.
4. If it rejects the token for some reason, a message gets put into the job log, but the job doesn't fail, you just come to the sign on display.
Are there any useful messages in the log?
'Handling 5250 session for device QPADEVXXX'
When the automated sign on fails, are there any messages in the job log?
The way it works is like this:
1. Once you are authenticated to the HTTP server using Kerberos (which looks to be working properly in your case), the system creates a profile token in the job. This due to the 'ProfileToken' directive in the "httpd.conf".
2. Genie simply looks for this token, and if present, passes it along to the system APIs which establish the 5250 session.
3. If the system API accepts the token, the sign on display is bypassed automatically.
4. If it rejects the token for some reason, a message gets put into the job log, but the job doesn't fail, you just come to the sign on display.
Are there any useful messages in the log?
-
- New User
- Posts: 6
- Joined: Thu Apr 19, 2012 9:14 am
- First Name: Matthias
- Last Name: Breder
- Company Name: Ecclesia Versicherungsdienst
- Country: Germany
- Contact:
Re: Kerberos Single Sign on
I attached the JobLog of the HttpServer Job.
I can't see any error message.
I can't see any error message.
- Attachments
-
- JobLog http server job
- JobLog.JPG (63.27 KiB) Viewed 3565 times
-
- Error JobLog www\profound...\logs\errorlog
- joblog2t.JPG (36.9 KiB) Viewed 3565 times
- David
- Profound Logic Staff Member
- Posts: 690
- Joined: Fri Jan 04, 2008 12:11 pm
- First Name: David
- Last Name: Russo
- Company Name: Profound Logic Software
- Contact:
Re: Kerberos Single Sign on
In that case, it seems you have everything set up properly -- I'm not sure what else to check.
I'd recommend opening an issue with technical support so that we can look at this with you further -- possibly over a web meeting.
I'd recommend opening an issue with technical support so that we can look at this with you further -- possibly over a web meeting.
Who is online
Users browsing this forum: No registered users and 1 guest