We are currently testing Kerberos authentication on our DEV machine that has 2 instances of Profound setup. One of the instances is setup w/ normal auth & the other is setup w/ Kerberos. Everything is working except the Atrium login. I believe this is due to the fact that both instances have the same setting for PUI_AUTH_REALM = "Profound UI". However, it looks like this directive is left out of the section that was un-commented for Kerberos. Can this setting be changed when using Kerberos?
Thanks,
Sean
Atrium Kerberos authentication w/ multiple instances
-
SeanTyree
- Profound User
- Posts: 76
- Joined: Fri Jan 11, 2013 6:11 pm
- First Name: Sean
- Last Name: Tyree
- Company Name: US HealthWorks
- State / Province: California
- Zip / Postal Code: 91355
- Country: United States
- Contact:
-
Scott Klement
- Experienced User
- Posts: 2711
- Joined: Wed Aug 01, 2012 8:58 am
- First Name: Scott
- Last Name: Klement
- Company Name: Profound Logic
- City: Milwaukee
- State / Province: Wisconsin
Re: Atrium Kerberos authentication w/ multiple instances
I'm not sure I understand what problem you're having...
The PUI_AUTH_REALM setting is not usually in a particular section of the config file, it's defined globally... so it is always un-commented (by default, anyway!)
It's my understanding (and I'm no expert here) that this is used with Atrium's sign-on feature when you use the /profoundui/atrium URL. The idea is to make that sign-on screen use the same auth realm that's used when accessing the /profoundui/atrium/menu URL so that once you've signed on to the Atrium sign-on screen, you don't have to sign on again.
However, if you are using Kerberos, you should not be using the /profoundui/atrium sign-on. You should be going straight to /profoundui/atrium/menu so that you can bypass the need for any signon at all. So PUI_AUTH_REALM would not come into play at all in that case..
Does that help?
The PUI_AUTH_REALM setting is not usually in a particular section of the config file, it's defined globally... so it is always un-commented (by default, anyway!)
Code: Select all
SetEnv PUI_AUTH_REALM "Profound UI"
However, if you are using Kerberos, you should not be using the /profoundui/atrium sign-on. You should be going straight to /profoundui/atrium/menu so that you can bypass the need for any signon at all. So PUI_AUTH_REALM would not come into play at all in that case..
Does that help?
-
SeanTyree
- Profound User
- Posts: 76
- Joined: Fri Jan 11, 2013 6:11 pm
- First Name: Sean
- Last Name: Tyree
- Company Name: US HealthWorks
- State / Province: California
- Zip / Postal Code: 91355
- Country: United States
- Contact:
Re: Atrium Kerberos authentication w/ multiple instances
Hi Scott,
Here's our situation. We created a second instance of Profound in order to test SSO. When navigating to /profoundui/welcome or /profoundui/designer# (or any other non-Atrium link on the same port), I am automatically signed in as expected. However, when I naviagate to /profoundui/atrium/menu, I get a 401 Authorization required. Navigating to /profoundui/atrium brings up the Atrium sign-on as expected.
Any ideas why Atrium isn't recognizing the Kerberos authentication?
Thanks,
Sean
Here's our situation. We created a second instance of Profound in order to test SSO. When navigating to /profoundui/welcome or /profoundui/designer# (or any other non-Atrium link on the same port), I am automatically signed in as expected. However, when I naviagate to /profoundui/atrium/menu, I get a 401 Authorization required. Navigating to /profoundui/atrium brings up the Atrium sign-on as expected.
Any ideas why Atrium isn't recognizing the Kerberos authentication?
Thanks,
Sean
-
Scott Klement
- Experienced User
- Posts: 2711
- Joined: Wed Aug 01, 2012 8:58 am
- First Name: Scott
- Last Name: Klement
- Company Name: Profound Logic
- City: Milwaukee
- State / Province: Wisconsin
Re: Atrium Kerberos authentication w/ multiple instances
Hi Sean,
Sorry, I do not know why that would be. You may be able to find some answers by looking in the /www/INSTANCE-NAME/logs/error_log.XXXXX files.
Atrium programs should name PUI0003xxx (between 3000-3999) so you might see log entries that refer to those names, possibly with a helpful error message that explains why.
Please keep in mind that Kerberos is not a feature of Profound UI itself, but rather is a feature of the IBM HTTP Server (powered by Apache). We will try to help you as much as we can, but if this is really a malfunction in Kerberos, you'll end up talking to IBM.
-SK
Sorry, I do not know why that would be. You may be able to find some answers by looking in the /www/INSTANCE-NAME/logs/error_log.XXXXX files.
Atrium programs should name PUI0003xxx (between 3000-3999) so you might see log entries that refer to those names, possibly with a helpful error message that explains why.
Please keep in mind that Kerberos is not a feature of Profound UI itself, but rather is a feature of the IBM HTTP Server (powered by Apache). We will try to help you as much as we can, but if this is really a malfunction in Kerberos, you'll end up talking to IBM.
-SK
Who is online
Users browsing this forum: No registered users and 4 guests