Page 1 of 1
Atrium Kerberos authentication w/ multiple instances
Posted: Thu Dec 03, 2015 2:34 pm
by SeanTyree
We are currently testing Kerberos authentication on our DEV machine that has 2 instances of Profound setup. One of the instances is setup w/ normal auth & the other is setup w/ Kerberos. Everything is working except the Atrium login. I believe this is due to the fact that both instances have the same setting for PUI_AUTH_REALM = "Profound UI". However, it looks like this directive is left out of the section that was un-commented for Kerberos. Can this setting be changed when using Kerberos?
Thanks,
Sean
Re: Atrium Kerberos authentication w/ multiple instances
Posted: Fri Dec 04, 2015 11:06 am
by Scott Klement
I'm not sure I understand what problem you're having...
The PUI_AUTH_REALM setting is not usually in a particular section of the config file, it's defined globally... so it is always un-commented (by default, anyway!)
Code: Select all
SetEnv PUI_AUTH_REALM "Profound UI"
It's my understanding (and I'm no expert here) that this is used with Atrium's sign-on feature when you use the /profoundui/atrium URL. The idea is to make that sign-on screen use the same auth realm that's used when accessing the /profoundui/atrium/menu URL so that once you've signed on to the Atrium sign-on screen, you don't have to sign on again.
However, if you are using Kerberos, you should not be using the /profoundui/atrium sign-on. You should be going straight to /profoundui/atrium/menu so that you can bypass the need for any signon at all. So PUI_AUTH_REALM would not come into play at all in that case..
Does that help?
Re: Atrium Kerberos authentication w/ multiple instances
Posted: Fri Dec 04, 2015 1:52 pm
by SeanTyree
Hi Scott,
Here's our situation. We created a second instance of Profound in order to test SSO. When navigating to /profoundui/welcome or /profoundui/designer# (or any other non-Atrium link on the same port), I am automatically signed in as expected. However, when I naviagate to /profoundui/atrium/menu, I get a 401 Authorization required. Navigating to /profoundui/atrium brings up the Atrium sign-on as expected.
Any ideas why Atrium isn't recognizing the Kerberos authentication?
Thanks,
Sean
Re: Atrium Kerberos authentication w/ multiple instances
Posted: Fri Dec 04, 2015 2:07 pm
by Scott Klement
Hi Sean,
Sorry, I do not know why that would be. You may be able to find some answers by looking in the /www/INSTANCE-NAME/logs/error_log.XXXXX files.
Atrium programs should name PUI0003xxx (between 3000-3999) so you might see log entries that refer to those names, possibly with a helpful error message that explains why.
Please keep in mind that Kerberos is not a feature of Profound UI itself, but rather is a feature of the IBM HTTP Server (powered by Apache). We will try to help you as much as we can, but if this is really a malfunction in Kerberos, you'll end up talking to IBM.
-SK