PeopleSoft Kerberos Authentication (Desktop Single Signon) – Troubleshooting

Overview

In my last three posts I covered the creation of the Domain Account, SPN and Keyfile, the required configuration on the web and application server and the PeopleCode and security changes. However, as a final bonus I thought I would cover some troubleshooting tips that I found helpful during my implementation.

Troubleshooting

Duplicate SPN

If the authentication is not working, open the PIA_weblogic.log and look for a message like KerberosSSOFilter: Received invalid token. This indicate that the token received from the client browser is incorrect or invalid. To further troubleshoot this issue, download and install Wireshark. Using Wireshark, capture the Kerberos traffic when trying to access the website with Kerberos authentication configured. The filter should be set to kerberos.

wireshark-1

In this case we get an error: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. Expand the captured package,  and review the KerberosString. It should match the A-record of the target server.

wireshark-2

If a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN is received and the KerberosString is correct, verify if there are duplicate SPNs by running setspn -X:

Delete any duplicate SPN:

setspn -D HTTP/srv-ihmt-dev.smartpeoplesoftadmin.com <service account>

After deleting the duplicate entry, Wireshark should show something like this:

wireshark-3
Failed to Switch User

If PeopleSoft logs in as the PS_GUEST user instead of the actual client user, check the APPSERVER log, which probably shows something like this:

PSAPPSRV.20528 (54) [2016-09-23T15:15:09.934 GetCertificate](3) Returning context. ID=PS_GUEST, Lang=ENG, UStreamId=1511111111_20528.54, 
Token=HCM/2016-09-23-09.15.09.000000/PS_GUEST/ENG/

You also do not see the following

SetAuthenticationResult(TRUE) called to change user ID from PS_GUEST to JOHNDOE

This indicate that the Application server did not switch user from PS_GUEST to the actual user. This is usually caused by incorrect configuration of the krbLogin.conf or krb5.keytab file. If the webserver and app server are on different machines, the krbLogin.conf and krb5.keytab must be the same on the app server as on the web server. This Kerberos ticket is issued by the web server and needs to be validated by the app server using the same configuration and keytab file.

Of course, there are many other possible issues. Please comment below or contact me at jens@smartpeoplesoftadmin.com

2 thoughts on “PeopleSoft Kerberos Authentication (Desktop Single Signon) – Troubleshooting

  1. I have implemted your solution and it does work, however when accessing the peoplesoft site we get a IE popup to enter login credentials for the webserver.

    How can this be disabled?

    1. You probably need to set your PeopleSoft site as a Trusted Site under Internet Options > Security.
      Then click Custom Level under Security level for this zone. Scroll to the bottom and click the box that says “Automatic logon with current user name and password”
      That should enable pass-through of your AD credentials.

Leave a Reply to Ron Hudson Cancel reply

Your email address will not be published. Required fields are marked *