Kerberos Authentication ( Integrated Windows Authentication )

Hello Everyone,

I’m currently working on setting up Integrated Windows Authentication between our Active Directory and the ForgeRock Identity Platform (Access Management). I am following this article for setting up Kerberos (Knowledge - ForgeRock BackStage).

Here are the steps I’ve completed so far:

  1. Created a service account in Active Directory and granted the necessary permissions for Kerberos.
  2. Set up the Service Principal Name (SPN) for the service account.
  3. Generated the Keytab File.
  4. Configured the Krb5.ini file on my Windows environment.
  5. Established the authentication tree in ForgeRock Access Management.
  6. Configured the browser for Kerberos authentication.

I have attached the image for all the configuration below.

However, when testing the authentication flow through the authentication tree, the process gets stuck at a blank page. In the authentication logs, I’ve encountered the following error:

KerberosNode: 2024-02-01T19:08:38.513+05:30: Thread[https-jsse-nio-9090-exec-3]: TransactionId[2c5d6e96-b581-4192-91ae-6a9f2f9a51ee-4856] ERROR: Service subject is null

I’d appreciate any assistance or insights you may have on resolving this issue. Thank you!

[Attached configuration screenshots]

Hello @Schauhan,

Upon researching the message you are seeing in your logs: ERROR: Service subject is null, I’ve found a Knowledge Base article that may assist if Kerberos authentication fails when using the Kerberos authentication node. Please review.

https://backstage.forgerock.com/knowledge/kb/article/a62965844

According to this document, please look at these 4 causes and possible solutions (depending on the cause), and see if any of them are applicable.

  1. The password entered is incorrect.
  2. If you are using the keytab to get the key (for example, by setting the useKeyTab option to true in the Krb5LoginModule entry in the JAAS login configuration file), then the key might have changed since you updated the keytab.
  3. Clock skew - If the time on the KDC and on the client differ significantly (typically 5 minutes), this error can be returned.
  4. The Kerberos realm name is not all uppercase.

Solution

This issue can be resolved by applying the appropriate solution depending on the cause:

  1. Verify the password. A new keytab file needs to be created each time the password is changed/updated for the Service account.
  2. Consult your Kerberos documentation to generate a new keytab, and use that keytab file.
  3. Synchronize the clocks (or have a system administrator do so).
  4. Make the Kerberos realm name all uppercase. It is recommended to have all uppercase realm names. For example, @FORGEROCK.COM. See Naming Conventions for Realm Names and Hostnames.

I hope this information is helpful! If your issue still exists after going through the checks provided here, please let us know which version of AM is in use.

Warm Regards,
Ed

@Schauhan one other thing to look for that has tripped me up in the past - make sure that the kvno of the keytab file aligns with the kvno of your Kerberos principal in AD. The article that you linked has a PowerShell command you can use to check the version number in AD.
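The two checks from the replies above (a realm name that is not all uppercase, and a keytab whose kvno no longer matches the account's key version in AD) can be run against the keytab file itself before touching the AM configuration. The script below is an added example written for this thread; it is not ForgeRock code and not from the linked article. It parses the MIT keytab format (version 0x0502) that ktpass and ktutil produce, then flags a lowercase realm or a kvno that differs from the value you read from AD. The SPN `HTTP/am.example.com`, the realm `EXAMPLE.COM`, the key bytes and the kvno values are constructed sample data; in practice the `ad_kvno` argument would be the service account's `msDS-KeyVersionNumber` attribute (the PowerShell check the article describes) and the keytab bytes would be read from the generated file.

```python
"""Parse an MIT-format keytab (version 0x0502) and check realm case and kvno.
Sample keytabs are constructed in-process; they are not real credentials."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "HTTP/am.example.com"
    realm: str
    kvno: int
    enctype: int
    timestamp: int   # seconds since epoch, when the entry was written
    key: bytes


def _counted_octets(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a uint16 length-prefixed byte string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry of a v2 keytab; a negative entry size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # deleted slot: skip its payload
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:                # optional 32-bit kvno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps), realm.decode(), kvno, enctype, timestamp, key))
    return entries


def build_keytab(entries) -> bytes:
    """Serialize (principal, realm, kvno, enctype, key, timestamp) tuples; used only for sample input."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key, ts in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)      # name type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


def check_keytab(entries, expected_principal, expected_realm, ad_kvno) -> List[str]:
    """Return a list of problems; empty means the keytab looks usable for the SPN."""
    problems = []
    matching = [e for e in entries if e.principal == expected_principal]
    if not matching:
        problems.append(f"no entry for {expected_principal}")
    for e in matching:
        if e.realm != e.realm.upper():
            problems.append(f"realm {e.realm!r} is not uppercase")
        elif e.realm != expected_realm:
            problems.append(f"realm {e.realm!r} != expected {expected_realm!r}")
        if e.kvno != ad_kvno:
            problems.append(f"kvno {e.kvno} in keytab != msDS-KeyVersionNumber {ad_kvno} in AD "
                            "(password changed after the keytab was generated?)")
    return problems


# Constructed sample data: a correct keytab and a stale one with a lowercase realm and old kvno.
SPN = "HTTP/am.example.com"
GOOD_KEYTAB = build_keytab([(SPN, "EXAMPLE.COM", 3, 18, b"\x11" * 32, 1706788718)])
STALE_KEYTAB = build_keytab([(SPN, "example.com", 2, 18, b"\x22" * 32, 1700000000)])
# GOOD_KEYTAB with a 3-byte deleted slot in front of the live entry (exercises the skip path).
DELETED_SLOT_KEYTAB = b"\x05\x02" + struct.pack(">i", -3) + b"\x00" * 3 + GOOD_KEYTAB[2:]

if __name__ == "__main__":
    for label, blob in (("good", GOOD_KEYTAB), ("stale", STALE_KEYTAB)):
        ents = parse_keytab(blob)
        for e in ents:
            print(label, e.principal, e.realm, "kvno", e.kvno, ENCTYPE_NAMES.get(e.enctype, e.enctype))
        print("  problems:", check_keytab(ents, SPN, "EXAMPLE.COM", ad_kvno=3) or "none")
```

For a real file, replace the constructed blobs with `open("/path/to/am.keytab", "rb").read()`; the same kvno and enctype are also visible with `klist -k -t -K` (Java) or `klist -kte` (MIT), which is a quick cross-check when the parser output looks surprising.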