When connecting to the servlet, an error page is displayed indicating an Internal Server Error.
This error is due to either a configuration problem on the server, a misconfiguration of the client browser, or some other internal failure such as an incorrect response returned from a key distribution center. Depending on your application server, a more detailed message may be displayed in the error page, or you may need to look at the application server log files for the root cause. The following causes are noted below.
Could not get service ticket for <principal>@<REALM>
This error will be shown in the application server's logs as:
CryptoException: Integrity Check Fail
It is indicative of a keytab that has been created with an incorrect password.
To resolve the problem, you should regenerate the keytab using the correct password.
Error 500: Filter [authFilter]: com.wedgetail.idm.sso.AuthFilter was found, but is missing another required class.
Java 2 Security has been enabled without a suitable policy file.
Either disable Java 2 Security or contact us for help building a suitable security policy file.
[Servlet Error]-[Filter [authFilter]: could not be initialized]: com.dstc.security.kerberos.KerberosException: key type mismatch
This problem only occurs on Microsoft Windows 2003 when a service request is sent with an encryption type (ENC type) that differs from that of the service ticket returned. It is only a problem with Memory keytabs.
One solution is to change the Active Directory user account for the service so that the Use DES Only option is checked. Alternatively, you could use a file keytab.
I created a new service principal, but then I received an “Integrity check failure” message.
Sometimes Active Directory doesn't set the keys properly for a newly created service principal until you log in to that account once.
Log in as that user, log out and then restart your application server software.
Single Sign-on for Java returns the following HTTP error response codes:
401 (UNAUTHORIZED) -- request is not authorized
403 (FORBIDDEN) -- access to requested resource is forbidden
500 (INTERNAL SERVER ERROR) -- internal server error
Error responses from Single Sign-on for Java will typically return no content, and display on the client browser as an empty page.
If you want to display different content for such errors, or to take some other action based on such errors, add an <error-page> element to web.xml. For example:
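The mapping below is an added illustration, not taken from the original documentation. It covers the three response codes listed above. The /errors/*.jsp locations are placeholder paths for pages you would create in your own web application.

```xml
<!-- Added example: place these elements inside the existing <web-app>
     element of web.xml. With the Servlet 2.3 DTD the element order is
     fixed, so <error-page> must follow <welcome-file-list> (if present)
     and precede <taglib>. From Servlet 2.4 onwards the order is free. -->

<!-- 401: request is not authorized. A useful place to point users at the
     browser configuration checks (Intranet Zone, Windows Integrated
     Authentication). Placeholder location. -->
<error-page>
    <error-code>401</error-code>
    <location>/errors/unauthorized.jsp</location>
</error-page>

<!-- 403: access to the requested resource is forbidden.
     Placeholder location. -->
<error-page>
    <error-code>403</error-code>
    <location>/errors/forbidden.jsp</location>
</error-page>

<!-- 500: internal server error. Keep this page generic and leave the
     exception text (keytab, principal and realm details) in the
     application server log rather than echoing it to the browser.
     Placeholder location. -->
<error-page>
    <error-code>500</error-code>
    <location>/errors/server-error.jsp</location>
</error-page>
```

Each location must begin with "/" and is resolved relative to the web application's context root.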
When using Internet Explorer, you are presented with a username and password dialog box rather than being automatically logged in.
This occurs when Internet Explorer does not recognize the hostname as being part of the Intranet Zone, or when Internet Explorer has not been configured to use Windows Integrated Authentication.
For SPNEGO, check that your Internet Explorer version is 5.5 or greater.
Follow the steps in to ensure that Internet Explorer has been correctly configured to support SPNEGO.
The following error is encountered when authenticating against the server: [ERROR]: Provider protocol error: com.wedgetail.idm.spnego.server.SpnegoException: java.lang.SecurityException: Unsupported keysize or algorithm parameters
This problem is encountered when using a version of Internet Explorer that does not have the “High Encryption Pack” installed.
There are two work-arounds:
Internet Explorer displays DNS error page
If the user account is disabled at any time, Kerberos can’t renew credentials for the user.
Internet Explorer displays a blank page
Windows Integrated Authentication is not enabled.
You are going through a proxy that does not support session-based authentication.
Disable the proxy in your browser.