Out of support: This documentation supports the 8.0 version of BMC Atrium Single Sign-On, which is in "End of Version Support." However, the documentation is available for your convenience.

Browser sending NTLM instead of Kerberos


The following entry in the debug log files indicates that the token received from the client is an NTLM (NT LAN Manager) token, not a Kerberos token as required. Verify that the BMC Atrium Single Sign-On server has been set up correctly as a service principal and that the client can successfully request a ticket for the service.


amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main]
Retrieved config params from cache.
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main]
WARNING: Authentication token is NTLM.
amAuthWindowsDesktopSSO:06/28/2011 06:46:14:877 PM CDT: Thread[http-8443-1,5,main]
SPNEGO token:
4e 54 4c 4d 53 53 50 00 01 00 00 00 07 82 08 a2
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
05 02 ce 0e 00 00 00 0f


When a browser sends an NTLM token instead of a Kerberos token, the failure could be caused by a problem obtaining a service ticket for the BMC Atrium Single Sign-On server. For example, if the case-sensitive lookup of the principal name fails, the browser sends an NTLM token.

The following trace from an exchange between an IE browser and the BMC Atrium Single Sign-On server shows a successful negotiation.


GET /atriumsso/UI/Login?gx_charset=UTF-8&realm=BmcRealm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Cookie: s_pers=%20s_lv%3D1270043963949%7C1364651963949%3B%20s_lv_s%3DFirst%2520Visit%7C1270045763949%3B%20s_nr%3D1270043963965%7C1272635963965%3B%20gpv_p8%3Dwebapps.bmc.com%253Aepd%253Afaces%253AproductDownloads.jsp%7C1270045763981%3B; s_vi=[CS]v1|25D9AA60851D2F18-60000104E00EF3FE[CE]; __utma=246752535.599385143.1270043842.1270043842.1270043842.1

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Pragma: no-cache
Cache-Control: no-cache
Expires: 0
Cache-Control: private
X-DSAMEVersion: Atrium SSO 7.6.04(2011-June-28 13:47)
AM_CLIENT_TYPE: genericHTML
Set-Cookie: AMAuthCookie=AQIC5wM2LY4SfcwV3%2FNDDybcVGsdeW%2B%2BRnGC93rfcaw%2FEf8%3D%40AAJTSQACMDIAAlNLAAkxOTE4MzI0NTIAAlMxAAIwMQ%3D%3D%23; Domain=.bmc.com; Path=/
Set-Cookie: amlbcookie=01; Domain=.bmc.com; Path=/
WWW-Authenticate: Negotiate
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Wed, 29 Jun 2011 00:09:46 GMT

GET /atriumsso/UI/Login?gx_charset=UTF-8&realm=BmcRealm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: ibmc-jbhbbk1.adprod.bmc.com:8443
Connection: Keep-Alive
Authorization: Negotiate YIIE7gYGKwYBBQUCoIIE4jCCBN6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKw
YBBAGCNwICCqKCBLQEggSwYIIErAYJKoZIhvcSAQICAQBuggSbMIIEl6ADAgEFoQMCAQ6iBwMFACAAAACjggO/
YYIDuzCCA7egAwIBBaEQGw5CU01EU0wuQk1DLkNPTaIuMCygAwIBAqElMCMbBEhUVFAbG2libWMtamJoYmJrMS5h
ZHByb2QuYm1jLmNvbaOCA2wwggNooAMCARehAwIBA6KCA1oEggNWF2cjeeJwxrbN85nRgZ6kQQ49s7I54ndjXLJD
jdc62pRQqDDYaMn6KUBR5zPfwuvNRlL4e3n0MXtNLbUMgMGWiDBZlLVLRJg6p3tydxJC9eEiWYFu ...
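The two tokens shown on this page can be told apart from their leading bytes: a raw NTLM message opens with the ASCII signature `NTLMSSP`, while a SPNEGO token opens with an ASN.1 tag (0x60) followed by the SPNEGO OID and a list of mechanism OIDs. The following added example (not part of the BMC documentation or product; the function names are illustrative) classifies a token given either as the hex dump from the debug log or as the possibly truncated value of an `Authorization: Negotiate` header. It matches known OIDs by byte search and is not a full ASN.1 parser.

```python
import base64
import re

NTLMSSP = b"NTLMSSP\x00"  # signature that opens every raw NTLM message
SPNEGO_OID = bytes.fromhex("06062b0601050502")  # 1.3.6.1.5.5.2
MECH_OIDS = {  # DER-encoded OIDs that can appear in the SPNEGO mechTypes list
    bytes.fromhex("06092a864886f712010202"): "Kerberos",  # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"): "Kerberos",  # 1.2.840.48018.1.2.2
    bytes.fromhex("060a2b06010401823702020a"): "NTLM",  # 1.3.6.1.4.1.311.2.2.10
}

# Sample inputs copied from this page: the hex dump in the debug log and the
# first line of the Authorization header in the successful trace.
LOG_HEX = (
    "4e 54 4c 4d 53 53 50 00 01 00 00 00 07 82 08 a2 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "05 02 ce 0e 00 00 00 0f"
)
TRACE_B64 = "Negotiate YIIE7gYGKwYBBQUCoIIE4jCCBN6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKw"


def decode_token(text):
    """Decode a log hex dump or a (possibly truncated) Negotiate header value."""
    text = re.sub(r"^(Authorization:\s*)?Negotiate\s+", "", text.strip(), flags=re.I)
    if re.fullmatch(r"(?:[0-9a-fA-F]{2}\s+)+[0-9a-fA-F]{2}", text):
        return bytes.fromhex("".join(text.split()))
    b64 = re.sub(r"[^A-Za-z0-9+/]", "", text)  # drop line wraps, padding, "..."
    b64 = b64[: len(b64) - len(b64) % 4]  # a cut-off capture may end mid-group
    return base64.b64decode(b64)


def classify(text):
    """Return 'NTLM', 'Kerberos' or 'unknown' for the mechanism the client sent."""
    tok = decode_token(text)
    if tok.startswith(NTLMSSP):
        return "NTLM"  # raw NTLM message, the case the debug log warns about
    if tok[:1] == b"\x60" and SPNEGO_OID in tok[:16]:
        # mechTypes is ordered by preference, so the earliest OID is the preferred one
        hits = [(tok.find(oid), name) for oid, name in MECH_OIDS.items() if oid in tok]
        if hits:
            return min(hits)[1]
    return "unknown"


if __name__ == "__main__":
    print("debug log token:", classify(LOG_HEX))
    print("trace token:    ", classify(TRACE_B64))
```

Only the leading bytes are needed, so the truncated header value from the trace is enough to identify the mechanism.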

 
