Kerberos Implementation - wsadmin Command does not show the list of scheduled tasks

After implementing Kerberos, the wsadmin command "Scheduler.listAllTasks()" does not show any scheduled tasks. The output of the command:

wsadmin>Scheduler.listAllTasks()
Now-begin: Tue Jan 12 22:38:31 CET 2021

Task Name Status Next Fire Time Interval
Skipping Communities application. It is assumed that it's cluster is
not running, or it is not installed.

Skipping Activities application. It is assumed that it's cluster is
not running, or it is not installed.

Skipping Forums application. It is assumed that it's cluster is
not running, or it is not installed.

Skipping Profiles application. It is assumed that it's cluster is
not running, or it is not installed.

Skipping Files application. It is assumed that it's cluster is
not running, or it is not installed.

Skipping Wikis application. It is assumed that it's cluster is
not running, or it is not installed.

Skipping News application. It is assumed that it's cluster is
not running, or it is not installed.

Skipping Search application. It is assumed that it's cluster is
not running, or it is not installed.

Skipping Metrics application. It is assumed that it's cluster is
not running, or it is not installed.

Now-end: Tue Jan 12 22:38:31 CET 2021

All cluster servers are running.

When trying to run the command, I can see the following error in the deployment manager log:

[1/12/21 22:38:31:635 CET] 000000f3 Krb5WSSecurit E SECJ9314E: An unexpected exception occurred when trying to run initSecContext() method : GSSException: org.ietf.jgss.GSSException, major code: 11, minor code: 41
major string: General failure, unspecified at GSSAPI level
minor string: Kerberos error formatting credential for delegation: 41
at com.ibm.security.jgss.i18n.I18NException.throwGSSException(Unknown Source)
at com.ibm.security.jgss.mech.krb5.g.a(Unknown Source)
at com.ibm.security.jgss.mech.krb5.g.a(Unknown Source)
at com.ibm.security.jgss.mech.krb5.g.initSecContext(Unknown Source)
at com.ibm.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.ibm.security.jgss.GSSContextImpl.initSecContext(Unknown Source)
at com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5WSSecurityContextImpl$1.run(Krb5WSSecurityContextImpl.java:508)
at java.security.AccessController.doPrivileged(AccessController.java:770)
at javax.security.auth.Subject.doAs(Subject.java:570)
at com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5WSSecurityContextImpl.initSecContext(Krb5WSSecurityContextImpl.java:273)
at com.ibm.ISecurityLocalObjectTokenBaseImpl.Krb5WSSecurityContextImpl.initSecContext(Krb5WSSecurityContextImpl.java:157)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.processInternal(SOAPConnectorClient.java:1285)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.getSecurityHeader(SOAPConnectorClient.java:1095)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.invokeTemplateOnce(SOAPConnectorClient.java:783)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.invokeTemplate(SOAPConnectorClient.java:697)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.invokeTemplate(SOAPConnectorClient.java:687)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.queryNames(SOAPConnectorClient.java:599)
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.invoke(SOAPConnectorClient.java:524)
at com.sun.proxy.$Proxy39.queryNames(Unknown Source)
at com.ibm.ws.management.AdminClientImpl.queryNames(AdminClientImpl.java:108)
at com.ibm.ws.management.AdminServiceImpl.queryNames(AdminServiceImpl.java:679)
at com.ibm.ws.management.connector.AdminServiceDelegator.queryNames(AdminServiceDelegator.java:113)
at sun.reflect.GeneratedMethodAccessor92.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
at java.lang.reflect.Method.invoke(Method.java:508)
at com.ibm.ws.management.connector.soap.SOAPConnector.invoke(SOAPConnector.java:503)
at com.ibm.ws.management.connector.soap.SOAPConnector.service(SOAPConnector.java:335)
at com.ibm.ws.management.connector.soap.SOAPConnection.handleRequest(SOAPConnection.java:65)
at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java:733)
at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:522)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1892)

Any ideas what the issue might be? Are there any debug parameters I can set to get a more detailed error?

All Connections Applications are running as expected, there are no errors in the GUI.

Thank you in advance.

It looks like the SPNEGO filter includes the SOAP URL. Never had this. Does ISC login use Kerberos too?

No, the ISC login does not use Kerberos.

Before I configured Kerberos, I had SPNEGO in use for a long time. With SPNEGO only I did not have this issue...

Hi,

This sentence confuses me. I thought SPNEGO always comes together with Kerberos.

So following this instruction: https://help.hcltechsw.com/connections/v65/admin/secure/t_install_kerb_add_spnego_tai_to_was.html

Which of the optional settings did you take? What did you change to produce this error? Maybe Step 7: Kerberos and LTPA?

I never understood why the header says "and Kerberos optionally".

Hi Martin,

You are right, it was step 7. I activated "The Kerberos and LTPA", because we want to use Mail Plugin with MS Exchange as the backend...

The documentation says that you need to set this option if you want to use Connections Mail Plugin with Exchange as backend, that is why I have done this.

Best regards,

Milan

Unfortunately, I have never set this option. So I have no experience.

Currently, there are 2 options:

1) wsadmin tries to send Kerberos authentication which does not work

2) wsadmin sends basic authentication data but WebSphere Server tries to decrypt the Kerberos information and fails.

Are you using Windows or Linux? On Windows, it is more likely that wsadmin is trying to send Kerberos information.

There are 2 settings that influence this behavior on the wsadmin side, in Dmgr/properties/soap.client.props:
com.ibm.SOAP.securityEnabled=false
com.ibm.SOAP.authenticationTarget=BasicAuth

In case 2) where the WebSphere server is trying to decrypt Kerberos but wsadmin is sending basic auth: I have no idea where to look at it.
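A way to check both sides of the two cases above from files already on disk, as an added example that is not part of any post in this thread: it reads the wsadmin client setting from soap.client.props text and pulls the GSS major/minor codes out of SECJ9314E log entries. The properties sample is constructed, the log excerpt is the one from the question, and the mapping of the setting to case 1 or case 2 is an assumption made for illustration.

```python
import re

# Key named in the thread; the file is Dmgr/properties/soap.client.props.
TARGET_KEY = "com.ibm.SOAP.authenticationTarget"

# Constructed sample input (not a real deployment's file).
SAMPLE_PROPS = """\
# constructed sample
com.ibm.SOAP.securityEnabled=false
com.ibm.SOAP.securityEnabled = true
com.ibm.SOAP.authenticationTarget : BasicAuth
!com.ibm.SOAP.authenticationTarget=SomethingElse
"""

# Log excerpt copied from the question in this thread.
SAMPLE_LOG = """\
[1/12/21 22:38:31:635 CET] 000000f3 Krb5WSSecurit E SECJ9314E: An unexpected exception occurred when trying to run initSecContext() method : GSSException: org.ietf.jgss.GSSException, major code: 11, minor code: 41
major string: General failure, unspecified at GSSAPI level
minor string: Kerberos error formatting credential for delegation: 41
"""

def parse_props(text):
    """Parse .properties text: '#'/'!' comments, '=', ':' or blank separators,
    odd trailing backslash continues the line; last assignment wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if (len(line) - len(line.rstrip("\\"))) % 2:
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def client_hypothesis(props):
    """Map the client setting to the thread's case 1 or 2 (heuristic)."""
    target = props.get(TARGET_KEY)
    if target is None:
        return None  # key absent: cannot tell from the file alone
    return 2 if target.lower() == "basicauth" else 1

def gss_errors(log_text):
    """Return (major, minor, minor_string) for each SECJ9314E entry."""
    pat = re.compile(r"SECJ9314E.*?major code: (\d+), minor code: (\d+)(?:.*?\nminor string: ([^\n]*))?", re.S)
    return [(int(a), int(b), s) for a, b, s in pat.findall(log_text)]
```

A result of 2 from `client_hypothesis` means the client file is pinned to basic authentication, which points the investigation at the server side; `None` means the file does not set the key.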

I am using Linux.

Thank you very much Martin, I will try to find out more.