Does not apply to Identity Cloud

Authenticating with Windows Desktop SSO in AM (All versions) does not proceed when using a non-Microsoft Edge browser

Last updated Aug 17, 2021

The purpose of this article is to provide assistance if authenticating with Windows Desktop SSO (WDSSO) in AM does not proceed when using a non-Microsoft Edge browser, such as Chrome™ or Firefox®. The user sees a "401 Unauthorized / Access denied" error.


Symptoms

The user sees a 401 Unauthorized / Access denied error when they attempt to access a resource protected by AM, even though they are logged in to Microsoft® Windows® and another authentication module exists in the authentication chain.

An error similar to the following is shown in the Authentication log:

amLoginModule:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] Login, class = com.sun.identity.authentication.modules.windowsdesktopsso.WindowsDesktopSSO, module=WDSSO, file=/config/auth/default/WindowsDesktopSSO.xml
amLoginModule:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] AMLoginModuleiplanet-am-auth-shared-state-behavior-pattern is set to tryFirstPass
amLoginModule:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] This module is not done yet. CurrentState: 1
amLoginModule:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] callback stateLength in file = 1
amLoginModule:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] callback size for state 1=1
amLoginModule:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] clone #0 is PagePropertiesCallback
amLoginModule:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] Login, state = 1
amCallback:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] callback handler method
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] Setting page timeout :120
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] setting Last Callback Sent :1394578342563
amCallback:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] Set callbacks, throwing java.lang.Error.
amJAAS:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] LoginContext.invoke():Handling expected java.lang.Error
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] Caught java.lang.Error returned from DSAMEHandler
java.lang.Error: return from DSAMECallback
    at com.sun.identity.authentication.service.DSAMECallbackHandler.handle(DSAMECallbackHandler.java:141)
    at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1134)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    ...
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] AMLoginContext:Thread started... returning.
amAuthContextLocal:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] after AMLoginContext::exceuteLogin :
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] getStatus : status is... : 2
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] getStatus : status is... : 2
amAuthContextLocal:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] Status at the end of login() : in_progress
amAuthContextLocal:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] AuthContextLocal::hasMoreRequirements()
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] getStatus : status is... : 2
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] getStatus : status is... : 2
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] Recd Callback in amlc.getRequiredInfo : com.sun.identity.authentication.spi.PagePropertiesCallback@2f466880
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] Recd Callback in amlc.getRequiredInfo : com.sun.identity.authentication.spi.HttpCallback@3776c3bf
amLoginViewBean:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] In getLoginDisplay, has More Requirements
amAuthContextLocal:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] AuthContextLocal::getRequirements()
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] getStatus : status is... : 2
amAuth:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] getStatus : status is... : 2
amLoginViewBean:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] Start authorization negotiation...
amLoginViewBean:03/11/2014 11:52:22:563 PM CET: Thread[http-bio-8080-exec-8,5,main] header: WWW-Authenticate, value: Negotiate, code: 401

Recent Changes

Implemented the Windows Desktop SSO authentication module.

Causes

The browser cannot return a Kerberos™ token during the SPNEGO handshake because it cannot retrieve a Kerberos service ticket for AM from Active Directory®.

Two common reasons for the browser failing to send a Kerberos token are:

  • The AM FQDN is not listed as a trusted host in the browser.
  • The Service Principal Name (SPN) is not set up correctly in Active Directory.

Solution

This issue can be resolved by checking the following:

  1. Check if the Kerberos service ticket was retrieved for AM using the Klist utility from Microsoft:
    • If the Kerberos service ticket does exist for the AM FQDN - check your browser settings to ensure the browser is correctly set up for SPNEGO (Integrated Windows Authentication) and update where necessary. See How do I set up Kerberos authentication in AM (All versions)? for further information.
    • If the Kerberos service ticket does not exist for the AM FQDN - proceed to the next step.

For example, running the klist command:

$ klist

Produces an output such as the following:

Server: HTTP/host1.example.com @ FORGEROCK.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 3/17/2016 11:33:06 (local)
End Time: 3/17/2016 21:31:54 (local)
Renew Time: 3/24/2016 11:31:54 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0
Kdc Called: SVR1

  2. Check the AM FQDN is listed as a trusted host in the browser and add it if it's not listed. You can check as follows according to which browser you are using:
    • Chrome - since Chrome uses the Microsoft Edge settings, you should check the AM FQDN is added to the trusted site list in Microsoft Edge (Security tab > Trusted Sites > Sites).
    • Firefox - the AM FQDN should be added to the network.negotiate-auth.trusted-uris and network.automatic-ntlm-auth.trusted-uris settings (accessed via about:config).
  3. Check the SPN for the AM service in Active Directory and correct if necessary. Ensure the FQDN which matches the SPN in AD is used and the specified authcontext matches the auth module/chain for WDSSO. You can use the following command to check the SPN:

$ setspn -l [account]

replacing [account] with the name of the account created for AM. An example command looks like this:

$ setspn -l openam

and gives an output as follows:

Registered ServicePrincipalNames for CN=OpenAM,OU=employees,DC=example,DC=com:
    HTTP/host1.example.com

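The three checks above form a small decision tree: a cached HTTP/&lt;AM FQDN&gt; service ticket points at the browser configuration, no ticket plus a missing SPN points at Active Directory, and no ticket with a correct SPN points back at the browser's trusted-host list. The following script is an added example, not ForgeRock's code: it parses the klist and setspn output shown in this article (embedded below as constructed samples) and reports which step applies. The host name host1.example.com and account openam are the article's example values; the Firefox trusted-uris matching rule in firefox_trusts is a simplified approximation (exact host or parent domain), not Firefox's own implementation.

```python
"""Classify a WDSSO 401 from the klist / setspn output the article tells you to collect.

Added example, not ForgeRock's code. Assumptions: the parsers take the text that
'klist' and 'setspn -l <account>' print on Windows; firefox_trusts is a simplified
model of network.negotiate-auth.trusted-uris, not Firefox's real matching code.
"""
import re
import shutil
import subprocess
from typing import List, Optional

# Diagnosis labels, mapped onto the article's numbered checks.
CHECK_BROWSER_SPNEGO = "ticket present: check the browser's SPNEGO/IWA settings (step 1)"
BROWSER_NOT_TRUSTING = "ticket present but AM FQDN not trusted by the browser: add it (step 2)"
CHECK_TRUSTED_HOSTS = "no ticket, SPN registered: check the browser's trusted hosts (step 2)"
FIX_SPN = "no ticket and no HTTP/<fqdn> SPN on the AM account: fix the SPN in AD (step 3)"


def parse_klist_servers(klist_output: str) -> List[str]:
    """Return the service principal of each cached ticket, e.g. 'HTTP/host1.example.com'.
    Windows klist prints lines like 'Server: HTTP/host1.example.com @ FORGEROCK.COM'."""
    return [m.group(1) for m in re.finditer(r"Server:\s*([^@\s]+)\s*@", klist_output)]


def parse_setspn(setspn_output: str) -> List[str]:
    """Return the SPNs listed under the 'Registered ServicePrincipalNames for ...' header."""
    spns, in_list = [], False
    for line in setspn_output.splitlines():
        if line.startswith("Registered ServicePrincipalNames"):
            in_list = True
            continue
        if in_list and line.strip():
            spns.append(line.strip())
    return spns


def has_service_ticket(am_fqdn: str, klist_output: str) -> bool:
    """True if the ticket cache holds a ticket for HTTP/<am_fqdn> (case-insensitive)."""
    want = f"HTTP/{am_fqdn}".lower()
    return any(s.lower() == want for s in parse_klist_servers(klist_output))


def spn_registered(am_fqdn: str, setspn_output: str) -> bool:
    """True if HTTP/<am_fqdn> is among the SPNs registered on the AM service account."""
    want = f"HTTP/{am_fqdn}".lower()
    return any(s.lower() == want for s in parse_setspn(setspn_output))


def firefox_trusts(am_fqdn: str, trusted_uris: str) -> bool:
    """Simplified model (assumption) of network.negotiate-auth.trusted-uris: comma-separated
    entries, optional scheme prefix, an entry matches the exact host or a parent domain."""
    host = am_fqdn.lower().rstrip(".")
    for entry in trusted_uris.split(","):
        e = re.sub(r"^[a-z]+://", "", entry.strip().lower()).strip(".")
        if e and (host == e or host.endswith("." + e)):
            return True
    return False


def diagnose(am_fqdn: str, klist_output: str, setspn_output: str,
             firefox_trusted_uris: Optional[str] = None) -> str:
    """Map the collected evidence onto the article's decision steps."""
    if has_service_ticket(am_fqdn, klist_output):
        if firefox_trusted_uris is not None and not firefox_trusts(am_fqdn, firefox_trusted_uris):
            return BROWSER_NOT_TRUSTING
        return CHECK_BROWSER_SPNEGO
    if not spn_registered(am_fqdn, setspn_output):
        return FIX_SPN
    return CHECK_TRUSTED_HOSTS


def run_tool(args: List[str]) -> str:
    """Run a Windows CLI tool if it is on PATH; return '' elsewhere so the samples are used."""
    if shutil.which(args[0]) is None:
        return ""
    return subprocess.run(args, capture_output=True, text=True).stdout


# Constructed sample output, copied from the article's klist and setspn examples.
KLIST_SAMPLE = """\
Server: HTTP/host1.example.com @ FORGEROCK.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
Start Time: 3/17/2016 11:33:06 (local)
End Time: 3/17/2016 21:31:54 (local)
"""
SETSPN_SAMPLE = """\
Registered ServicePrincipalNames for CN=OpenAM,OU=employees,DC=example,DC=com:
    HTTP/host1.example.com
"""

if __name__ == "__main__":
    fqdn, account = "host1.example.com", "openam"  # article's example values; substitute your own
    klist_out = run_tool(["klist"]) or KLIST_SAMPLE
    setspn_out = run_tool(["setspn", "-l", account]) or SETSPN_SAMPLE
    print(diagnose(fqdn, klist_out, setspn_out))
```

On a Windows workstation the script runs the real klist and setspn commands (setspn needs the RSAT tools); anywhere else it falls back to the embedded samples, which is also how you would feed it output captured from a user's machine. Note that parse_klist_servers matches the principal exactly, so a ticket for a host alias or a differently-cased realm will correctly show up as "no ticket" rather than masking an SPN mismatch.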
Note

If none of these resolve the issue, another problem must exist with the Kerberos protocol between the browser and Active Directory; you can attempt to track this down using utilities such as the Microsoft Network Monitor or the Microsoft Message Analyzer.

See Also

How do I troubleshoot Kerberos and WDSSO issues in AM (All versions)?

Kerberos token is not valid error when authenticating with Windows Desktop SSO in AM (All versions) using Microsoft Edge

How do I set up Kerberos authentication in AM (All versions)?

Configuring and troubleshooting WDSSO in AM

Setspn Utility

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.