Updating or creating the WindowsDesktopSSO authentication module via the configurator tool or ssoadm fails in OpenAM 12.0.0, 12.0.1 and 12.0.2
The purpose of this article is to provide assistance if you receive an "iplanet-am-auth-windowsdesktopsso-keytab does not match the service schema" error when updating or creating the Windows Desktop SSO (WDSSO) authentication module via the configurator tool in OpenAM 12.0.0, 12.0.1 and 12.0.2. Similarly, if you use ssoadm to configure the Windows Desktop SSO authentication module, you see a "File [path_to_keytab] did not exist" error.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
An error similar to the following is shown in the ssoadm Configuration debug log if you use the configurator tool to configure the Windows Desktop SSO authentication module in OpenAM and include the iplanet-am-auth-windowsdesktopsso-keytab-file property:
amCLI:06/14/2015 10:17:25:789 AM PDT: Thread[main,5,main] ERROR: UpdateAuthInstance.handleRequest Message:The attribute name iplanet-am-auth-windowsdesktopsso-keytab does not match the service schema
at com.sun.identity.sm.ServiceSchemaImpl.validateAttrValues(ServiceSchemaImpl.java:471)
at com.sun.identity.sm.ServiceSchemaImpl.validateAttributes(ServiceSchemaImpl.java:291)
at com.sun.identity.sm.ServiceConfig.setAttributes(ServiceConfig.java:536)
at com.sun.identity.authentication.config.AMAuthenticationInstance.setAttributeValues(AMAuthenticationInstance.java:155)
at com.sun.identity.cli.authentication.UpdateAuthInstance.handleRequest(UpdateAuthInstance.java:98)
at com.sun.identity.cli.SubCommand.execute(SubCommand.java:291)
at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:212)
at com.sun.identity.cli.CLIRequest.process(CLIRequest.java:134)
at com.sun.identity.cli.CommandManager.serviceRequestQueue(CommandManager.java:573)
at com.sun.identity.cli.CommandManager.<init>(CommandManager.java:170)
at com.sun.identity.cli.CommandManager.main(CommandManager.java:147)
The following response is shown if you use a ssoadm command to add or update the iplanet-am-auth-windowsdesktopsso-keytab-file property:
File [path_to_keytab] did not exist.
Recent Changes
Upgraded to OpenAM 12.0.0, 12.0.1 or 12.0.2
Created or updated the Windows Desktop SSO authentication module via the configurator tool or ssoadm; specifically setting the iplanet-am-auth-windowsdesktopsso-keytab-file property.
Causes
The UpdateAuthInstance class assumes that every property whose name ends in -file refers to a file whose contents should be read, rather than a literal value. The iplanet-am-auth-windowsdesktopsso-keytab-file property is a literal value (the path to the keytab), so when this property is set the class cannot locate a file with that name and fails.
Solution
This issue can be resolved by upgrading to OpenAM 12.0.3 or later; you can download this version from BackStage.
Workaround
You can work around this issue by creating a file that contains the required value for the iplanet-am-auth-windowsdesktopsso-keytab-file property and using the iplanet-am-auth-windowsdesktopsso-keytab-file-file property to reference this file instead.
For example, to update the property via ssoadm you would:
- Create a data file (called DATA_FILE to match the next command) that contains the required value for the iplanet-am-auth-windowsdesktopsso-keytab-file property (rather than the actual location of the keytab file itself), for example: /etc/krb5.keytab
- Enter the following command to update the Windows Desktop SSO authentication module:
$ ./ssoadm update-auth-instance -e [realmname] -m [moduleinstancename] -u [adminID] -f [passwordfile] -a iplanet-am-auth-windowsdesktopsso-keytab-file-file=DATA_FILE
replacing [realmname], [moduleinstancename], [adminID] and [passwordfile] with appropriate values.
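The two workaround steps above as a small POSIX shell script. This is an added example, not ForgeRock's own tooling; it assumes ssoadm is run as ./ssoadm from the current directory as in the command above, and the data-file and function names are the author's own choices.

```shell
#!/bin/sh
# Added example: prepare the DATA_FILE for the OpenAM 12.0.0-12.0.2 workaround
# and build the ssoadm arguments. Not part of the ForgeRock article or OpenAM.
set -eu

# Write the keytab *path* (the value the property should hold) into a data file.
# ssoadm reads this file because the property name we pass ends in -file.
# Refuses a relative path: the value is used by OpenAM on the server host, so
# it must be an absolute path to the keytab, not the keytab's contents.
write_keytab_data_file() {
    keytab_path="$1"
    data_file="$2"
    case "$keytab_path" in
        /*) ;;
        *) echo "keytab path must be absolute: $keytab_path" >&2; return 1 ;;
    esac
    printf '%s\n' "$keytab_path" > "$data_file"
    echo "$data_file"
}

# Build the -a argument: the real property name with an extra "-file" suffix,
# so UpdateAuthInstance reads the value out of DATA_FILE instead of failing.
keytab_file_arg() {
    data_file="$1"
    echo "iplanet-am-auth-windowsdesktopsso-keytab-file-file=$data_file"
}

# Run the update (realm, module instance, admin ID, password file, data file).
update_wdsso_module() {
    realm="$1"; module="$2"; admin="$3"; pwfile="$4"; data_file="$5"
    ./ssoadm update-auth-instance -e "$realm" -m "$module" -u "$admin" \
        -f "$pwfile" -a "$(keytab_file_arg "$data_file")"
}
```

Call update_wdsso_module only on the OpenAM host after write_keytab_data_file has produced DATA_FILE; nothing in the script runs ssoadm by itself.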
See Also
OpenAM Reference › OpenAM Command Line Tools › ssoadm
OpenAM Reference › OpenAM Command Line Tools › configurator.jar
Related Training
N/A
Related Issue Tracker IDs
OPENAM-5894 (Can't update WindowsDesktopSSO module with ssoadm)