Jump to content

Kerberos on Windows

Jeremy Sturgill

Recommended Posts

We recently converted webFOCUS over to using Kerberos.  Overall, this is working well.  No on needs to supply credentials.  We can use Klist - and see a Kerberos ticket.  All works well.

For about 7 hours.

For the life of me - we can't figure out why it seems the Kerberos ticket is not auto-renewing.   Around the 7 hour mark (of our 10 hour krb5.ini lifetime - (speculating here) ) - people start seeing "No Single Sign on ticket".  And - they are dead in the water.   Not everyone gets this the same time - or - it's maybe more accurate to say - not everyone notices this as the same time.

They are able to clear cache - or - more specifically -they can just delete the single webFOCUS cookie -and they are back in business.

We do have a case open with Tibco - but - as of yet - we don't have a good handle on "why" not everyone is getting the refreshed session.

I'm wondering if anyone here has Kerberos working properly - and maybe has some suggestions?

The parts of the krb5.ini that we think should be honored - but - doesn't seem to match our expectations:


 ticket_lifetime = 36000
 renew_lifetime = 7d


Edited by Jeremy Sturgill
Link to comment
Share on other sites

@Jeremy Sturgill  I think your kerberos ticket is timing out - time out starts at the time when the ticket is "issued" for the user. I wonder aboout the 7 day renew 

I think this is causing WebFOCUS not to renew the ticket unless you delete it via cache deletion.

Your ticket lifetime seems to be 36000 seconds = 10 hours but the renew is 7 days???



In addition please check this manual -https://docs.tibco.com/pub/wf-wf/9.2.3/doc/pdf/IBI_wf-wf_9.2.3_security_administration.pdf?id=11

Link to comment
Share on other sites

  • 2 weeks later...

Thank you Patrick.


A 10 hour lifetime - and 7 day renew are default Kerberos settings in the windows world.


That was indeed the doc we followed for our initial setup.


We are still struggling with renews though.  Though troubleshooting - it's clear - if people are inactive - and get signed out - when they come back after the Kerberos timeout - they are properly re-authed - and get back into webFOCUS.  This is good.


However - if people are working all day - the IBI_SESSION_TIMEOUT is pushed PAST the Kerberos end time.  When this happens - people are unable to re-auth.


People see "Reporting Server Error - No Single Sign On ticket" error.


They are then hosed until one of the following actions happens:

  • Wait for web session to expire.
  • Clear Cache
  • Clear the webFOCUS specific cookie


Ideally - we'll be able to find some setting that help it to renew - o r- we can reduce the IBI_SESSION_TIMEOUT - but this feels like it just narrows the window when bad things happen - and isn't really a fix.

Link to comment
Share on other sites

Last comment - as we found this interesting.

Although we have the Kerberos tickets set up for 10 hours - it "appears" everyone gets the same End Time - until hat 10 hour chunk has finished.  This means - the later in the day you log in - the less and less of the 10 hours you get.


It took a bit to figure this out .  We have several users starting at 4:30 AM....but most users start at 7:00 AM.  But - they ALL got the 2:30 PM Kerberos end time.  I initially thought they were only getting 75% of the 10 hours - but- this does not appear to be the case.   They just seem to get the same end time -as whoever logged in first for the day. 


I naively assumed- each person would get a full 10 hours.  That does not seem to be the case.


If we can figure out how each person gets the full 10 hours - my problem goes away.

If we can figure out how the renewals can be happy - even if the IBI_SESSION_TIMEOUT  is pushed past the Kerberos end time - I think we'll be good.


  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...