I've resolved this issue but hae run into it serveral times so wanted to understand what causes it.
typically our company sells our product with VSJ 3.2 packaged inside as well as Tomcat 5.0 and JDK 1.4.2.08. Now from what I understand VSJ uses it's own JDK but when using it for tomcat 5.0 I have run into this error with 4 different customers.
In the tomcat localhost file we see.
"starting filter authFilter
com.wedgetail.idm.sso.ConfigException: Could not validate com.wedgetail.idm.sso.password: DES key type was used with an incorrect service principal name, service principal name was recently changed and a password reset is required, or password was invalid [caused by: com.dstc.security.kerberos.CryptoException: Integrity check failure]
at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:126)
at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:225)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:308)"
Now I can reset the password for the service account until I'm blue in the face but it will not resolve this error. Instead I need to go to the mmc, pull up the account properties for the vintela service account, and make sure DES is unchecked.
Our docs specify that DES should be selected yet it causes VSJ to fail in some environments (so far the only thing I think we have in common is windows 2003 native mode).
Can someone tell me any of the following...
1) Is DES required for VSJ or can we use RC4?
2) Should DES be the preferred method of encryption on the VSJ service account? Or can we recommend RC4 and only use DES in if it is needed.
3) Does anyone know what the above error means?
Thanks in advance.
Regards,
Tim
typically our company sells our product with VSJ 3.2 packaged inside as well as Tomcat 5.0 and JDK 1.4.2.08. Now from what I understand VSJ uses it's own JDK but when using it for tomcat 5.0 I have run into this error with 4 different customers.
In the tomcat localhost file we see.
"starting filter authFilter
com.wedgetail.idm.sso.ConfigException: Could not validate com.wedgetail.idm.sso.password: DES key type was used with an incorrect service principal name, service principal name was recently changed and a password reset is required, or password was invalid [caused by: com.dstc.security.kerberos.CryptoException: Integrity check failure]
at com.wedgetail.idm.sso.util.MemoryKeyTab.createKeyTab(MemoryKeyTab.java:126)
at com.wedgetail.idm.sso.util.Util.getKeyTab(Util.java:137)
at com.wedgetail.idm.sso.AbstractAuthenticator.initAuthenticator(AbstractAuthenticator.java:440)
at com.wedgetail.idm.sso.AuthFilter.init(AuthFilter.java:105)
at com.businessobjects.sdk.credential.WrappedResponseAuthFilter.init(WrappedResponseAuthFilter.java:56)
at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:225)
at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:308)"
Now I can reset the password for the service account until I'm blue in the face but it will not resolve this error. Instead I need to go to the mmc, pull up the account properties for the vintela service account, and make sure DES is unchecked.
Our docs specify that DES should be selected yet it causes VSJ to fail in some environments (so far the only thing I think we have in common is windows 2003 native mode).
Can someone tell me any of the following...
1) Is DES required for VSJ or can we use RC4?
2) Should DES be the preferred method of encryption on the VSJ service account? Or can we recommend RC4 and only use DES in if it is needed.
3) Does anyone know what the above error means?
Thanks in advance.
Regards,
Tim