[GIS] Connecting FME Server to Active Directory – Failed to create credential

Tags: fme, fme-server, Security

I'm trying to use FME Server's Active Directory integration to authenticate users. The connection works but fails soon after (and single sign on fails).

The account has permission to log on as a service and cross-domain trust is in place.

Any ideas?

Wed-26-Nov-2014 11:38:47 AM   INFORM   main   405404 : Transformation Manager init OK
Wed-26-Nov-2014 11:38:47 AM   WARN     main   408034 : (Active Directory) Key distribution centre (KDC) was not specified in configuration; using connected server as KDC.
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408001 : (Active Directory) Connecting to an available server in ( PRODUCTION.DOMAIN:389 )...
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408002 : (Active Directory) Successfully connected to PRODUCTION.DOMAIN.
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408004 : (Active Directory) Found default naming context "DC=production,DC=domain".
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408006 : (Active Directory) Using default NT domain "PRODUCTION".
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408037 : (Active Directory) Using connected server "PRODUCTION.DOMAIN" as KDC.
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408029 : (Active Directory) Found supported SASL mechanism "GSSAPI".
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408029 : (Active Directory) Found supported SASL mechanism "GSS-SPNEGO".
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408029 : (Active Directory) Found supported SASL mechanism "EXTERNAL".
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408029 : (Active Directory) Found supported SASL mechanism "DIGEST-MD5".
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408032 : (Active Directory) Configured to use SASL mechanism "GSSAPI" for authentication.
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408039 : (Active Directory) Authenticating user "AnFMEAccount@DEVELOPMENT.DOMAIN" using SASL mechanism "GSSAPI" with KDC address "PRODUCTION.DOMAIN" and realm "PRODUCTION"...
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408060 : (Active Directory) Successfully established a new connection to PRODUCTION.DOMAIN.
Wed-26-Nov-2014 11:38:47 AM   ERROR    main   408010 : (Active Directory) Exception: "LDAPException(resultCode=82 (local error), errorMessage='The GSSAPI authentication attempt failed:  java.security.PrivilegedActionException: LDAPException(resultCode=82 (local error), errorMessage='Unable to create the initial GSSAPI SASL request:  javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)] caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds) caused by KrbException: Fail to create credential. (63) - No service creds') caused by LDAPException(resultCode=82 (local error), errorMessage='Unable to create the initial GSSAPI SASL request:  javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)] caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds) caused by KrbException: Fail to create credential. (63) - No service creds')LDAPException(resultCode=82 (local error), errorMessage='Unable to create the initial GSSAPI SASL request:  javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)] caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds) caused by KrbException: Fail to create credential. (63) - No service creds') caused by javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)] caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds) caused by KrbException: Fail to create credential. (63) - No service creds')"
Wed-26-Nov-2014 11:38:47 AM   ERROR    main   408003 : (Active Directory) Failed to connect to an available server, or no servers were available.
Wed-26-Nov-2014 11:38:47 AM   FATAL    main   405405 : Security Manager init FAILED
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   405417 : Security Requests Dispatcher init OK
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   405411 : Log Manager init OK
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408301 : Initializing cluster management ...
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408304 : Failover is disabled.
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   000000 : 

Best Answer

FME Server (LDAP, Lightweight Directory Access Protocol) is case-sensitive.

Issue: LDAPException(resultCode=82 (local error)) is a username/password failure due to a case-sensitive username/password.

SASL Authentication Failure 1

Symptom

When using SASL authentication (Kerberos V5), the following error appears in the log file:

(Active Directory) Exception: "LDAPException(resultCode=82 (local error), errorMessage='An error occurred while attempting to initialize the JAAS login context for GSSAPI authentication: javax.security.auth.login.LoginException: Pre-authentication information was invalid (24) caused by KrbException: Pre-authentication information was invalid (24) caused by KrbException: Identifier doesn't match expected value (906)')"

Cause

The username and/or password was incorrectly entered.

Resolution

Ensure that the username and password are correctly entered. Note that when using SASL authentication (Kerberos V5), the username is case-sensitive and must exactly match the 'sAMAccountName' value for the account.

To get the user account name:

From AD Explorer, connect to the Active Directory. Browse for and select the entry representing the user account. The user account name appears under the 'sAMAccountName' attribute.

Source:

http://docs.safe.com/fme/html/FME_Server_Documentation/Default.htm#AdminGuide/Authent_Failure.htm
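To make the checks in the answer repeatable, the following triage script (an added example, not code from the thread or from Safe Software) parses the FME Server log excerpt posted in the question and pulls out the facts that matter for a GSSAPI bind: the principal FME authenticated as, the KDC and realm it used, whether the KDC was defaulted to the LDAP server (message 408034), and the innermost KrbException code and text. It then flags two things a practitioner would want to see side by side: the realm of the account versus the realm FME was configured with (in the posted log the account is in DEVELOPMENT.DOMAIN while the realm is PRODUCTION), and whether the configured username differs from the directory's sAMAccountName only in case, which is the condition the documentation describes. The sample log lines are copied from the question and shortened; the sAMAccountName passed to `triage()` is an assumed value supplied by the caller (for instance from AD Explorer), not something the script looks up.

```python
import re
from typing import Optional

# Constructed sample: three lines from the question's log. The exception line
# is trimmed to its innermost cause; the full line repeats the same nested text.
SAMPLE_LOG = """\
Wed-26-Nov-2014 11:38:47 AM   WARN     main   408034 : (Active Directory) Key distribution centre (KDC) was not specified in configuration; using connected server as KDC.
Wed-26-Nov-2014 11:38:47 AM   INFORM   main   408039 : (Active Directory) Authenticating user "AnFMEAccount@DEVELOPMENT.DOMAIN" using SASL mechanism "GSSAPI" with KDC address "PRODUCTION.DOMAIN" and realm "PRODUCTION"...
Wed-26-Nov-2014 11:38:47 AM   ERROR    main   408010 : (Active Directory) Exception: "LDAPException(resultCode=82 (local error), errorMessage='The GSSAPI authentication attempt failed: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Fail to create credential. (63) - No service creds)] caused by KrbException: Fail to create credential. (63) - No service creds')"
"""

# FME message 408039 carries the principal, mechanism, KDC and realm.
AUTH_RE = re.compile(r'Authenticating user "([^"]+)" using SASL mechanism "([^"]+)" '
                     r'with KDC address "([^"]+)" and realm "([^"]+)"')
# Kerberos causes look like 'Fail to create credential. (63) - No service creds'
# or 'Identifier doesn't match expected value (906)' (no trailing detail).
KRB_RE = re.compile(r"KrbException: (.+?) \((\d+)\)(?: - ([^')]+))?")


def parse_fme_ad_log(text: str) -> dict:
    """Extract the bind parameters and the innermost Kerberos error from FME log text."""
    info = {"kdc_defaulted": False, "user": None, "mechanism": None, "kdc": None,
            "realm": None, "krb_code": None, "krb_message": None, "krb_detail": None}
    for line in text.splitlines():
        if " 408034 : " in line:          # KDC not configured, LDAP host used instead
            info["kdc_defaulted"] = True
        m = AUTH_RE.search(line)
        if m:
            info["user"], info["mechanism"], info["kdc"], info["realm"] = m.groups()
        if " 408010 : " in line:          # exception line; keep the last (innermost) cause
            causes = KRB_RE.findall(line)
            if causes:
                msg, code, detail = causes[-1]
                info["krb_message"] = msg.rstrip(".")
                info["krb_code"] = int(code)
                info["krb_detail"] = detail or None
    return info


def realm_mismatch(user: str, realm: str) -> bool:
    """True when the principal's realm is neither the configured realm nor a child of it."""
    if "@" not in user:
        return False
    user_realm = user.rsplit("@", 1)[1].upper()
    configured = realm.upper()
    return user_realm != configured and not user_realm.startswith(configured + ".")


def case_mismatch(configured_user: str, sam_account_name: str) -> bool:
    """True when the names differ only in case; GSSAPI needs an exact sAMAccountName match."""
    return (configured_user != sam_account_name
            and configured_user.lower() == sam_account_name.lower())


def triage(text: str, sam_account_name: Optional[str] = None) -> list:
    """Return human-readable findings for the log; sam_account_name is caller-supplied."""
    info = parse_fme_ad_log(text)
    findings = []
    if info["krb_code"] is not None:
        detail = f" - {info['krb_detail']}" if info["krb_detail"] else ""
        findings.append(f"innermost Kerberos error: {info['krb_message']} ({info['krb_code']}){detail}")
    if info["kdc_defaulted"]:
        findings.append(f"no KDC configured; FME fell back to the LDAP server {info['kdc']}")
    if info["user"] and info["realm"] and realm_mismatch(info["user"], info["realm"]):
        findings.append(f"account {info['user']} is not in the configured realm {info['realm']}")
    configured_user = info["user"].split("@", 1)[0] if info["user"] else None
    if configured_user and sam_account_name and case_mismatch(configured_user, sam_account_name):
        findings.append(f"username {configured_user!r} differs from sAMAccountName "
                        f"{sam_account_name!r} only in case")
    return findings


if __name__ == "__main__":
    # Assumed sAMAccountName for demonstration; read the real one from AD Explorer.
    for finding in triage(SAMPLE_LOG, sam_account_name="anfmeaccount"):
        print("-", finding)
```

Run it against the full fmeserver log (`triage(open("fmeserver.log").read(), "<sAMAccountName>")`) after reading the account's sAMAccountName from AD Explorer; the realm finding is a prompt to confirm where the service account actually lives, not a diagnosis on its own.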
