Our deployment keeps getting an odd SECJ0118E exception when authenticating with form authentication from a Mozilla or Chrome browser that is not configured for the Active Directory domain.
All the instructions in the WebSphere Infocenter for enabling fallback to default authentication had been applied correctly. We noticed that standard WebSphere security tracing (*=info:com.ibm.ws.security.*=all:com.ibm.websphere.security.*=all:com.ibm.websphere.wim.*=all:com.ibm.wsspi.wim.*=all:com.ibm.ws.wim.*=all) wrote a lot of Kerberos exceptions to the trace:
[30/12/13 17.36.57:246 CET] 0000005e Krb5LoginModu < login() Exit
javax.security.auth.login.FailedLoginException: Errore di login: com.ibm.security.krb5.KrbException, codice di stato: 68
messaggio: Nessuno
messaggio: Nessuno
    at com.ibm.security.jgss.i18n.I18NException.throwFailedLoginException(I18NException.java:30)
    at com.ibm.security.auth.module.Krb5LoginModule.a(Krb5LoginModule.java:719)
    at com.ibm.security.auth.module.Krb5LoginModule.b(Krb5LoginModule.java:742)
Double-checking the WebSphere security settings, we noticed that the authentication mechanism was mistakenly set to Kerberos and LTPA instead of simple LTPA, as suggested for SPNEGO.
Reverting to simple LTPA fixed everything.