AD SSO Authentication in Satellite UI fails after upgrading to Red Hat Satellite 6.11
Issue
-
The AD authentication has been configured with the integration of gssproxy service properly, But UI login still fails for external users.
-
Following errors were observed in the
/var/log/httpd/foreman-ssl_error_ssl.log
of the affected satellite server.[Tue Aug 09 15:31:58.830065 2022] [authnz_pam:warn] [pid 1014] [client 10.74.XX.XX:40106] PAM account validation failed for user user@domain.com: Permission denied [Tue Aug 09 15:31:58.830404 2022] [authz_core:error] [pid 1014] [client 10.74.XX.XX:40106] AH01631: user user@domain.com: authorization failure for "/users/extlogin/":
or
[Wed Aug 17 14:31:34.143494 2022] [auth_gssapi:error] [pid 93678:tid 139707719587584] [client 10.74.XX.XX:40106] GSS ERROR gss_localname() failed: [A required input parameter could not be read (Unknown error)]
-
SSO authentication via curl also fails at the OS level despite having a valid Kerberos ticket for the Active-Directory user.
# curl -k -u : --negotiate https://`hostname -f`/users/extlogin <html><meta http-equiv="refresh" content="0; URL=/users/login"><body>Kerberos authentication did not pass.</body></html>
Environment
- Red Hat Satellite 6.11
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.