Hi,

I've a problem while using Kerberos in "Windows Integrated Authentication Provider" for ICWS and Web Client.
(If I switch to NTLM it's working, but this is not an option.)
In the trace I can see that the client is sending a Kerberos ticket (because the authorization string in the header starts with "YII").
In the CIC Server log "ic_stsu" I can see that the server is receiving this token, calls the "AcceptSecurityContext" Function with this token and gets the error "SEC_I_CONTINUE_NEEDED".
As a result, the server is sending the password request to the client again, and the client opens the unwanted User/Password window or simply says "unauthorized".

So my question is: What must I Change in the CIC 2018R2 patch 8 configuration, so that the CIC server is accepting the Kerberos tokens from the clients.

icsts::AuthWindows::process_auth_request() : Failed on AcceptSecurityContext:
ErrorCode: error::icsts
Description: AcceptSecurityContext() returned SEC_I_CONTINUE_NEEDED

Any ideas?

------------------------------
Andreas Tikart
Fiebig GmbH
------------------------------

I've found a solution. You need to create some additionals SPNs.

Example icws:
If the CIC Server is "cic.mydomain.com" and the service user is "icadmin" then you must use:
setspn -s HTTP/cic.mydomian.com MYDOMAIN\icadmin

Example Interaction Connect:
If the CIC Connect Server is "webserver.mydomain.com" and the Apache Webserver is running  using the "icadmin" windows Service account then you must use the SPN from above plus:
setspn -s HTTP/webserver.mydomian.com MYDOMAIN\icadmin



------------------------------
Andreas Tikart
Fiebig GmbH
------------------------------

Original Message:
Sent: 07-11-2018 08:44
From: Andreas Tikart
Subject: Kerberos SSO not Working

Hi,

I've a problem while using Kerberos in "Windows Integrated Authentication Provider" for ICWS and Web Client.
(If I switch to NTLM it's working, but this is not an option.)
In the trace I can see that the client is sending a Kerberos ticket (because the authorization string in the header starts with "YII").
In the CIC Server log "ic_stsu" I can see that the server is receiving this token, calls the "AcceptSecurityContext" Function with this token and gets the error "SEC_I_CONTINUE_NEEDED".
As a result, the server is sending the password request to the client again, and the client opens the unwanted User/Password window or simply says "unauthorized".

So my question is: What must I Change in the CIC 2018R2 patch 8 configuration, so that the CIC server is accepting the Kerberos tokens from the clients.

icsts::AuthWindows::process_auth_request() : Failed on AcceptSecurityContext:
ErrorCode: error::icsts
Description: AcceptSecurityContext() returned SEC_I_CONTINUE_NEEDED

Any ideas?

------------------------------
Andreas Tikart
Fiebig GmbH
------------------------------