Maximo Open Forum

  • 1.  SPNEGO SSO broke

    Posted 11-21-2022 10:22
    We have (what I would consider to be) a very straightforward, on-premise, Maximo deployment that connects to Active Directory only for authentication -- User and Group creation & management are handled manually in Maximo.  We also have SPNEGO/Kerberos SSO.  So, for years now, users who were logged in to a domain computer could get into Maximo without typing their username/password.

    Until this month.  My first notice from a user that this was no longer working happened on the same day that we installed security patches on our Domain Controllers.  That's the only thing I'm aware of that changed in the environment; I certainly hadn't changed Maximo.  I had not yet installed the new Microsoft patches (but I have now).

    I have a viable workaround, by having users use the actual login form.  When they type in their username and password, it works fine.  So just SSO is broken, not LDAP.

    I know those patches started phasing out some older encryption methods.  The one I think that's causing the issue is RC4-HMAC.  I saw reference to it in the krb5.conf file.

    Does anyone know what can be done to make SSO work again (no, removing the security patches is not an acceptable option)?  What needs to be done to make it use a different encryption, such as AES-256?
    #Administration
    #Security

    ------------------------------
    Travis Herron
    Pensacola Christian College
    ------------------------------
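
    The post above mentions an RC4-HMAC reference in krb5.conf. As an added example (not part of the thread and not IBM or Microsoft tooling), this script lists which encryption types the `[libdefaults]` section of a krb5.conf names and flags settings that offer no AES alternative. The sample file, realm and host names are constructed, and the function names are this example's own.

```python
import re

# Constructed sample, not taken from the poster's system.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    ; enctype lists may be separated by spaces or commas
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac, aes256-cts-hmac-sha1-96
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com:88
    }
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# This example's own choice of what counts as legacy: RC4 and the DES family.
LEGACY = re.compile(r"^(rc4|arcfour|des)", re.IGNORECASE)

def audit_enctypes(conf_text):
    """Map each enctype setting in [libdefaults] to its legacy and AES entries."""
    section, report = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or whole-line comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if section != "libdefaults" or not sep or key not in ENCTYPE_KEYS:
            continue
        names = [n for n in re.split(r"[,\s]+", value) if n]
        report[key] = {
            "legacy": [n for n in names if LEGACY.match(n)],
            "aes": [n for n in names if n.lower().startswith("aes")],
        }
    return report

def legacy_only(report):
    """Settings that list legacy enctypes and no AES alternative."""
    return [k for k, v in report.items() if v["legacy"] and not v["aes"]]

if __name__ == "__main__":
    print("no AES alternative:", legacy_only(audit_enctypes(SAMPLE_KRB5_CONF)))
```

    Listing AES in krb5.conf is not sufficient by itself: the keytab used for SPNEGO has to contain AES keys as well.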


  • 2.  RE: SPNEGO SSO broke

    Posted 11-22-2022 08:46
    Travis,
    There could be a few reasons for this. I have not configured SPNEGO/Kerberos SSO in a number of years, so here are a few things to check:

    1. There is a certificate you create, and this certificate may have expired, so it may be worth going through the steps and recreating the certificate. Here are the steps if you don't have them: https://www.ibm.com/support/pages/how-configure-single-sign-sso-authentication-ibm%C2%AE-maximo%C2%AE-76x
    2. If you think it may be related to encryption, Microsoft and other software vendors are deprecating older SSL encryption methods and moving towards TLS v1.2 or v1.3. It is likely the security patches may have disabled older SSL versions, and you can try to configure WebSphere to support TLS v1.2. A quick Google search will turn up a few articles on how to do this, and here is one that I just found that will likely be helpful: https://jasonmaximo.blogspot.com/2019/11/configure-maximo-using-tls-12.html.


    Mike


    ------------------------------
    Michael Marsonet
    MRM-EAM Consulting Inc.
    ------------------------------



  • 3.  RE: SPNEGO SSO broke

    Posted 11-23-2022 15:07
    Edited by Christopher Winston 11-23-2022 20:26
    Hi Travis,

    No idea if this will help you out, but it may be worth trying. We had what sounds like a very similar situation affect our SAP BusinessObjects installations across all nonprod and prod environments. It appears to have started after Windows update maintenance on 11/20. We don't use LDAP for Maximo, so we didn't see an issue there, but here's the article that SAP sent, which involves installing a KB on your DC. It fixed our SSO issue.

    Pete

    ------------------------------
    Pete Iadevaia
    Pima County
    ------------------------------

    Attachment(s): KBs needed to fix.pdf (142 KB)