We have (what I would consider to be) a very straightforward, on-premise, Maximo deployment that connects to Active Directory only for authentication -- User and Group creation & management are handled manually in Maximo. We also have SPNEGO/Kerberos SSO. So, for years now, users who were logged in to a domain computer could get into Maximo without typing their username/password.
Until this month. My first notice from a user that this was no longer working happened on the same day that we installed security patches on our Domain Controllers. That's the only thing I'm aware of that changed in the environment; I certainly hadn't changed Maximo. I had not yet installed the new Microsoft patches (but I have now).
I have a viable workaround, by having users use the actual login form. When they type in their username and password, it works fine. So just SSO is broken, not LDAP.
I know those patches started phasing out some older encryption methods. The one I think is causing the issue is RC4-HMAC. I saw a reference to it in the krb5.conf file.
Does anyone know what can be done to make SSO work again (no, removing the security patches is not an acceptable option)? What needs to be done to make it use a different encryption, such as AES-256?
#Administration #Security
------------------------------
Travis Herron
Pensacola Christian College
------------------------------
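Added example, not part of the original post: a small Python check that reads a krb5.conf and reports whether the enctype settings in `[libdefaults]` allow only RC4-HMAC, allow it alongside AES, or are AES-only. It assumes the poster's hypothesis (RC4 in krb5.conf) is worth testing; `audit_enctypes` and the sample file contents are constructed for illustration.

```python
import re

# Enctype spellings accepted in krb5.conf for RC4-HMAC.
RC4 = {"rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def audit_enctypes(text):
    """Return {setting: finding} for the enctype settings in [libdefaults]."""
    findings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key not in ENCTYPE_KEYS:
            continue
        types = [t.lower() for t in re.split(r"[,\s]+", value) if t]
        has_aes = any(t.startswith("aes") for t in types)
        has_rc4 = any(t in RC4 for t in types)
        if has_rc4 and not has_aes:
            findings[key] = "rc4-only"       # no AES enctype offered at all
        elif has_rc4:
            findings[key] = "rc4-allowed"    # AES present, RC4 still listed
        elif has_aes:
            findings[key] = "aes-only"
        else:
            findings[key] = "other"
    return findings

# Constructed sample, not the poster's file.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac
[realms]
    EXAMPLE.COM = { kdc = dc1.example.com:88 }
"""

if __name__ == "__main__":
    for setting, finding in audit_enctypes(SAMPLE).items():
        print(f"{setting}: {finding}")
```

A clean result here does not rule out the keytab, which must also contain AES keys for the service principal.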