IBM Support

Single Sign-On (SSO) fails for IBM FileNet Application Engine (Workplace) logon using Internet Explorer and Windows 7 clients.

Troubleshooting


Problem

IBM FileNet Content Engine and Workplace configured for Single Sign-On (SSO) over Secure Sockets Layer (SSL) function normally when using browsers such as Firefox or Chrome on Windows 7. However, when using Internet Explorer on a Windows 7 client, Workplace prompts for a logon instead of validating the session token to log the user on automatically. SSO functions normally on XP and Vista clients with all browsers.

Symptom

Any attempt to log on to Workplace, or even to run a simple "snoop", using Internet Explorer very quickly displays an error in the browser and then prompts for logon:

"SPNEGO authentication is not supported on this client."

Errors in the WebSphere log are similar to:

00000031 Context E com.ibm.ws.security.spnego.Context begin CWSPN0011E: A non-valid SPNEGO token has been encountered while authenticating a HttpServletRequest:
0000: a1143012 a0030a01 01a10b06 092a8648 ..0. .... .... .*.H
0010: 82f71201 0202 .... ..
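
The hex dump in the CWSPN0011E entry is the rejected token itself, so it can be decoded to see what the browser sent. The Python below is an added example, not IBM or WebSphere code; the function names are made up for illustration, and the field layout assumed is the SPNEGO NegTokenResp structure from RFC 4178.

```python
import re

# Constructed input: the hex dump copied from the CWSPN0011E log entry above.
LOG_DUMP = ("0000: a1143012 a0030a01 01a10b06 092a8648 ..0. .... .... .*.H "
            "0010: 82f71201 0202 .... ..")
NEG_STATES = {0: "accept-completed", 1: "accept-incomplete", 2: "reject", 3: "request-mic"}
MECHS = {"1.2.840.113554.1.2.2": "Kerberos V5",
         "1.2.840.48018.1.2.2": "Kerberos V5 (legacy Microsoft OID)"}

def dump_to_bytes(dump):
    """Collect the leading hex groups of each dump row, dropping the ASCII column."""
    rows = re.split(r"\b[0-9a-f]{4}: ", dump)[1:]
    hexes = [re.match(r"(?:(?:[0-9a-f]{2}){1,4}\s)*", row + " ").group(0) for row in rows]
    return bytes.fromhex("".join(hexes))

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER element; reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def describe_spnego(token):
    tag, body, _ = read_tlv(token)
    info = {"type": "NegTokenResp" if tag == 0xA1 else "other (tag 0x%02x)" % tag}
    if tag == 0xA1:  # [1] NegTokenResp: a SEQUENCE of context-tagged fields
        pos, seq = 0, read_tlv(body)[1]
        while pos < len(seq):
            ctx, field, pos = read_tlv(seq, pos)
            inner = read_tlv(field)[1]
            if ctx == 0xA0:    # [0] negState, ENUMERATED
                info["negState"] = NEG_STATES.get(inner[0], "unknown")
            elif ctx == 0xA1:  # [1] supportedMech, OBJECT IDENTIFIER
                oid = decode_oid(inner)
                info.update(supportedMech=oid, mechName=MECHS.get(oid, "unknown"))
    return info
```

Calling `describe_spnego(dump_to_bytes(LOG_DUMP))` on the dump above reports a NegTokenResp with negState accept-incomplete and supportedMech 1.2.840.48018.1.2.2.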

Cause

Windows 7 added a security feature, "Extended Protection for Authorization." Without a JDK fix in place, requests from a Windows 7 client via Internet Explorer fail because of changes in how Channel Binding Tokens (CBT) are handled.

Environment

Windows 7 and Internet Explorer

Diagnosing The Problem

SSO can be validated on Windows 7 by using any browser other than Internet Explorer, such as Firefox or Chrome, or by using a different client version, such as Windows XP or Vista, with any browser.

Once it has been determined which platform SSO is failing on, more focused troubleshooting can take place. Note that the SSO failure can be seen with other applications as well, not just with IBM FileNet products.

Resolving The Problem

1) Locate Microsoft KB 976918 "Authentication failure from non-Windows NTLM or Kerberos servers"

2) Choose to follow the steps to change the behavior of Extended Protection for Authorization (on each Windows 7 client) or apply the JDK fix for the known Sun Java bug (bug_id 6857973) to the web application server.

The Oracle/Sun fix recommended by Microsoft is to upgrade Java to 6 patch 19.

See the Oracle Java release notes for that fix.

NOTE: For WebSphere 7, the JDK fix is included in APAR PM16905.

The resolution can be validated by following the steps to change the behavior of Extended Protection for Authorization on one Windows 7 client. If SSO is functional on the client after the change, then this issue has been confirmed. Either the JDK fix should be applied to the web server or all Windows 7 clients needing SSO should be modified.


Document Information

Modified date:
17 June 2018

UID

swg21470600