Jive - Kerberos SSO Login - Unsupported Mechanism Error

Overview

When customers upgrade their hosted/on-premises (HOPS) instances to Jive 9.1 and above, they may face an error logging in with Kerberos Single Sign-On (SSO). The error message in sbs.log says GSSException: Unsupported mechanism requested. The users will be asked to log in with usernames and passwords, despite Kerberos being configured.

This article walks you through the solution for this error.

Solution

In Jive HOPS 9.1, we moved from Oracle JDK 8.0  to Amazon Corretto 8.0 JDK. The Amazon Corretto 8 JDK has a different out of the box configuration of their crypto providers when comparing it to the one found in Oracle JDK 8.0

1. You need to edit the file:

   /usr/local/jive/java/jre/lib/security

    

2. Existing security.provider.X entries need to be deleted or commented out. For example:

   security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
   security.provider.2=com.sun.net.ssl.internal.ssl.Provider BCFIPS
   security.provider.3=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
   security.provider.4=sun.security.provider.Sun

3. These entries need to be enabled

   security.provider.1=sun.security.provider.Sun
   security.provider.2=sun.security.rsa.SunRsaSign
   security.provider.3=sun.security.ec.SunEC
   security.provider.4=com.sun.net.ssl.internal.ssl.Provider
   security.provider.5=com.sun.crypto.provider.SunJCE
   security.provider.6=sun.security.jgss.SunProvider
   security.provider.7=com.sun.security.sasl.Provider
   security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
   security.provider.9=sun.security.smartcardio.SunPCSC

4. Restart Jive

<supportagent>

See tickets #2790743, #2330130, and #2038642

</supportagent>

Testing

The users who were previously not able to log in using Kerberos SSO should now be able to log in successfully, without needing to enter a username and password.