1. Re: Problem with SPNEGO Negotiation
dlofthouse Jul 30, 2008 12:24 PM (in response to chausberger) Your first problem is that your web browser is not trusting JBoss, so it is not even starting the SPNEGO process.
Have you followed through the Active Directory chapter fully to properly map the service principal in Active Directory? Until this is done, none of the settings in the browser will cause the browser to trust JBoss, as one of the first checks IE does is that it can obtain a ticket for the service principal.
Secondly, did you follow the Internet Explorer instructions so that the host name would be trusted? -
2. Re: Problem with SPNEGO Negotiation
chausberger Jul 30, 2008 4:59 PM (in response to chausberger) Thanks. I will check the Active Directory settings again.
I was using Firefox, not IE, but I guess this applies to Firefox too.
Claus -
3. Re: Problem with SPNEGO Negotiation
dlofthouse Jul 31, 2008 5:13 AM (in response to chausberger) Yes, for Firefox there is another section in the user guide on the changes needed to the Firefox configuration, and Firefox will also require the service principal to be correctly configured before it will start the negotiation process.
-
4. Re: Problem with SPNEGO Negotiation
chausberger Jul 31, 2008 10:08 AM (in response to chausberger) Hello,
thanks a lot for the help.
The Basic Negotiation and Security Domain tests now work and everything is as described in the user's guide.
But when I test "Secured", I get
HTTP Status 403 - Access to the requested resource has been denied
First, I had no spnego-roles.properties and spnego-users.properties, but I've added them now.
I don't see any error messages in the stdout logging of the JBoss server (I've configured the logging as described in the user's guide).
Any idea what my error here could be?
Claus -
5. Re: Problem with SPNEGO Negotiation
dlofthouse Jul 31, 2008 10:22 AM (in response to chausberger) I think you need to double-check the roles that the user is being associated with. If you have enabled TRACE logging for org.jboss.security, you should see something similar to the following in the server.log after the authentication process has completed: -
2008-07-24 21:35:08,768 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject: Principal: darranl@JBOSS.ORG Principal: Roles(members:Trader,Users,Banker,ipausers) Principal: CallerPrincipal(members:darranl@JBOSS.ORG) , sc=org.jboss.security.SecurityAssociation$SubjectContext@c05c2{principal=A1C423689601B6D6CC7D7682CBFB0525,subject=17368622}
If you are using the negotiation toolkit, this requires the user to have the 'Users' role.
Also, as you are using the UsersRolesLoginModule as the second login module in the chain, verify that the principal name does match the values you are using in the roles properties file. This should be the first principal in the list; in the example above this is 'darranl@jboss.org'. -
6. Re: Problem with SPNEGO Negotiation
chausberger Jul 31, 2008 10:50 AM (in response to chausberger) Does this mean that I have to specify the principal for the Windows user that gets authenticated via SPNEGO both in spnego-roles.properties and in login-config.xml in the UsersRolesLoginModule?
My UsersRolesLoginModule looks like this:
</login-module>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag="required">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="principal">hausberger@MYDOMAIN</module-option>
<module-option name="usersProperties">props/spnego-users.properties</module-option>
<module-option name="rolesProperties">props/spnego-roles.properties</module-option>
</login-module>
and my spnego-roles.properties looks like this:
hausberger@MYDOMAIN=Users
When I access the negotiation toolkit page I get this in the server.log:
2008-07-31 16:45:33,865 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, sub
Principal: hausbergers@MYDOMAIN
Principal: Roles(members)
Principal: CallerPrincipal(members:hausbergers@MYDOMAIN)
when I access the "Secured" page, I get this in the server.log:
2008-07-31 16:47:13,205 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2008-07-31 16:47:13,205 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2008-07-31 16:47:13,205 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2008-07-31 16:47:14,046 TRACE [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] Authenticating user
2008-07-31 16:47:14,046 TRACE [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] Already authenticated 'hausbergers@MYDOMAIN'
2008-07-31 16:47:14,046 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2008-07-31 16:47:14,126 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2008-07-31 16:47:14,127 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2008-07-31 16:47:14,127 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2008-07-31 16:47:14,129 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2008-07-31 16:47:14,129 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2008-07-31 16:47:14,129 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
Does this mean that the user has the "members" role? Where would I add the "Users" role?
The log also says "already authenticated".
Sorry for all the questions, I am new to JBoss.
Claus -
7. Re: Problem with SPNEGO Negotiation
dlofthouse Jul 31, 2008 11:08 AM (in response to chausberger) Did you cut and paste those examples or type them by hand?
In your properties file you have: -
hausberger@MYDOMAIN=Users
But in the log you have: -
hausbergers@MYDOMAIN
So there is an 's' missing before the '@'.
You may also need to restart your JBossAS instance, as it could be possible that the original credentials are being cached.
No need to apologise for the questions. I am currently putting together the candidate release ready to GA the library, so I can take some of these points and add them to the troubleshooting section of the user guide. -
8. Re: Problem with SPNEGO Negotiation
chausberger Jul 31, 2008 11:25 AM (in response to chausberger) Hi Darran,
thanks a lot. This was just a typo here in the forum. The principals are equal in my configuration, so there must be another error.
I restarted the server two times. No change, still the same error.
Looking forward to the GA. This is really a great tool and exactly what I was looking for.
Claus -
9. Re: Problem with SPNEGO Negotiation
dlofthouse Jul 31, 2008 11:33 AM (in response to chausberger) We will keep the actual discussion within the forum, but would it be possible for you to please zip up the server.log and your login-config.xml and e-mail both to me? I will have a quick look. At this stage I think it sounds like a minor error is stopping the roles from being correctly loaded.
-
10. Re: Problem with SPNEGO Negotiation
chausberger Aug 1, 2008 2:56 AM (in response to chausberger) I just sent you an email.
Claus -
11. Re: Problem with SPNEGO Negotiation
dlofthouse Aug 1, 2008 8:02 AM (in response to chausberger) Thanks for the files, I have just had a look at the logs.
I see the following output when the spnego-roles.properties file is read: -
2008-07-31 16:44:11,259 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[hausberger@MYDOMAIN]
The format of the 'spnego-roles.properties' file should actually be: -
hausberger@MYDOMAIN=Users
So the user principal comes first, and then after the '=' is a comma-separated list of the user's roles, which in this example is just the 'Users' role.
I also see in the configuration for the UsersRolesLoginModule you have: -
<module-option name="principal">hausberger@MYDOMAIN</module-option>
This is not required and should be removed. -
12. Re: Problem with SPNEGO Negotiation
chausberger Aug 1, 2008 8:37 AM (in response to chausberger) Thanks for the answer.
my spnego-roles.properties looks like this:
hausberger@MYDOMAIN=Users
so, this seems to be correct.
I still get "HTTP Status 403 - Access to the requested resource has been denied".
Claus -
13. Re: Problem with SPNEGO Negotiation
dlofthouse Aug 1, 2008 12:15 PM (in response to chausberger) Can you just double-check that the case of the complete username before the '=' matches exactly the case of the user that is being returned after the SPNEGO negotiation? Re-reading your log, it is looking to me as though the first letter may be upper case, but in your properties it is lower case.
-
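The lookup the thread is circling around is an exact, case-sensitive string match between the principal JBoss pulls out of the Kerberos ticket (the 'CallerPrincipal(members:...)' value in the TRACE output) and the key in the roles properties file. The script below is an added example, not code from the JBoss Negotiation project or the user guide: it parses a roles file in the 'principal=role1,role2' format described above, extracts the authenticated principals from constructed TRACE log lines modelled on the ones posted in this thread, and classifies each lookup as an exact match, a case-only mismatch, a near-miss typo (the missing 's' above), or a missing entry. It assumes the simple key=value form of the Java .properties format (no backslash escapes or line continuations) and the log line layout shown in post 5; both sample inputs are constructed for the example.

```python
"""Offline check of a UsersRolesLoginModule roles file against the
principal that SPNEGO authentication produced.

Added example; it is not code from the JBoss Negotiation library.
"""
import difflib
import re

# Matches the 'CallerPrincipal(members:NAME)' fragment that TRACE logging
# for org.jboss.security writes (format taken from the log line in post 5).
CALLER_PRINCIPAL_RE = re.compile(r"CallerPrincipal\(members:([^)]+)\)")

# Constructed sample: the roles file as posted in the thread.
ROLES_FILE = "# constructed sample spnego-roles.properties\nhausberger@MYDOMAIN=Users\n"

# Constructed sample log: the principal as Active Directory returned it,
# with the first letter in upper case (the situation in post 13).
TRACE_LOG = (
    "2008-07-31 16:45:33,865 TRACE [org.jboss.security.SecurityAssociation] "
    "pushSubjectContext, subject=Subject: Principal: Hausberger@MYDOMAIN "
    "Principal: Roles(members) Principal: CallerPrincipal(members:Hausberger@MYDOMAIN)\n"
)


def parse_roles_properties(text):
    """Parse 'principal=role1,role2' lines into {principal: [roles]}.

    Handles '#'/'!' comment lines, blank lines and either '=' or ':' as
    the separator. Keys are kept exactly as written, because the login
    module's lookup is case-sensitive (the whole point of the thread).
    """
    roles = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:]+?)\s*[=:]\s*(.*)", line)
        if not m:
            continue
        principal, value = m.group(1).strip(), m.group(2).strip()
        roles[principal] = [r.strip() for r in value.split(",") if r.strip()]
    return roles


def authenticated_principals(log_text):
    """Return every CallerPrincipal name found in the TRACE output."""
    return CALLER_PRINCIPAL_RE.findall(log_text)


def diagnose(principal, roles):
    """Classify why a principal would or would not pick up its roles.

    Returns ("ok", [roles]) for an exact match, ("case-mismatch", key) when
    only the case differs, ("near-miss", key) for a one-character-style
    typo, or ("missing", None) when nothing plausible is in the file.
    """
    if principal in roles:
        return ("ok", roles[principal])
    by_lower = {k.lower(): k for k in roles}
    if principal.lower() in by_lower:
        return ("case-mismatch", by_lower[principal.lower()])
    close = difflib.get_close_matches(principal, list(roles), n=1, cutoff=0.9)
    if close:
        return ("near-miss", close[0])
    return ("missing", None)


def has_required_role(principal, roles, required="Users"):
    """True only on an exact-key match that carries the required role
    (the negotiation toolkit's 'Secured' page needs 'Users')."""
    status, detail = diagnose(principal, roles)
    return status == "ok" and required in detail


if __name__ == "__main__":
    table = parse_roles_properties(ROLES_FILE)
    for name in authenticated_principals(TRACE_LOG):
        print(name, diagnose(name, table), "access:", has_required_role(name, table))
```

Run against the constructed samples it reports a case mismatch for 'Hausberger@MYDOMAIN' and denies access, which is the 403 described above; fixing the key in the properties file to the exact case the ticket carries turns that into an "ok" result. The near-miss check exists because a one-letter typo such as 'hausbergers' fails silently in the same way as a case difference: the login module simply finds no entry and assigns no roles.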
14. Re: Problem with SPNEGO Negotiation
chausberger Aug 4, 2008 3:16 AM (in response to chausberger) Hi Darran,
I checked again and indeed it was the wrong case. Now it works.
What's weird: the principal is "Hausberger@MYDOMAIN", but my Windows login is "hausberger" with a lowercase "h".
Where does the upper case come from? Active Directory?
Claus