Error 401 in jboss Negotiation war for the secured test
ellis2323 Feb 28, 2009 8:48 PMHello,
My full story with FreeIPA and jboss negotiation could be found on my blog: ellis2323.blogspot.com
To do short:
- i have installed to VM with Fedora Core 10
- i have installed FreeIPA on the first
- i have installed a server on the second
Kerberos is working. I can use ssh without prompting ssh!!!
My goal: build a webservice to browse a filesystem. I have already done it with python with "root" access. Now i want use impersonation with JAAS and Delegation with Kerberos to use the SSH service to access a filesystem.
Now i have installed jboss and jboss-negotiation-toolkit.war (2.0.3GA).
But i can't have the third test working. I have search during 3 days but
no idea. The message is a checksum error :
2:20:21,919 INFO [BasicNegotiationServlet] No Authorization Header, sending 401 02:20:22,027 INFO [BasicNegotiationServlet] Authorization header received - decoding token. 02:20:37,558 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/java/jboss/server/default/conf/test.keytab refreshKrb5Config is false principal is host/server1.scigems.org@SCIGEMS.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false 02:20:37,582 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG 02:20:37,583 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP 02:20:37,583 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org 02:20:37,585 INFO [STDOUT] >>> KeyTab: load() entry length: 87; type: 18 02:20:37,585 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG 02:20:37,586 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP 02:20:37,586 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org 02:20:37,586 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 17 02:20:37,587 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG 02:20:37,588 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP 02:20:37,588 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org 02:20:37,588 INFO [STDOUT] >>> KeyTab: load() entry length: 79; type: 16 02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG 02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP 02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org 02:20:37,590 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 23 02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG 02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP 02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org 02:20:37,591 INFO [STDOUT] >>> KeyTab: load() entry length: 63; type: 1 02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG 02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): host 02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org 02:20:37,593 INFO [STDOUT] >>> KeyTab: load() entry length: 87; type: 18 02:20:37,593 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG 02:20:37,605 INFO [STDOUT] >>> KeyTabInputStream, readName(): host 02:20:37,605 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org 02:20:37,606 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 17 02:20:37,607 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG 02:20:37,607 INFO [STDOUT] >>> KeyTabInputStream, readName(): host 02:20:37,608 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org 02:20:37,609 INFO [STDOUT] >>> KeyTab: load() entry length: 79; type: 16 02:20:37,609 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG 02:20:37,611 INFO [STDOUT] >>> KeyTabInputStream, readName(): host 02:20:37,611 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org 02:20:37,611 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 23 02:20:37,612 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG 02:20:37,612 INFO [STDOUT] >>> KeyTabInputStream, readName(): host 02:20:37,613 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org 02:20:37,613 INFO [STDOUT] >>> KeyTab: load() entry length: 63; type: 1 02:20:37,621 INFO [STDOUT] Added key: 1version: 10 02:20:37,623 INFO [STDOUT] Added key: 23version: 10 02:20:37,623 INFO [STDOUT] Added key: 16version: 10 02:20:37,623 INFO [STDOUT] Added key: 17version: 10 02:20:37,624 INFO [STDOUT] Added key: 18version: 10 02:20:37,624 INFO [STDOUT] Ordering keys wrt default_tkt_enctypes list 02:20:37,630 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes 02:20:37,631 INFO [STDOUT] default etypes for default_tkt_enctypes: 02:20:37,631 INFO [STDOUT] 3 02:20:37,631 INFO [STDOUT] 1 02:20:37,632 INFO [STDOUT] 23 02:20:37,632 INFO [STDOUT] 16 02:20:37,632 INFO [STDOUT] 17 02:20:37,633 INFO [STDOUT] 18 02:20:37,633 INFO [STDOUT] . 02:20:37,634 INFO [STDOUT] principal's key obtained from the keytab 02:20:37,635 INFO [STDOUT] Acquire TGT using AS Exchange 02:20:37,643 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes 02:20:37,645 INFO [STDOUT] default etypes for default_tkt_enctypes: 02:20:37,646 INFO [STDOUT] 3 02:20:37,646 INFO [STDOUT] 1 02:20:37,647 INFO [STDOUT] 23 02:20:37,648 INFO [STDOUT] 16 02:20:37,648 INFO [STDOUT] 17 02:20:37,649 INFO [STDOUT] 18 02:20:37,650 INFO [STDOUT] . 02:20:37,650 INFO [STDOUT] >>> KrbAsReq calling createMessage 02:20:37,650 INFO [STDOUT] >>> KrbAsReq in createMessage 02:20:37,664 INFO [STDOUT] >>> KrbKdcReq send: kdc=ks.scigems.org UDP:88, timeout=30000, number of retries =3, #bytes=169 02:20:37,741 INFO [STDOUT] >>> KDCCommunication: kdc=ks.scigems.org UDP:88, timeout=30000,Attempt =1, #bytes=169 02:20:37,753 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=274 02:20:37,754 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=274 02:20:37,755 INFO [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11 02:20:37,759 INFO [STDOUT] >>>KRBError: 02:20:37,760 INFO [STDOUT] cTime is Sun Sep 05 03:53:02 CEST 1976 210736382000 02:20:37,760 INFO [STDOUT] sTime is Sun Mar 01 02:20:37 CET 2009 1235870437000 02:20:37,760 INFO [STDOUT] suSec is 902837 02:20:37,761 INFO [STDOUT] error code is 25 02:20:37,763 INFO [STDOUT] error Message is Additional pre-authentication required 02:20:37,763 INFO [STDOUT] crealm is SCIGEMS.ORG 02:20:37,764 INFO [STDOUT] cname is host/server1.scigems.org 02:20:37,764 INFO [STDOUT] realm is SCIGEMS.ORG 02:20:37,765 INFO [STDOUT] sname is krbtgt/SCIGEMS.ORG 02:20:37,765 INFO [STDOUT] eData provided. 02:20:37,765 INFO [STDOUT] msgType is 30 02:20:37,767 INFO [STDOUT] >>>Pre-Authentication Data: 02:20:37,767 INFO [STDOUT] PA-DATA type = 2 02:20:37,767 INFO [STDOUT] PA-ENC-TIMESTAMP 02:20:37,769 INFO [STDOUT] >>>Pre-Authentication Data: 02:20:37,769 INFO [STDOUT] PA-DATA type = 19 02:20:37,770 INFO [STDOUT] PA-ETYPE-INFO2 etype = 18 02:20:37,770 INFO [STDOUT] >>>Pre-Authentication Data: 02:20:37,771 INFO [STDOUT] PA-DATA type = 13 02:20:37,771 INFO [STDOUT] KRBError received: NEEDED_PREAUTH 02:20:37,772 INFO [STDOUT] AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ 02:20:37,772 INFO [STDOUT] >>>KrbAsReq salt is SCIGEMS.ORGhostserver1.scigems.org 02:20:37,772 INFO [STDOUT] Pre-Authenticaton: find key for etype = 18 02:20:37,774 INFO [STDOUT] AS-REQ: Add PA_ENC_TIMESTAMP now 02:20:37,775 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType 02:20:38,016 INFO [STDOUT] >>> KrbAsReq calling createMessage 02:20:38,017 INFO [STDOUT] >>> KrbAsReq in createMessage 02:20:38,017 INFO [STDOUT] >>> KrbKdcReq send: kdc=ks.scigems.org UDP:88, timeout=30000, number of retries =3, #bytes=241 02:20:38,018 INFO [STDOUT] >>> KDCCommunication: kdc=ks.scigems.org UDP:88, timeout=30000,Attempt =1, #bytes=241 02:20:38,027 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=609 02:20:38,029 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=609 02:20:38,031 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType 02:20:38,035 INFO [STDOUT] >>> KrbAsRep cons in KrbAsReq.getReply host/server1.scigems.org 02:20:38,072 INFO [STDOUT] principal is host/server1.scigems.org@SCIGEMS.ORG 02:20:38,073 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 16 EA 98 02 F2 C4 51 9E 02:20:38,074 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$. 02:20:38,075 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g.. 0010: 64 FB EF 1A 97 45 4A B0 02:20:38,075 INFO [STDOUT] EncryptionKey: keyType=17 keyBytes (hex dump)=0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS 02:20:38,076 INFO [STDOUT] EncryptionKey: keyType=18 keyBytes (hex dump)=0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,. 0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>. 02:20:38,115 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=1 keyBytes (hex dump)= 0000: 16 EA 98 02 F2 C4 51 9E 02:20:38,122 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject 02:20:38,123 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=23 keyBytes (hex dump)= 0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$. 02:20:38,125 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject 02:20:38,126 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=16 keyBytes (hex dump)= 0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g.. 0010: 64 FB EF 1A 97 45 4A B0 02:20:38,126 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject 02:20:38,127 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=17 keyBytes (hex dump)= 0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS 02:20:38,127 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject 02:20:38,129 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=18 keyBytes (hex dump)= 0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,. 0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>. 02:20:38,135 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject 02:20:38,136 INFO [STDOUT] Commit Succeeded 02:20:38,263 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(18) 02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(1) 02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(23) 02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(16) 02:20:38,265 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(17) 02:20:38,296 INFO [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW 02:20:38,301 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType 02:20:38,306 ERROR [STDERR] Checksum failed ! 02:20:38,311 ERROR [SPNEGOLoginModule] Unable to authenticate GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:757) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:341) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:357) at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:616) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) at javax.security.auth.login.LoginContext.login(LoginContext.java:594) at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552) at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486) at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365) at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160) at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384) at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92) at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126) at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Thread.java:636) Caused by: KrbException: Checksum failed at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102) at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94) at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:176) at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278) at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:145) at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:103) at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:740) ... 36 more Caused by: java.security.GeneralSecurityException: Checksum failed at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:446) at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:269) at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76) at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100) ... 42 more 02:20:38,316 INFO [STDOUT] [Krb5LoginModule]: Entering logout 02:20:38,317 INFO [STDOUT] [Krb5LoginModule]: logged out Subject