1 Reply Latest reply on Mar 22, 2011 9:09 AM by soverbosch

Jboss negotiation - GSSException: Failure unspecified at GSS

asa951 Aug 4, 2009 6:37 AM

Hi,

I've downloaded and setup Jboss Negotiation as described in the manual, and although the basic negotiation and security domain test passes, I cannot get the secure servlet to working. I've reinstalled and redid the configuration from scratch, but to no avail.

AD server:
Win 2003

App Server:
jboss-5.0.1.GA (tried with 5.1.0 GA with the same results)
jdk1.6.0_14
winxp

Client:
IE7

I would really appreciate if somebody can have a look, since I've come to a dead end and seeing no way out of it.

Thanks,
Asa

The log file: (sorry about it being so long)

15:32:12,017 TRACE [SecurityRolesAssociation] Setting threadlocal:{}
15:32:17,470 DEBUG [arjLogger] StatusModule: first pass
15:32:17,486 TRACE [JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.secur
ity.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
15:32:17,486 DEBUG [txojLoggerI18N] [com.arjuna.ats.internal.txoj.recovery.TORecoveryModule_3] - TORecoveryModule - first pass
15:32:17,486 TRACE [NegotiationAuthenticator] Authenticating user
15:32:17,486 DEBUG [loggerI18N] [com.arjuna.ats.internal.jta.recovery.info.firstpass] Local XARecoveryModule - first pass
15:32:17,486 DEBUG [NegotiationAuthenticator] Header - null
15:32:17,486 DEBUG [NegotiationAuthenticator] No Authorization Header, sending 401
15:32:17,501 TRACE [SecurityRolesAssociation] Setting threadlocal:null
15:32:17,501 TRACE [SecurityRolesAssociation] Setting threadlocal:null
15:32:17,517 TRACE [SecurityRolesAssociation] Setting threadlocal:{}
15:32:17,517 TRACE [JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.secur
ity.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
15:32:17,533 TRACE [NegotiationAuthenticator] Authenticating user
15:32:17,533 DEBUG [NegotiationAuthenticator] Header - Negotiate YIIE3gYGKwYBBQUCoIIE0jCCBM6gJDAiBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICCqKCBKQEg
..
..
bPXVIWJPGwz/sqTVPanQ8JnGaqzF8eP3gB+N02a+aFL1w=
15:32:17,579 TRACE [Hex] 0x60 0x82 0x04 0xde 0x06 0x06 0x2b 0x06 0x01 0x05 0x05 0x02 0xa0 0x82 0x04 0xd2 0x30 0x82 0x04 0xce 0xa0 0x24 0x30 0x22 0x06
..
..
0xfb 0x2a 0x4d 0x53 0xda 0x9d 0x0f 0x09 0x9c 0x66 0xaa 0xcc 0x5f 0x1e 0x3f 0x78 0x01 0xf8 0xdd 0x36 0x6b 0xe6 0x85 0x2f 0x5c
15:32:17,642 DEBUG [NegotiationAuthenticator] Creating new NegotiationContext
15:32:17,642 TRACE [NegotiationContext] associate 4801672
15:32:17,658 TRACE [SPNEGO] Begin isValid, principal:663114DA6CEA65A4B3ED20F84D1D2E93, cache info: null
15:32:17,658 TRACE [SPNEGO] defaultLogin, principal=663114DA6CEA65A4B3ED20F84D1D2E93
15:32:17,658 TRACE [XMLLoginConfigImpl] Begin getAppConfigurationEntry(SPNEGO), size=12
15:32:17,658 TRACE [XMLLoginConfigImpl] End getAppConfigurationEntry(SPNEGO), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.negotiation.spnego.SPNEGOLoginModule
ControlFlag: LoginModuleControlFlag: requisite
Options:
name=serverSecurityDomain, value=host
name=password-stacking, value=useFirstPass

15:32:17,673 TRACE [SPNEGOLoginModule] initialize
15:32:17,673 TRACE [SPNEGOLoginModule] Security domain: SPNEGO
15:32:17,673 DEBUG [SPNEGOLoginModule] serverSecurityDomain=host
15:32:17,673 TRACE [SPNEGOLoginModule] login
15:32:17,673 TRACE [XMLLoginConfigImpl] Begin getAppConfigurationEntry(host), size=12
15:32:17,673 TRACE [XMLLoginConfigImpl] End getAppConfigurationEntry(host), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: com.sun.security.auth.module.Krb5LoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=principal, value=HOST/javauser@MY.DOMAIN
name=useKeyTab, value=true
name=storeKey, value=true
name=keyTab, value=P:/JBoss/jboss-5.0.1.GA/server/default/conf/keytabs/javauser.host.keytab
name=useTicketCache, value=false
name=debug, value=true
name=refreshKrb5Config, value=true
name=doNotPrompt, value=true

15:32:17,704 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true Key
Tab is P:/JBoss/jboss-5.0.1.GA/server/default/conf/keytabs/javauser.host.keytab refreshKrb5Config is true principal is HOST/javauser@MY.DOMAIN tryFirs
tPass is false useFirstPass is false storePass is false clearPass is false
15:32:17,704 INFO [STDOUT] Refreshing Kerberos configuration
15:32:17,704 INFO [STDOUT] Refreshing Keytab
15:32:17,720 INFO [STDOUT] >>> KeyTabInputStream, readName(): MY.DOMAIN
15:32:17,720 INFO [STDOUT] >>> KeyTabInputStream, readName(): HOST
15:32:17,720 INFO [STDOUT] >>> KeyTabInputStream, readName(): javauser
15:32:17,720 INFO [STDOUT] >>> KeyTab: load() entry length: 58; type: 23
15:32:17,720 INFO [STDOUT] Added key: 23version: 16
15:32:17,720 INFO [STDOUT] Ordering keys wrt default_tkt_enctypes list
15:32:17,720 INFO [STDOUT] default etypes for default_tkt_enctypes:
15:32:17,736 INFO [STDOUT] 23
15:32:17,736 INFO [STDOUT] .
15:32:17,736 INFO [STDOUT] 0: EncryptionKey: keyType=23 kvno=16 keyValue (hex dump)=
0000: 91 FF 0F B9 48 16 7E B4 D0 80 B5 33 06 86 C0 2F ....H......3.../
15:32:17,736 INFO [STDOUT] principal's key obtained from the keytab
15:32:17,736 INFO [STDOUT] Acquire TGT using AS Exchange
15:32:17,751 INFO [STDOUT] default etypes for default_tkt_enctypes:
15:32:17,751 INFO [STDOUT] 23
15:32:17,751 INFO [STDOUT] .
15:32:17,751 INFO [STDOUT] >>> KrbAsReq calling createMessage
15:32:17,751 INFO [STDOUT] >>> KrbAsReq in createMessage
15:32:17,751 INFO [STDOUT] >>> KrbKdcReq send: kdc=cmbdc UDP:88, timeout=30000, number of retries =3, #bytes=137
15:32:17,767 INFO [STDOUT] >>> KDCCommunication: kdc=cmbdc UDP:88, timeout=30000,Attempt =1, #bytes=137
15:32:17,783 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=144
15:32:17,783 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=144
15:32:17,783 INFO [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11
15:32:17,783 INFO [STDOUT] >>>KRBError:
15:32:17,783 INFO [STDOUT] sTime is Tue Aug 04 15:32:17 IST 2009 1249380137000
15:32:17,783 INFO [STDOUT] suSec is 958551
15:32:17,798 INFO [STDOUT] error code is 25
15:32:17,798 INFO [STDOUT] error Message is Additional pre-authentication required
15:32:17,798 INFO [STDOUT] realm is MY.DOMAIN
15:32:17,798 INFO [STDOUT] sname is krbtgt/MY.DOMAIN
15:32:17,798 INFO [STDOUT] eData provided.
15:32:17,798 INFO [STDOUT] msgType is 30
15:32:17,798 INFO [STDOUT] >>>Pre-Authentication Data:
15:32:17,798 INFO [STDOUT] PA-DATA type = 11
15:32:17,814 INFO [STDOUT] PA-ETYPE-INFO etype = 23
15:32:17,814 INFO [STDOUT] >>>Pre-Authentication Data:
15:32:17,814 INFO [STDOUT] PA-DATA type = 2
15:32:17,814 INFO [STDOUT] PA-ENC-TIMESTAMP
15:32:17,814 INFO [STDOUT] >>>Pre-Authentication Data:
15:32:17,814 INFO [STDOUT] PA-DATA type = 15
15:32:17,814 INFO [STDOUT] AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
15:32:17,829 INFO [STDOUT] Pre-Authenticaton: find key for etype = 23
15:32:17,829 INFO [STDOUT] AS-REQ: Add PA_ENC_TIMESTAMP now
15:32:17,814 INFO [STDOUT] >>>KrbAsReq salt is MY.DOMAINHOSTjavauser
15:32:17,829 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
15:32:17,829 INFO [STDOUT] >>> KrbAsReq calling createMessage
15:32:17,829 INFO [STDOUT] >>> KrbAsReq in createMessage
15:32:17,829 INFO [STDOUT] >>> KrbKdcReq send: kdc=cmbdc UDP:88, timeout=30000, number of retries =3, #bytes=220
15:32:17,845 INFO [STDOUT] >>> KDCCommunication: kdc=cmbdc UDP:88, timeout=30000,Attempt =1, #bytes=220
15:32:17,845 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=1218
15:32:17,845 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=1218
15:32:17,845 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
15:32:17,845 INFO [STDOUT] >>> KrbAsRep cons in KrbAsReq.getReply HOST/javauser
15:32:17,845 INFO [STDOUT] principal is HOST/javauser@MY.DOMAIN
15:32:17,845 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 91 FF 0F B9 48 16 7E B4 D0 80 B5 33 06 86 C0 2F ....H......3.../
15:32:17,861 INFO [STDOUT] Added server's keyKerberos Principal HOST/javauser@MY.DOMAINKey Version 16key EncryptionKey: keyType=23 keyBytes (hex dump
)=
0000: 91 FF 0F B9 48 16 7E B4 D0 80 B5 33 06 86 C0 2F ....H......3.../
15:32:17,861 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HOST/javauser@MY.DOMAIN to Subject
15:32:17,861 INFO [STDOUT] Commit Succeeded
15:32:17,861 DEBUG [SPNEGOLoginModule] Subject = Subject:
Principal: HOST/javauser@MY.DOMAIN
Private Credential: Ticket (hex) =
0000: 61 82 03 85 30 82 03 81 A0 03 02 01 05 A1 0B 1B a...0...........
...
....
0380: 2C C8 7A 75 FE 68 A5 81 F4 ,.zu.h...

Client Principal = HOST/javauser@MY.DOMAIN
Server Principal = krbtgt/MY.DOMAIN@MY.DOMAIN
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: E8 01 B9 F8 84 29 31 80 A5 80 11 09 49 3A 22 55 .....)1.....I:"U

Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue Aug 04 15:32:17 IST 2009
Start Time = Tue Aug 04 15:32:17 IST 2009
End Time = Wed Aug 05 01:32:17 IST 2009
Renew Till = null
Client Addresses Null
Private Credential: Kerberos Principal HOST/javauser@MY.DOMAINKey Version 16key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 91 FF 0F B9 48 16 7E B4 D0 80 B5 33 06 86 C0 2F ....H......3.../

15:32:18,001 DEBUG [SPNEGOLoginModule] Logged in 'host' LoginContext
15:32:18,001 TRACE [SPNEGOLoginModule] Result - false
15:32:18,001 INFO [STDOUT] [Krb5LoginModule]: Entering logout
15:32:18,001 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
15:32:18,001 TRACE [SPNEGOLoginModule] super.loginOk false
15:32:18,017 TRACE [SPNEGOLoginModule] abort
15:32:18,017 TRACE [SPNEGO] Login failure
javax.security.auth.login.LoginException: Continuation Required.
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:161)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
15:32:18,064 TRACE [SPNEGO] End isValid, false
15:32:18,064 TRACE [Base64] oRQwEqADCgEBoQsGCSqGSIb3EgECAg==
15:32:18,064 TRACE [NegotiationContext] clear 4801672
15:32:18,064 TRACE [SecurityRolesAssociation] Setting threadlocal:null
15:32:18,079 TRACE [SecurityRolesAssociation] Setting threadlocal:null
15:32:18,079 TRACE [SecurityRolesAssociation] Setting threadlocal:{}
15:32:18,079 TRACE [JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.secur
ity.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
15:32:18,079 TRACE [NegotiationAuthenticator] Authenticating user
15:32:18,079 DEBUG [NegotiationAuthenticator] Header - Negotiate oYIErDCCBKiiggSkBIIEoGCCBJwGCSqGSIb3EgECAgEAboIEizCCBIegAwIBBaEDAgEOogcDBQAgAAAAo4IDt
...
..
mcwWQ6DvPs8quun311lSBMU8E5Gey/euaZDKpB18oJNRkoeZaN95N1UvMgy8/Lz/5mjM1qun5l3+/GcpgCaQxZRgEk+T/6EQropSfXxdI7l+oix+iM4tHlQAAwdwfYLx
15:32:18,126 TRACE [Hex] 0xa1 0x82 0x04 0xac 0x30 0x82 0x04 0xa8 0xa2 0x82 0x04 0xa4 0x04 0x82 0x04 0xa0 0x60 0x82 0x04 0x9c 0x06 0x09 0x2a 0x86 0x48
...
...
0x26 0x90 0xc5 0x94 0x60 0x12 0x4f 0x93 0xff 0xa1 0x10 0xae 0x8a 0x52 0x7d 0x7c 0x5d 0x23 0xb9 0x7e 0xa2 0x2c 0x7e 0x88 0xce 0x2d 0x1e 0x54 0x00 0x03
0x07 0x70 0x7d 0x82 0xf1
15:32:18,220 TRACE [NegotiationContext] associate 4801672
15:32:18,220 TRACE [SPNEGO] Begin isValid, principal:663114DA6CEA65A4B3ED20F84D1D2E93, cache info: null
15:32:18,220 TRACE [SPNEGO] defaultLogin, principal=663114DA6CEA65A4B3ED20F84D1D2E93
15:32:18,220 TRACE [XMLLoginConfigImpl] Begin getAppConfigurationEntry(SPNEGO), size=12
15:32:18,220 TRACE [XMLLoginConfigImpl] End getAppConfigurationEntry(SPNEGO), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.negotiation.spnego.SPNEGOLoginModule
ControlFlag: LoginModuleControlFlag: requisite
Options:
name=serverSecurityDomain, value=host
name=password-stacking, value=useFirstPass

15:32:18,236 TRACE [SPNEGOLoginModule] initialize
15:32:18,236 TRACE [SPNEGOLoginModule] Security domain: SPNEGO
15:32:18,251 DEBUG [SPNEGOLoginModule] serverSecurityDomain=host
15:32:18,251 TRACE [SPNEGOLoginModule] login
15:32:18,251 TRACE [XMLLoginConfigImpl] Begin getAppConfigurationEntry(host), size=12
15:32:18,251 TRACE [XMLLoginConfigImpl] End getAppConfigurationEntry(host), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: com.sun.security.auth.module.Krb5LoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=principal, value=HOST/javauser@MY.DOMAIN
name=useKeyTab, value=true
name=storeKey, value=true
name=keyTab, value=P:/JBoss/jboss-5.0.1.GA/server/default/conf/keytabs/javauser.host.keytab
name=useTicketCache, value=false
name=debug, value=true
name=refreshKrb5Config, value=true
name=doNotPrompt, value=true

15:32:18,283 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true Key
Tab is P:/JBoss/jboss-5.0.1.GA/server/default/conf/keytabs/javauser.host.keytab refreshKrb5Config is true principal is HOST/javauser@MY.DOMAIN tryFirs
tPass is false useFirstPass is false storePass is false clearPass is false
15:32:18,283 INFO [STDOUT] Refreshing Kerberos configuration
15:32:18,298 INFO [STDOUT] Refreshing Keytab
15:32:18,298 INFO [STDOUT] >>> KeyTabInputStream, readName(): MY.DOMAIN
15:32:18,298 INFO [STDOUT] >>> KeyTabInputStream, readName(): HOST
15:32:18,298 INFO [STDOUT] >>> KeyTabInputStream, readName(): javauser
15:32:18,298 INFO [STDOUT] >>> KeyTab: load() entry length: 58; type: 23
15:32:18,298 INFO [STDOUT] Added key: 23version: 16
15:32:18,298 INFO [STDOUT] Ordering keys wrt default_tkt_enctypes list
15:32:18,298 INFO [STDOUT] default etypes for default_tkt_enctypes:
15:32:18,314 INFO [STDOUT] 23
15:32:18,314 INFO [STDOUT] .
15:32:18,314 INFO [STDOUT] 0: EncryptionKey: keyType=23 kvno=16 keyValue (hex dump)=
0000: 91 FF 0F B9 48 16 7E B4 D0 80 B5 33 06 86 C0 2F ....H......3.../
15:32:18,314 INFO [STDOUT] principal's key obtained from the keytab
15:32:18,314 INFO [STDOUT] Acquire TGT using AS Exchange
15:32:18,314 INFO [STDOUT] default etypes for default_tkt_enctypes:
15:32:18,314 INFO [STDOUT] 23
15:32:18,329 INFO [STDOUT] .
15:32:18,329 INFO [STDOUT] >>> KrbAsReq calling createMessage
15:32:18,329 INFO [STDOUT] >>> KrbAsReq in createMessage
15:32:18,329 INFO [STDOUT] >>> KrbKdcReq send: kdc=cmbdc UDP:88, timeout=30000, number of retries =3, #bytes=137
15:32:18,329 INFO [STDOUT] >>> KDCCommunication: kdc=cmbdc UDP:88, timeout=30000,Attempt =1, #bytes=137
15:32:18,329 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=144
15:32:18,329 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=144
15:32:18,345 INFO [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11
15:32:18,345 INFO [STDOUT] >>>KRBError:
15:32:18,345 INFO [STDOUT] sTime is Tue Aug 04 15:32:18 IST 2009 1249380138000
15:32:18,345 INFO [STDOUT] suSec is 505426
15:32:18,345 INFO [STDOUT] error code is 25
15:32:18,345 INFO [STDOUT] error Message is Additional pre-authentication required
15:32:18,345 INFO [STDOUT] realm is MY.DOMAIN
15:32:18,345 INFO [STDOUT] sname is krbtgt/MY.DOMAIN
15:32:18,361 INFO [STDOUT] eData provided.
15:32:18,361 INFO [STDOUT] msgType is 30
15:32:18,361 INFO [STDOUT] >>>Pre-Authentication Data:
15:32:18,361 INFO [STDOUT] PA-DATA type = 11
15:32:18,361 INFO [STDOUT] PA-ETYPE-INFO etype = 23
15:32:18,361 INFO [STDOUT] >>>Pre-Authentication Data:
15:32:18,361 INFO [STDOUT] PA-DATA type = 2
15:32:18,361 INFO [STDOUT] PA-ENC-TIMESTAMP
15:32:18,376 INFO [STDOUT] >>>Pre-Authentication Data:
15:32:18,376 INFO [STDOUT] PA-DATA type = 15
15:32:18,376 INFO [STDOUT] AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
15:32:18,376 INFO [STDOUT] >>>KrbAsReq salt is MY.DOMAINHOSTjavauser
15:32:18,376 INFO [STDOUT] Pre-Authenticaton: find key for etype = 23
15:32:18,376 INFO [STDOUT] AS-REQ: Add PA_ENC_TIMESTAMP now
15:32:18,376 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
15:32:18,392 INFO [STDOUT] >>> KrbAsReq calling createMessage
15:32:18,392 INFO [STDOUT] >>> KrbAsReq in createMessage
15:32:18,392 INFO [STDOUT] >>> KrbKdcReq send: kdc=cmbdc UDP:88, timeout=30000, number of retries =3, #bytes=220
15:32:18,392 INFO [STDOUT] >>> KDCCommunication: kdc=cmbdc UDP:88, timeout=30000,Attempt =1, #bytes=220
15:32:18,392 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=1218
15:32:18,392 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=1218
15:32:18,408 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
15:32:18,408 INFO [STDOUT] >>> KrbAsRep cons in KrbAsReq.getReply HOST/javauser
15:32:18,408 INFO [STDOUT] principal is HOST/javauser@MY.DOMAIN
15:32:18,408 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 91 FF 0F B9 48 16 7E B4 D0 80 B5 33 06 86 C0 2F ....H......3.../
15:32:18,408 INFO [STDOUT] Added server's keyKerberos Principal HOST/javauser@MY.DOMAINKey Version 16key EncryptionKey: keyType=23 keyBytes (hex dump
)=
0000: 91 FF 0F B9 48 16 7E B4 D0 80 B5 33 06 86 C0 2F ....H......3.../
15:32:18,423 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal HOST/javauser@TTCMB.LAN to Subject
15:32:18,423 INFO [STDOUT] Commit Succeeded
15:32:18,439 DEBUG [SPNEGOLoginModule] Subject = Subject:
Principal: HOST/javauser@TTCMB.LAN
Private Credential: Ticket (hex) =
0000: 61 82 03 85 30 82 03 81 A0 03 02 01 05 A1 0B 1B a...0...........
..
..
0380: 3A 7B CE F3 79 66 2B 1C 1D :...yf+..

Client Principal = HOST/javauser@TTCMB.LAN
Server Principal = krbtgt/TTCMB.LAN@TTCMB.LAN
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 84 31 AF 24 FC D9 16 D0 E5 4D 88 1B 70 C4 8A DD .1.$.....M..p...

Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue Aug 04 15:32:18 IST 2009
Start Time = Tue Aug 04 15:32:18 IST 2009
End Time = Wed Aug 05 01:32:18 IST 2009
Renew Till = null
Client Addresses Null
Private Credential: Kerberos Principal HOST/javauser@TTCMB.LANKey Version 16key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 91 FF 0F B9 48 16 7E B4 D0 80 B5 33 06 86 C0 2F ....H......3.../

15:32:18,579 DEBUG [SPNEGOLoginModule] Logged in 'host' LoginContext
15:32:18,579 DEBUG [SPNEGOLoginModule] Creating new GSSContext.
15:32:18,579 INFO [STDOUT] Found key for HOST/javauser@TTCMB.LAN(23)
15:32:18,579 INFO [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW
15:32:18,579 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
15:32:18,579 ERROR [STDERR] Checksum failed !
15:32:18,595 TRACE [SPNEGOLoginModule] Result - GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
15:32:18,595 ERROR [SPNEGOLoginModule] Unable to authenticate
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:337)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
at sun.security.krb5.KrbApReq.(KrbApReq.java:134)
at sun.security.jgss.krb5.InitSecContextToken.(InitSecContextToken.java:79)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
... 35 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
... 41 more
15:32:18,673 INFO [STDOUT] [Krb5LoginModule]: Entering logout
15:32:18,673 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
15:32:18,673 TRACE [SPNEGOLoginModule] abort
15:32:18,673 TRACE [SPNEGO] Login failure
javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
15:32:18,736 TRACE [SPNEGO] End isValid, false
15:32:18,736 TRACE [NegotiationContext] clear 4801672
15:32:18,736 TRACE [SecurityRolesAssociation] Setting threadlocal:null
15:32:18,736 TRACE [SecurityRolesAssociation] Setting threadlocal:null

1. Jboss negotiation - GSSException: Failure unspecified at GSS

soverbosch Mar 22, 2011 9:09 AM (in response to asa951)

Did you ever found the solution for this problem, as I am facing the same problem and are at the point of exploding :S
Actions