Hi All
I am stuck with this problem for last many days and am finding it increasingly difficult to solve it.
I am trying to configure SSO on my application deployed on JBoss (4.2.2) for windows 2000 ADS using Kerberos. I have done all the configurations given in the Negotiation_User_Guide_(en-US).pdf and now trying to test my configuration using the Negotiation Toolkit. Following are the issues I am seeing-
1) When I access the negotiation toolkit application from the JBoss server machine itself, the Basic Negotiation test fails with the message given below. However, note that the test succeeds when I access the toolkit application from some other machine
Warning, this is NTLM, only SPNEGO is supported!
2) I am unable to get the Secured test passed from any machine (including the JBoss server). It gives me HTTP 401 error with the description-
This request requires HTTP authentication ().
The log that I see in JBoss server log is different when I access the toolkit test servlet from JBoss server machine and from any other machine. Here's the exception I am seeing in the JBoss server log when I access the test servlet from JBoss server machine-
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2010-07-01 20:47:01,819 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] abort 2010-07-01 20:47:01,835 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@14297215 2010-07-01 20:47:01,835 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: SPNEGO 2010-07-01 20:47:01,835 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null 2010-07-01 20:47:01,835 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/E:/JBOSS_ROHIT/jboss-4.2.2.GA/server/tdemand/conf/props/spnego-users.properties, defaults=null 2010-07-01 20:47:01,851 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[neelesh_korade@PERSISTENT.CO.IN] 2010-07-01 20:47:01,851 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null 2010-07-01 20:47:01,851 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/E:/JBOSS_ROHIT/jboss-4.2.2.GA/server/tdemand/conf/props/spnego-roles.properties, defaults=null 2010-07-01 20:47:01,851 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[neelesh_korade@PERSISTENT.CO.IN] 2010-07-01 20:47:01,851 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort 2010-07-01 20:47:01,866 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] Login failure javax.security.auth.login.LoginException: Unsupported negotiation mechanism 'NTLM'. at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:111) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:579) at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603) at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537) at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344) at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491) at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:595) 2010-07-01 20:47:01,882 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] End isValid, false 2010-07-01 20:47:01,882 TRACE [org.jboss.security.negotiation.common.NegotiationContext] clear 14238537 2010-07-01 20:47:01,882 TRACE [org.jboss.security.SecurityAssociation] clear, server=true ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- And following is the log that I see when I access the test servlet from any other machine-
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
2010-07-01 20:51:35,571 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Logged in 'host' LoginContext 2010-07-01 20:51:35,571 INFO [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_IN_PROCESS 2010-07-01 20:51:35,571 INFO [STDOUT] 2 2010-07-01 20:51:35,571 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Result - java.lang.NullPointerException 2010-07-01 20:51:35,571 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Unable to authenticate java.lang.NullPointerException at sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:95) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:312) at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246) at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294) at javax.security.auth.Subject.doAs(Subject.java:337) at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:579) at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603) at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537) at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344) at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491) at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) 2010-07-01 20:51:35,587 INFO [STDOUT] [Krb5LoginModule]: Entering logout 2010-07-01 20:51:35,587 INFO [STDOUT] [Krb5LoginModule]: logged out Subject 2010-07-01 20:51:35,587 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] abort 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@16410353 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: SPNEGO 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/E:/JBOSS_ROHIT/jboss-4.2.2.GA/server/tdemand/conf/props/spnego-users.properties, defaults=null 2010-07-01 20:51:35,587 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[neelesh_korade@PERSISTENT.CO.IN] 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/E:/JBOSS_ROHIT/jboss-4.2.2.GA/server/tdemand/conf/props/spnego-roles.properties, defaults=null 2010-07-01 20:51:35,587 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[neelesh_korade@PERSISTENT.CO.IN] 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort 2010-07-01 20:51:35,587 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] Login failure javax.security.auth.login.LoginException: Unable to authenticate - null at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:585) at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) at javax.security.auth.login.LoginContext.login(LoginContext.java:579) at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603) at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537) at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344) at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491) at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) at java.lang.Thread.run(Thread.java:595) 2010-07-01 20:51:35,587 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] End isValid, false 2010-07-01 20:51:35,587 TRACE [org.jboss.security.negotiation.common.NegotiationContext] clear 15040729 2010-07-01 20:51:35,587 TRACE [org.jboss.security.SecurityAssociation] clear, server=true -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
I am really at a loss in figuring out the issue and a fix. Could anyone help me with this? Let me know if you need any additional details to help me identify the problem.
Thanks much
-Neelesh