Problems with SPNEGO
antei Aug 1, 2008 11:53 AM
I have carefully read the manual (User Guide for JBoss Negotiation) and set up the test network for using SPNEGO:
- 1st host - Windows 2003 Adv Server (Active Directory and DNS)
- 2nd host - Windows 2003 Adv Server (jboss-4.2.2.GA with all needed modules and negotiation toolkit)
- 3rd host - Windows XP (just for accessing from browser)
Then I tried to run Negotiation Toolkit. Results:
- Basic Negotiation - passed
- Security Domain Test - passed
- Secured - failed
Could you explain to me what the problem is?
Thanks in advance!
The stack trace on JBoss was:
2008-08-01 16:41:52,621 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Logged in 'host' LoginContext
2008-08-01 16:41:52,621 INFO [STDOUT] [Krb5LoginModule]: Entering logout
2008-08-01 16:41:52,636 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
2008-08-01 16:41:52,636 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[]
2008-08-01 16:41:52,636 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[Administrator@MYDOMAIN.COM]
2008-08-01 16:41:52,636 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] authenticated principal = null
2008-08-01 16:41:52,652 INFO [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] Header - Negotiate oYIJszCCCa+iggmrBIIJp2CCCaMGCSqGSIb3EgECAgEAboIJkjCCCY6gAwIBBaEDAgEOogcDBQAgAAAAo4IDzWGCA8kwggPFoAMCAQWhDhsMTVlET01BSU4uQ09NoiowKKADAgECoSEwHxsESFRUUBsXdGVzdHNlcnZlci5teWRvbWFpbi5jb22jggOAMIIDfKADAgEXoQMCAQOiggNuBIIDao5og
2008-08-01 16:41:52,775 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] serverSecurityDomain=host
2008-08-01 16:41:52,775 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/testserver.host.keytab refreshKrb5Config is false principal is host/testserver@MYDOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2008-08-01 16:41:52,791 INFO [STDOUT] principal's key obtained from the keytab
2008-08-01 16:41:52,806 INFO [STDOUT] Acquire TGT using AS Exchange
2008-08-01 16:41:52,806 INFO [STDOUT] principal is host/testserver@MYDOMAIN.COM
2008-08-01 16:41:52,822 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 83 B4 91 86 A1 5A E7 91 F1 1B B0 29 FB 59 A2 06 .....Z.....).Y..
2008-08-01 16:41:52,822 INFO [STDOUT] Added server's keyKerberos Principal host/testserver@MYDOMAIN.COMKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)= 0000: 83 B4 91 86 A1 5A E7 91 F1 1B B0 29 FB 59 A2 06 .....Z.....).Y..
2008-08-01 16:41:52,837 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/testserver@MYDOMAIN.COM to Subject
2008-08-01 16:41:52,837 INFO [STDOUT] Commit Succeeded
2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Subject = Subject:
    Principal: host/testserver@MYDOMAIN.COM
    Private Credential: Ticket (hex) =
    Client Principal = host/testserver@MYDOMAIN.COM
    Server Principal = krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
    Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)= 0000: 92 C3 CB F8 67 D8 31 B9 FE E8 68 7A 0C E7 67 74 ....g.1...hz..gt
    Forwardable Ticket false
    Forwarded Ticket false
    Proxiable Ticket false
    Proxy Ticket false
    Postdated Ticket false
    Renewable Ticket false
    Initial Ticket false
    Auth Time = Fri Aug 01 16:42:01 EEST 2008
    Start Time = Fri Aug 01 16:42:01 EEST 2008
    End Time = Sat Aug 02 02:42:01 EEST 2008
    Renew Till = null
    Client Addresses Null
    Private Credential: Kerberos Principal host/testserver@MYDOMAIN.COMKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)= 0000: 83 B4 91 86 A1 5A E7 91 F1 1B B0 29 FB 59 A2 06 .....Z.....).Y..
2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Logged in 'host' LoginContext
2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Creating new GSSContext.
2008-08-01 16:41:52,868 ERROR [STDERR] Checksum failed !
2008-08-01 16:41:52,868 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Unable to authenticate
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:295)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:337)
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
    at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
    at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
    at java.lang.Thread.run(Thread.java:619)
Caused by: KrbException: Checksum failed
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
    at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
    ... 32 more
Caused by: java.security.GeneralSecurityException: Checksum failed
    at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
    at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
    at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
    ... 38 more
2008-08-01 16:41:53,038 INFO [STDOUT] [Krb5LoginModule]: Entering logout
2008-08-01 16:41:53,038 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
2008-08-01 16:41:53,038 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[]
2008-08-01 16:41:53,053 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[Administrator@MYDOMAIN.COM]
2008-08-01 16:41:53,053 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] authenticated principal = null
2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.arjuna.logging.arjLogger] Periodic recovery - first pass <Fri, 1 Aug 2008 16:42:48>
2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.arjuna.logging.arjLogger] StatusModule: first pass
2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.txoj.logging.txojLoggerI18N] [com.arjuna.ats.internal.txoj.recovery.TORecoveryModule_3] - TORecoveryModule - first pass