3 Replies Latest reply on May 3, 2011 5:50 AM by soverbosch

Windows 7 and IE8 negotiation toolkit problem

soverbosch Apr 29, 2011 10:03 AM

Hi All,

I've got a working negotiation toolkit setup, at least it is working when using a IE from Windows XP. When I started using IE8 from Windows 7 the application failed when calling the http://jbossserver:8888/jboss-negotiation-toolkit/Secured. The symptom is that I end up with an empty page, fiddler shows me that two times a 401 is returned by the server and the third time a 200 is returned. But I expect an unauthorized message (because the setup is not having the roles needed for the secured page to be showed).

When I use the seam application in which I implemented the filter then I get the message:

java.io.IOException: Unexpected message type

at org.jboss.security.negotiation.spnego.encoding.NegTokenTargDecoder.decodeNegTokenTargSequence(NegTokenTargDecoder.java:111)

at org.jboss.security.negotiation.spnego.encoding.NegTokenTargDecoder.decode(NegTokenTargDecoder.java:126)

at org.jboss.security.negotiation.spnego.SPNEGOMessageFactory.createMessage(SPNEGOMessageFactory.java:73)

at org.jboss.security.negotiation.DelegatingMessageFactory.createMessage(DelegatingMessageFactory.java:61)

at com.company.web.framework.SpnegoFilter.doSPNEGOAuthorization(SpnegoFilter.java:130)

So my question to you is, does somebody have this setup Windows 7 and IE8 setup and is able to do all toolkit steps succesfully, for me the third is failing. (and according to my application it is failing because the received message is incorrect, for the toolkit I don't get any error messages so you would think it is working but when stepping in debug mode through the code it also fails at the same location but probably the exception is swallowed somewhere) Any help would be appriciated.

1. Windows 7 and IE8 negotiation toolkit problem

goc May 2, 2011 8:03 AM (in response to soverbosch)

It seems you can't decrypt the Kerberos tickets.
Did you create the server's keytab-file correctly?

setspn.exe -a host/yourserver youruser
setspn.exe -a HTTP/yourserver youruser
ktpass -princ HTTP/yourserver@REALM -pass * -mapuser DOMAIN\youruser -out c:\jboss.keytab
...
Actions
2. Windows 7 and IE8 negotiation toolkit problem

soverbosch May 2, 2011 8:13 AM (in response to goc)

Yes I did, I say this because it is working in a Windows XP with IE8 environment without any problems. When starting to use Windows 7 with IE8 then suddenly the problem arose. First the complete negotiation didn't work but after defining the ecnryption types which can be used by Kerberos in the local security setting then this problem occurs. Secondly it is the last message which fails so there has been already some encryption/decryption done before this message is received. After this message the user would be given access rights to the application.
Actions
3. Windows 7 and IE8 negotiation toolkit problem

soverbosch May 3, 2011 5:50 AM (in response to soverbosch)

When someone else is having the same problem then this is what I did to solve it:

The problem with kerberos and windows 7 in combination with IE8 is    solved. The problem consisted of two problems (at least for the    Windows 7 pc I got to test):

    1) There where no encryption types defined for Kerberos. To define    the encryption type open "Local Security Policy" program    (secpol.msc) and navigate to the following place:
            Security Setting -> Local Policies -> Security Options
        then double click the entry "Network Security: Configure    encryption types allowed for Kerberos" and select RC4_HMAC_MD5
    2) There was a change in the message structure when Windows    Vista/Windows 7 was released which caused the negotiation to fail.    For this I had to place a newer version of jboss-negotiation.jar    (SP3) in the common library directory of the jboss server    (5.1.0.GA) installation.
Actions

Go to original post