-
1. Re: Configure AS7 to authenticate users with kerberos
dlofthouse Sep 29, 2011 7:08 AM (in response to fremak)
Are you familiar with the KDC side of the configuration to obtain a valid keytab for your AS installation?
The AS-specific configuration is in this article:
-
2. Re: Configure AS7 to authenticate users with kerberos
fremak Sep 29, 2011 9:51 AM (in response to dlofthouse)
Thanks for your answer Darran,
I started studying how Kerberos works, so I read this document: http://www.kerberos.org/software/tutorial.html
If I understood correctly, in order to have an instance of JBoss authenticating with Kerberos, we should register the AS as a service handled by the KDC. It's the only way Kerberos works, right?
thanks again
fil
-
3. Re: Configure AS7 to authenticate users with kerberos
dlofthouse Sep 30, 2011 7:59 AM (in response to fremak)
Is your Kerberos server Windows or something else like an MIT KDC? If I know which one you are looking at I can point you to some docs that cover it further.
You are correct in that the AS7 server needs to have a principal assigned to it; this needs to be mapped to a service principal for it to be able to handle requests. As part of the negotiation, as the connection is made, the client retrieves a ticket from the KDC for the expected identity of the server, so as the negotiation messages are exchanged both the client and the server verify each other.
-
4. Re: Configure AS7 to authenticate users with kerberos
anikolaev71 Jan 4, 2012 4:48 PM (in response to dlofthouse)
I think JBoss will be better if there is comprehensive documentation on the Kerberos setup. From A-Z.... I've been working on this for a couple of days and must tell you it is not a picnic. The hardest part in my case is to get the Linux box connected to the KDC. I've got that done and now am stuck on the SPNEGO piece.
I'll be happy to contribute if anyone helps resolve the issue.
Do you have any idea what 'Mechanism level: Checksum failed' means?
13:14:57,898 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-0.0.0.0-8082-1) Unable to authenticate: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741) [:1.6.0_10]
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323) [:1.6.0_10]
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267) [:1.6.0_10]
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:396) [jboss-negotiation-2.2.0.Beta3.jar:2.2.0.Beta3]
    at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_10]
    at javax.security.auth.Subject.doAs(Subject.java:337) [:1.6.0_10]
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:237) [jboss-negotiation-2.2.0.Beta3.jar:2.2.0.Beta3]
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:194) [jboss-negotiation-2.2.0.Beta3.jar:2.2.0.Beta3]
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:137) [jboss-negotiation-2.2.0.Beta3.jar:2.2.0.Beta3]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_10]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_10]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_10]
    at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_10]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [:1.6.0_10]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [:1.6.0_10]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [:1.6.0_10]
    at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_10]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [:1.6.0_10]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [:1.6.0_10]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:411) [picketbox-infinispan-4.0.1.jar:4.0.1]
-
5. Re: Configure AS7 to authenticate users with kerberos
raoulpetitpied Nov 29, 2012 11:07 AM (in response to anikolaev71)
Hi Antoan,
I faced the same problem (i.e. 'Checksum failed'), and, in my case, I solved this error by changing the 'host' security-domain configuration.
According to https://community.jboss.org/wiki/DRAFTUsingJBossNegotiationOnAS7, the 'host' security-domain should be configured like this:
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="host/testserver@MY_REALM"/>
            <module-option name="keyTab" value="/home/username/service.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="false"/>
        </login-module>
    </authentication>
</security-domain>
In my case, the solution was to configure it like this:
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/{testserver}"/>
            <module-option name="keyTab" value="/home/username/service.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="false"/>
        </login-module>
    </authentication>
</security-domain>
where {testserver} is the FQDN of the machine.
Cheers
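The fix in the post above comes down to the login module's 'principal' option naming a principal that actually has a key in the keytab (HTTP/fqdn rather than host/fqdn). As an added example that is not from the thread or from JBoss, this Python script parses an MIT 0x0502 keytab and checks whether a configured principal is present, filling in a default realm when the option omits one as the working configuration does; the keytab is a constructed sample built inline, and the realm MY_REALM and FQDN testserver.example.com are assumed.

```python
import struct
def _counted(b: bytes) -> bytes:            # keytab counted_octet_string: u16 length + bytes
    return struct.pack(">H", len(b)) + b

def build_keytab_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one MIT keytab (0x0502) entry; principal is 'svc/host@REALM'."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, vno8
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)                  # 32-bit kvno trailer
    return struct.pack(">i", len(body)) + body

# Constructed sample (not from the thread): HTTP service key for an assumed host, kvno 3, enctype 18.
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(
    "HTTP/testserver.example.com@MY_REALM", 3, 18, b"\x11" * 32)

def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype), ...] for every live entry in a 0x0502 keytab."""
    assert data[:2] == b"\x05\x02", "only keytab version 0x0502 is handled"
    pos, entries = 2, []
    def take():                       # read one counted_octet_string at pos
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos); pos += 2
        s = data[pos:pos + n]; pos += n
        return s
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                 # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = take().decode()
        comps = [take().decode() for _ in range(ncomp)]
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos); pos += 2
        take()                        # key material itself is not needed for this check
        vno32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm, vno32 or vno8, enctype))
        pos = end
    return entries

def check_principal(configured: str, keytab: bytes, default_realm: str) -> bool:
    """True iff the 'principal' module option has a key in the keytab (realm-less values get default_realm)."""
    wanted = configured if "@" in configured else f"{configured}@{default_realm}"
    return any(p == wanted for p, _, _ in parse_keytab(keytab))
```

Run against the real keytab file from the 'keyTab' option (open it in binary mode) with each candidate principal; a mismatch here is the first thing to rule out before turning on the login module's debug output.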