3 Replies Latest reply on Jan 30, 2013 6:26 AM by akshy_harale

    JBoss Spnego | Unsupported negotiation mechanism 'NTLM'

    mohtisham

      Dear All,

      We have JBoss on a separate machine from AD. After following the JBoss Negotiation Guide, the provided Negotiation Testing Toolkit was able to test the domain successfully, but the basic and secured tests were unsuccessful. The following exception is thrown:

       

      2012-07-12 08:39:41,742 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (ajp-0.0.0.0-8409-3) Authenticating user
      2012-07-12 08:39:41,742 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (ajp-0.0.0.0-8409-3) Authenticating user
      2012-07-12 08:39:41,742 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (ajp-0.0.0.0-8409-3) Header - Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
      2012-07-12 08:39:41,742 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (ajp-0.0.0.0-8409-3) Header - Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
      2012-07-12 08:39:41,761 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Base64] (ajp-0.0.0.0-8409-3) TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
      2012-07-12 08:39:41,761 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Base64] (ajp-0.0.0.0-8409-3) TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
      2012-07-12 08:39:41,767 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Hex] (ajp-0.0.0.0-8409-3)  0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00 0x01 0x00 0x00 0x00 0x97 0x82 0x08 0xe2 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x06 0x01 0xb1 0x1d 0x00 0x00 0x00 0x0f
      2012-07-12 08:39:41,767 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Hex] (ajp-0.0.0.0-8409-3)  0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00 0x01 0x00 0x00 0x00 0x97 0x82 0x08 0xe2 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x06 0x01 0xb1 0x1d 0x00 0x00 0x00 0x0f
      2012-07-12 08:39:42,035 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (ajp-0.0.0.0-8409-3) Creating new NegotiationContext
      2012-07-12 08:39:42,035 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (ajp-0.0.0.0-8409-3) Creating new NegotiationContext
      2012-07-12 08:39:42,039 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (ajp-0.0.0.0-8409-3) associate 1211161939
      2012-07-12 08:39:42,039 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (ajp-0.0.0.0-8409-3) associate 1211161939
      2012-07-12 08:39:42,044 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (ajp-0.0.0.0-8409-3) Begin isValid, principal:F241A484D094B7243A72A31089B782F6.trkssit, cache info: null
      2012-07-12 08:39:42,044 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (ajp-0.0.0.0-8409-3) Begin isValid, principal:F241A484D094B7243A72A31089B782F6.trkssit, cache info: null
      2012-07-12 08:39:42,044 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (ajp-0.0.0.0-8409-3) defaultLogin, principal=F241A484D094B7243A72A31089B782F6.trkssit
      2012-07-12 08:39:42,044 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (ajp-0.0.0.0-8409-3) defaultLogin, principal=F241A484D094B7243A72A31089B782F6.trkssit
      2012-07-12 08:39:42,045 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (ajp-0.0.0.0-8409-3) Begin getAppConfigurationEntry(SPNEGO), size=14
      2012-07-12 08:39:42,045 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (ajp-0.0.0.0-8409-3) Begin getAppConfigurationEntry(SPNEGO), size=14
      2012-07-12 08:39:42,045 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (ajp-0.0.0.0-8409-3) End getAppConfigurationEntry(SPNEGO), authInfo=AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.security.negotiation.spnego.SPNEGOLoginModule
      ControlFlag: LoginModuleControlFlag: requisite
      Options:
      name=serverSecurityDomain, value=host
      name=password-stacking, value=useFirstPass
      
      2012-07-12 08:39:42,045 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (ajp-0.0.0.0-8409-3) End getAppConfigurationEntry(SPNEGO), authInfo=AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.security.negotiation.spnego.SPNEGOLoginModule
      ControlFlag: LoginModuleControlFlag: requisite
      Options:
      name=serverSecurityDomain, value=host
      name=password-stacking, value=useFirstPass
      
      2012-07-12 08:39:42,062 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) initialize
      2012-07-12 08:39:42,062 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) initialize
      2012-07-12 08:39:42,062 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) Security domain: SPNEGO
      2012-07-12 08:39:42,062 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) Security domain: SPNEGO
      2012-07-12 08:39:42,062 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) serverSecurityDomain=host
      2012-07-12 08:39:42,062 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) serverSecurityDomain=host
      2012-07-12 08:39:42,063 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) login
      2012-07-12 08:39:42,063 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) login
      2012-07-12 08:39:42,067 WARN  [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) Unsupported negotiation mechanism 'NTLM'.
      2012-07-12 08:39:42,067 WARN  [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) Unsupported negotiation mechanism 'NTLM'.
      2012-07-12 08:39:42,067 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) abort
      2012-07-12 08:39:42,067 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (ajp-0.0.0.0-8409-3) abort
      2012-07-12 08:39:42,067 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (ajp-0.0.0.0-8409-3) Login failure
      javax.security.auth.login.LoginException: Unsupported negotiation mechanism 'NTLM'.
          at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:122)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:616)
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
          at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:553)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:487)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
          at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:399)
          at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
          at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:383)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
          at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:436)
          at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:384)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
          at java.lang.Thread.run(Thread.java:636)
      2012-07-12 08:39:42,067 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (ajp-0.0.0.0-8409-3) Login failure
      javax.security.auth.login.LoginException: Unsupported negotiation mechanism 'NTLM'.
          at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:122)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.lang.reflect.Method.invoke(Method.java:616)
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
          at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:553)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:487)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
          at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:399)
          at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
          at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:383)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
          at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:436)
          at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:384)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
          at java.lang.Thread.run(Thread.java:636)
      2012-07-12 08:39:42,072 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (ajp-0.0.0.0-8409-3) End isValid, false
      2012-07-12 08:39:42,072 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (ajp-0.0.0.0-8409-3) End isValid, false
      2012-07-12 08:39:42,072 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (ajp-0.0.0.0-8409-3) clear 1211161939
      2012-07-12 08:39:42,072 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (ajp-0.0.0.0-8409-3) clear 1211161939
      2012-07-12 08:39:42,072 TRACE [org.jboss.security.SecurityAssociation] (ajp-0.0.0.0-8409-3) clear, server=true
      2012-07-12 08:39:42,072 TRACE [org.jboss.security.SecurityAssociation] (ajp-0.0.0.0-8409-3) clear, server=true
      2012-07-12 08:39:42,075 TRACE [org.jboss.security.SecurityRolesAssociation] (ajp-0.0.0.0-8409-3) Setting threadlocal:null
      2012-07-12 08:39:42,075 TRACE [org.jboss.security.SecurityRolesAssociation] (ajp-0.0.0.0-8409-3) Setting threadlocal:null
      2012-07-12 08:39:42,075 TRACE [org.jboss.security.SecurityRolesAssociation] (ajp-0.0.0.0-8409-3) Setting threadlocal:null
      2012-07-12 08:39:42,075 TRACE [org.jboss.security.SecurityRolesAssociation] (ajp-0.0.0.0-8409-3) Setting threadlocal:null
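
Added example (not part of the original post and not JBoss Negotiation code): the token logged on the `Header - Negotiate` line above starts with the bytes `NTLMSSP\0`, so it is a raw NTLM message rather than a GSS-API/SPNEGO token, which is what `SPNEGOLoginModule` rejects. This Python sketch classifies such a token offline; the function and constant names are hypothetical.

```python
import base64
import struct

# Token copied from the "Header - Negotiate ..." log line in the post.
LOGGED_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
# DER-encoded mechanism OIDs that follow the GSS-API 0x60 tag.
GSS_MECH_OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",          # 1.3.6.1.5.5.2
    bytes.fromhex("06092a864886f712010202"): "Kerberos",  # 1.2.840.113554.1.2.2
}


def classify_negotiate_token(b64_token):
    """Describe the token carried after 'Negotiate ' in an Authorization header."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return {"mechanism": "invalid-base64"}
    if raw.startswith(NTLMSSP_SIGNATURE):
        if len(raw) < 16:
            return {"mechanism": "NTLM", "message_type": "truncated"}
        msg_type, flags = struct.unpack_from("<II", raw, 8)
        info = {
            "mechanism": "NTLM",
            "message_type": NTLM_MESSAGE_TYPES.get(msg_type, "unknown"),
            "flags": flags,
            "version": None,
        }
        # A NEGOTIATE message carries an 8-byte version block at offset 32
        # when the NTLMSSP_NEGOTIATE_VERSION flag is set.
        if msg_type == 1 and flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["version"] = (major, minor, build)
        return info
    if raw[:1] == b"\x60":
        # GSS-API initial token: [0x60][length][mechanism OID]...
        for oid, name in GSS_MECH_OIDS.items():
            if oid in raw[:20]:
                return {"mechanism": name}
        return {"mechanism": "unknown-gss"}
    return {"mechanism": "unknown"}


if __name__ == "__main__":
    print(classify_negotiate_token(LOGGED_TOKEN))
```

For the logged token this reports an NTLM NEGOTIATE (Type 1) message, matching the hex dump in the trace; a token beginning with `0x60` and the SPNEGO OID is what the login module expects instead.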