can't get jboss-negotiation-toolkit 'secured' test working
I have been trying to get the jboss-negiation-toolkit to work for a few weeks now and I think I've tried everything that other people have run into. I'm now stuck at the point where I can't get the 'secured' version of the servlet working. The 'security domain test' as well as the 'basic negotation' tests work fine but JBoss continues to throw 'LoginException's when trying to open the secured link. I'm pretty certain that it's got something to do with some AD/Kerberos setup but I haven't been able to make any more progress.
11:49:43,514 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
...
Has anyone run into the same issue or does anyone have any suggestions of where the problem could be? Sorry for the huge post but below are all the details of the setup and how I've configured things this far, trying to provide as much detail as possible.
Here's our setup:
- Windows 2008 AD (QAAD)
- DNS name: qaad.dev.company.com
- Domain: QUALITY (QUALITY.COMPANY.COM)
- CentOS 6.2 running JBoss AS 7.1.1.Final (BARDEV1)
- Deployed: jboss-negotiation-toolkit-2.2.2.Final
- DNS name: bardev1.dev.company.com
- Test clients are WinXP and Win7 joined to QUALITY domain
BARDEV1 is currently joined to the quality domain (is this necessary or should it work without being joined to the domain?).
JBoss SPNEGO config is:
<security-domain name="qaad_kerberos" cache-type="default">
<authentication>
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM"/>
<module-option name="keyTab" value="/opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4.keytab"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="debug" value="true"/>
<module-option name="refreshKrb5Config" value="false"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="qaad_kerberos"/>
</login-module>
</authentication>
</security-domain>
/etc/krb5.conf is set to:
------------------------------------------------------------
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = QUALITY.COMPANY.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac
[realms]
QUALITY.COMPANY.COM = {
kdc = qaad.dev.company.com
admin_server = qaad.dev.company.com
default_domain = quality.company.com
}
[domain_realm]
.quality.company.com = QUALITY.COMPANY.COM
quality.company.com = QUALITY.COMPANY.COM
------------------------------------------------------------
QAAD box has 'computer' account for 'bardev1'. This account has delegation set to 'Trust this computer for delgation to any service (Kerberos only)'.
keytab was generated on QAAD box and SPN was set with the following commands:
setspn -S HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM bardev1
ktpass /out bardev1_qaad_rc4.keytab /princ HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM /mapuser quality\administrator -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL /pass * /kvno 0
(Note: had to set /kvno 0 because otherwise I got: KrbException: Specified version of key is not available (44))
setspn -L bardev1
--> output:
Registered ServicePrincipalNames for CN=bardev1,CN=Computers,DC=quality,DC=company,DC=com:
HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
HOST/bardev1.dev.company.com
HOST/BARDEV1
setspn -L administrator
--> output:
Registered ServicePrincipalNames for CN=Administrator,CN=Users,DC=quality,DC=company,DC=com:
HTTP/bardev1.dev.company.com
Used the 'Administrator' account for initial tests so I wouldn't have to deal with new user accounts. That account has delegation set to 'Trust this computer for delgation to any service (Kerberos only)' and has no other account options set like 'use kerberos DES encryption...', 'account supports AES 128/256...' or 'do not require kerberos preauth'. Are any of them needed?
From the client machines, in order to get the browsers to use the logged in user's credentials, I have to set the URL to:
http://bardev1:8080/jboss-negotiation-toolkit-2.2.2.Final
If I put it as:
http://bardev1.dev.company.com:8080/jboss-negotiation-toolkit-2.2.2.Final
then I get the username and password pop up.
I did try to run the setspn and ktpass with 'HTTP/bardev1@QUALITY.COMPANY.COM' with the same results, i.e. basic and domain tests work, secured doesn't.
Output from 'SecurityDomainTest':
JBoss log:
----------
12:01:33,229 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
12:01:33,238 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab
12:01:33,241 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
12:01:33,259 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
12:01:33,269 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:01:33,273 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,276 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
12:01:33,283 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:01:33,285 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,285 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,286 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
12:01:33,288 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
12:01:33,290 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:01:33,295 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: Entering logout
12:01:33,296 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: logged out Subject
Browser:
--------
Negotiation Toolkit
Security Domain Test
Testing security-domain 'qaad_kerberos'
Authenticated
Subject:
Principal: HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
Private Credential: Ticket (hex) =
0000: 61 82 04 A6 30 82 04 A2 A0 03 02 01 05 A1 16 1B a...0...........
0010: 14 51 55 41 4C 49 54 59 2E 53 59 4D 50 48 4F 4E .QUALITY.COMPANY
0020: 4F 2E 43 4F 4D A2 29 30 27 A0 03 02 01 02 A1 20 O.COM.)0'......
0030: 30 1E 1B 06 6B 72 62 74 67 74 1B 14 51 55 41 4C 0...krbtgt..QUAL
...
04A0: 1C 85 74 1A 9B EF B9 EE D2 A8 ..t.......
Client Principal = HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
Server Principal = krbtgt/QUALITY.COMPANY.COM@QUALITY.COMPANY.COM
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 67 2B 5A 9B FE 97 00 2B 68 0B D2 0F 35 FA D1 CB g+Z....+h...5...
Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue Feb 05 12:01:33 CST 2013
Start Time = Tue Feb 05 12:01:33 CST 2013
End Time = Tue Feb 05 22:01:33 CST 2013
Renew Till = null
Client Addresses Null
Private Credential: Kerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
Output from 'Basic Negotiation':
JBoss log:
----------
12:48:01,226 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) No Authorization Header, sending 401
12:48:01,243 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Authorization header received - decoding token.
Browser:
--------
Negotiation Toolkit
Basic Negotiation
WWW-Authenticate - Negotiate YIILwgYGKwYBBQUCoIILtjCCC7KgJDAiBgkqhkiC9xIBAgIGCSq ... i4=
NegTokenInit
Message Oid - SPNEGO
Mech Types - {Kerberos V5 Legacy} {Kerberos V5} {NTLM}
Req Flags -
Mech Token -YIILgAYJKoZIhvcSAQICAQBuggtvMIILa6A ... Gi4=
Mech List Mic -
Output from 'Secured':
JBoss log:
----------
12:51:52,877 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
12:51:52,894 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab
12:51:52,895 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
12:51:52,929 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
12:51:52,933 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:52,937 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,939 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
12:51:52,944 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:52,945 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,946 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,947 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
12:51:52,949 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
12:51:52,950 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:52,950 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: Entering logout
12:51:52,952 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: logged out Subject
12:51:52,953 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]
at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]
12:51:52,985 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
12:51:52,989 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab
12:51:52,990 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange
12:51:53,015 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM
12:51:53,058 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:53,060 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,061 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=
12:51:53,063 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.
12:51:53,065 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,065 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,066 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject
12:51:53,068 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded
12:51:53,068 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)
12:51:53,081 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: Entering logout
12:51:53,082 INFO [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) [Krb5LoginModule]: logged out Subject
Browser:
--------
HTTP Status 403 - Access to the requested resource has been denied
