6 Replies Latest reply on Mar 18, 2013 10:45 AM by jdurant

    JBoss Negotiation Toolkit : secured test

    jdurant

      Hello,

       

      I'm trying to set up an SSO solution based on Active Directory. I can't get the Negotiation Toolkit secured test working. My configuration:

       

      Servers:

       

      AD Server:

           name: sso-test

           os: Win 2008 R2

           domain: sso.test

       

      Web Server:

           name: testserver.sso.test

           os: CentOS 5.5

           JBoss AS 7.1.1

       

       

      Configuration:

       

      standalone.xml:

       

      <system-properties>
          <property name="java.security.krb5.kdc" value="sso-test.sso.test"/>
          <property name="java.security.krb5.realm" value="SSO.TEST"/>
      </system-properties>
      ......
      <security-domain name="host" cache-type="default">
          <authentication>
              <login-module code="Kerberos" flag="required">
                   <module-option name="storeKey" value="true"/>
                   <module-option name="useKeyTab" value="true"/>
                   <module-option name="principal" value="HTTP/testserver@SSO.TEST"/>
                   <module-option name="keyTab" value="/sso/testserver.http.keytab"/>
                   <module-option name="doNotPrompt" value="true"/>
                   <module-option name="debug" value="true"/>
              </login-module>
          </authentication>
      </security-domain>
      <security-domain name="SPNEGO" cache-type="default">
           <authentication>
                <login-module code="SPNEGO" flag="requisite">
                     <module-option name="password-stacking" value="useFirstPass"/>
                     <module-option name="serverSecurityDomain" value="host"/>
                     <module-option name="defaultRole" value="Users"/>
                     <module-option name="debug" value="true"/>
                </login-module>
                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                     <module-option name="password-stacking" value="useFirstPass"/>
                     <module-option name="usersProperties" value="/sso/spnego-users.properties"/>
                     <module-option name="rolesProperties" value="/sso/spnego-roles.properties"/>
                </login-module>
           </authentication>
      </security-domain>
      

       

      spnego-users.properties:

      testsso@SSO.TEST=Users
      administrateur@SSO.TEST=Users
      administrateur.sso.test=Users
      administrateur.sso.test@SSO.TEST=Users
      testsso.sso.test=Users
      testsso.sso.test@SSO.TEST=Users
      

       

       

      A user "testserver" has been created in Active Directory, and a keytab generated according to the documentation.

       

       

      Issue:

       

      From the Windows server, with both IE and Firefox, the basic test seems to be good:

       

      basic:

      Negotiation Toolkit 
      Basic Negotiation 
      WWW-Authenticate - Negotiate  
      YIILxAYGKwYBBQUCoII...... 
      NegTokenInit 
      Message Oid - SPNEGO 
      Mech Types - {Kerberos V5 Legacy} {Kerberos V5} {1.3.6.1.4.1.311.2.2.30} {NTLM} 
      Req Flags - 
      Mech Token - 
      YIILdgYJKoZIhvcSAQICA...... 
      Mech List Mic -
      

       

      security domain:

      Negotiation Toolkit 
      Security Domain Test 
      
      Testing security-domain 'host' 
      Authenticated 
      Object: 
      Principal : HTTP/testserver@SSO.TEST 
      Private credential: Ticket (hex) = 
      0000: 61 82 01 02 30 81 FF A0 03 02 01 05 A1 0A 1B 08 a...0........... 
      0010: 53 53 4F 2E 54 45 53 54 A2 1D 30 1B A0 03 02 01 SSO.TEST..0..... 
      0020: 02 A1 14 30 12 1B 06 6B 72 62 74 67 74 1B 08 53 ...0...krbtgt..S 
      0030: 53 4F 2E 54 45 53 54 A3 81 CC 30 81 C9 A0 03 02 SO.TEST...0..... 
      0040: 01 12 A1 03 02 01 02 A2 81 BC 04 81 B9 A3 9C 91 ................ 
      0050: C1 F4 2A 60 99 A6 C3 9B 3B 25 EE BE C0 67 76 DE ..*`....;%...gv. 
      0060: FC 9D B1 38 DC 11 BB F5 C2 D8 0B 92 AA 0C 88 CF ...8............ 
      0070: D0 DA 0E BF 00 B9 53 D8 94 8D 10 2F 8C 52 56 47 ......S..../.RVG 
      0080: B7 BA C9 D6 05 56 E2 A0 17 1F 59 DF 90 A2 3E F7 .....V....Y...>. 
      0090: FE BD D4 95 1C C9 81 B1 C3 99 19 E1 C3 0E 17 47 ...............G 
      00A0: 6F FE 29 C6 B1 DE 6A D0 E3 6A 3F 53 CC 0E 68 6F o.)...j..j?S..ho 
      00B0: A8 47 87 43 1D BA 25 7E 73 CC E8 DD 73 6B 71 FE .G.C..%.s...skq. 
      00C0: 6E 1F E7 F0 4C 41 45 84 97 68 E4 79 B1 3D 6C 06 n...LAE..h.y.=l. 
      00D0: 5F 23 8F 29 8D F3 D4 67 C9 14 F9 D0 7D 67 03 9A _#.)...g.....g.. 
      00E0: E6 06 A0 9E 08 1C 96 64 7C 75 15 9F 0E 0A C5 5B .......d.u.....[ 
      00F0: 99 DE 4B FF 85 F4 12 33 A5 A6 36 E3 4E E5 5A 5D ..K....3..6.N.Z] 
      0100: 0D 79 43 97 E0 A4 .yC... 
      
      Client Principal = HTTP/testserver@SSO.TEST 
      Server Principal = krbtgt/SSO.TEST@SSO.TEST 
      Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)= 
      0000: 35 7C FD F8 F2 80 C3 0B 5D E9 06 BB 69 1F 8D BE 5.......]...i... 
      
      Forwardable Ticket false 
      Forwarded Ticket false 
      Proxiable Ticket false 
      Proxy Ticket false 
      Postdated Ticket false 
      Renewable Ticket false 
      Initial Ticket false 
      Auth Time = Thu Mar 14 15:42:36 CET 2013 
      Start Time = Thu Mar 14 15:42:36 CET 2013 
      End Time = Fri Mar 15 01:42:36 CET 2013 
      Renew Till = null 
      Client Addresses Null 
      Private credential: Kerberos Principal HTTP/testserver@SSO.TESTKey Version 5key EncryptionKey: keyType=23 keyBytes (hex dump)= 
      0000: E8 46 D4 07 41 39 79 AD D6 2F 91 9D 05 CA 1A 93 .F..A9y../......
      

       

      When I launch the secured test, I get an HTTP 403 page.

      server.log:

       

      16:17:51,521 INFO  [stdout] (http--0.0.0.0-8080-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /sso/testserver.http.keytab refreshKrb5Config is false principal is HTTP/testserver@SSO.TEST tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      16:17:51,523 INFO  [stdout] (http--0.0.0.0-8080-1) principal's key obtained from the keytab
      16:17:51,523 INFO  [stdout] (http--0.0.0.0-8080-1) Acquire TGT using AS Exchange
      16:17:51,528 INFO  [stdout] (http--0.0.0.0-8080-1) principal is HTTP/testserver@SSO.TEST
      16:17:51,529 INFO  [stdout] (http--0.0.0.0-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E8 46 D4 07 41 39 79 AD   D6 2F 91 9D 05 CA 1A 93  .F..A9y../......
      16:17:51,530 INFO  [stdout] (http--0.0.0.0-8080-1) 
      16:17:51,530 INFO  [stdout] (http--0.0.0.0-8080-1) Added server's keyKerberos Principal HTTP/testserver@SSO.TESTKey Version 5key EncryptionKey: keyType=23 keyBytes (hex dump)=
      16:17:51,531 INFO  [stdout] (http--0.0.0.0-8080-1) 0000: E8 46 D4 07 41 39 79 AD   D6 2F 91 9D 05 CA 1A 93  .F..A9y../......
      16:17:51,532 INFO  [stdout] (http--0.0.0.0-8080-1) 
      16:17:51,532 INFO  [stdout] (http--0.0.0.0-8080-1) 
      16:17:51,533 INFO  [stdout] (http--0.0.0.0-8080-1)         [Krb5LoginModule] added Krb5Principal  HTTP/testserver@SSO.TEST to Subject
      16:17:51,533 INFO  [stdout] (http--0.0.0.0-8080-1) Commit Succeeded 
      16:17:51,533 INFO  [stdout] (http--0.0.0.0-8080-1) 
      16:17:51,534 INFO  [stdout] (http--0.0.0.0-8080-1)         [Krb5LoginModule]: Entering logout
      16:17:51,534 INFO  [stdout] (http--0.0.0.0-8080-1)         [Krb5LoginModule]: logged out Subject
      16:17:51,535 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--0.0.0.0-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
          at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_24]
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.6.0_24]
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.6.0_24]
          at java.lang.reflect.Method.invoke(Method.java:616) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.6.0_24]
          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.6.0_24]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
          at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_24]
      
      16:17:51,544 INFO  [stdout] (http--0.0.0.0-8080-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /sso/testserver.http.keytab refreshKrb5Config is false principal is HTTP/testserver@SSO.TEST tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      16:17:51,545 INFO  [stdout] (http--0.0.0.0-8080-1) principal's key obtained from the keytab
      16:17:51,545 INFO  [stdout] (http--0.0.0.0-8080-1) Acquire TGT using AS Exchange
      16:17:51,548 INFO  [stdout] (http--0.0.0.0-8080-1) principal is HTTP/testserver@SSO.TEST
      16:17:51,548 INFO  [stdout] (http--0.0.0.0-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E8 46 D4 07 41 39 79 AD   D6 2F 91 9D 05 CA 1A 93  .F..A9y../......
      16:17:51,548 INFO  [stdout] (http--0.0.0.0-8080-1) 
      16:17:51,549 INFO  [stdout] (http--0.0.0.0-8080-1) Added server's keyKerberos Principal HTTP/testserver@SSO.TESTKey Version 5key EncryptionKey: keyType=23 keyBytes (hex dump)=
      16:17:51,549 INFO  [stdout] (http--0.0.0.0-8080-1) 0000: E8 46 D4 07 41 39 79 AD   D6 2F 91 9D 05 CA 1A 93  .F..A9y../......
      16:17:51,549 INFO  [stdout] (http--0.0.0.0-8080-1) 
      16:17:51,549 INFO  [stdout] (http--0.0.0.0-8080-1) 
      16:17:51,549 INFO  [stdout] (http--0.0.0.0-8080-1)         [Krb5LoginModule] added Krb5Principal  HTTP/testserver@SSO.TEST to Subject
      16:17:51,550 INFO  [stdout] (http--0.0.0.0-8080-1) Commit Succeeded 
      16:17:51,550 INFO  [stdout] (http--0.0.0.0-8080-1) 
      16:17:51,553 INFO  [stdout] (http--0.0.0.0-8080-1)         [Krb5LoginModule]: Entering logout
      16:17:51,553 INFO  [stdout] (http--0.0.0.0-8080-1)         [Krb5LoginModule]: logged out Subject
      

       

      When I try to access the page from the web server, I get a login form, and after submitting it I get a Username/Password Failure.

      Log:

       

      16:26:14,389 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--0.0.0.0-8080-1) Login failure: javax.security.auth.login.LoginException: No NegotiationContext and no usernamePasswordDomain defined.
          at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:187) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
          at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:137) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_24]
          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.6.0_24]
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.6.0_24]
          at java.lang.reflect.Method.invoke(Method.java:616) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.6.0_24]
          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.6.0_24]
          at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.6.0_24]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:101) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
          at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_24]
      

       

      I'd appreciate any help!

       

      Jonathan
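The Basic Negotiation output in the post prints the NegTokenInit only as a base64 string plus a mech-type list, so the page never says which mechanism the browser actually placed in the Mech Token. The script below is an added example (not part of the post and not the Negotiation Toolkit's own code) that walks the DER just far enough to answer that question: it decodes the two base64 prefixes quoted in the post, and parses a complete NegTokenInit that is constructed in memory (`build_neg_token_init`, the stand-in AP-REQ body and the stand-in NTLMSSP message are test data, not real tokens). The point for a keytab-based acceptor like the `Kerberos` login module configured here is that it holds only Kerberos credentials, so the SPNEGO handshake can only complete when the optimistic inner token is a Kerberos AP-REQ; a client that could not get a service ticket for the SPN it derives from the URL's host name offers an NTLMSSP token instead.

```python
"""Decode a SPNEGO NegTokenInit (RFC 4178) far enough to see which mechanism
the client actually chose. Added example, not the post's or the toolkit's
code; full tokens are constructed because the post shows truncated base64."""
import base64

OID_SPNEGO = bytes.fromhex("2b0601050502")             # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")         # 1.2.840.113554.1.2.2
OID_KRB5_LEGACY = bytes.fromhex("2a864882f712010202")  # 1.2.840.48018.1.2.2 (MS)
OID_NEGOEX = bytes.fromhex("2b06010401823702021e")     # 1.3.6.1.4.1.311.2.2.30
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")    # 1.3.6.1.4.1.311.2.2.10
OID_NAMES = {OID_SPNEGO: "SPNEGO", OID_KRB5: "Kerberos V5",
             OID_KRB5_LEGACY: "Kerberos V5 Legacy", OID_NEGOEX: "NEGOEX",
             OID_NTLMSSP: "NTLMSSP"}


def der(tag, content):
    """Encode one DER TLV, short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_tlv(buf, pos=0):
    """Decode the TLV at buf[pos] -> (tag, value, next_pos). A truncated
    value (all the toolkit printout gives us) is returned as-is."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def identify_gss_token(token):
    """Name a GSS token's mechanism from its first bytes: raw NTLMSSP carries
    the 'NTLMSSP\\0' signature; Kerberos and SPNEGO InitialContextTokens start
    with 0x60 followed by the mechanism OID (RFC 2743 section 3.1)."""
    if token.startswith(b"NTLMSSP\x00"):
        return "NTLMSSP"
    if token and token[0] == 0x60:
        _, body, _ = der_tlv(token)
        tag, oid, _ = der_tlv(body)
        if tag == 0x06:
            return OID_NAMES.get(oid, "unknown OID " + oid.hex())
    return "unrecognised"


def parse_neg_token_init(token):
    """Return the offered mechTypes and the mechanism of the optimistic mechToken."""
    tag, body, _ = der_tlv(token)
    if tag != 0x60:
        raise ValueError("not a GSS InitialContextToken")
    (_, oid), (ctx_tag, neg_init) = der_children(body)[:2]
    if oid != OID_SPNEGO or ctx_tag != 0xA0:
        raise ValueError("not a SPNEGO NegTokenInit")
    result = {"mech_types": [], "mech_token_mech": None}
    _, seq, _ = der_tlv(neg_init)                 # NegTokenInit ::= SEQUENCE
    for tag, val in der_children(seq):
        if tag == 0xA0:                           # [0] mechTypes: SEQUENCE OF OID
            _, oids, _ = der_tlv(val)
            result["mech_types"] = [OID_NAMES.get(o, o.hex()) for _, o in der_children(oids)]
        elif tag == 0xA2:                         # [2] mechToken: OCTET STRING
            _, mech_token, _ = der_tlv(val)
            result["mech_token_mech"] = identify_gss_token(mech_token)
    return result


def build_neg_token_init(mech_oids, mech_token):
    """Construct a NegTokenInit (test data; inverse of parse_neg_token_init)."""
    mech_types = der(0x30, b"".join(der(0x06, o) for o in mech_oids))
    neg_init = der(0x30, der(0xA0, mech_types) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, der(0x06, OID_SPNEGO) + der(0xA0, neg_init))


def b64_prefix(text):
    """Decode a base64 prefix as the toolkit prints it: drop the '....' tail
    and any incomplete 4-character quantum."""
    text = text.rstrip(".")
    return base64.b64decode(text[: len(text) - len(text) % 4])


# Prefixes copied from the post's Basic Negotiation output.
OUTER_PREFIX = "YIILxAYGKwYBBQUCoII......"
MECH_TOKEN_PREFIX = "YIILdgYJKoZIhvcSAQICA......"
# Constructed inner tokens: a stand-in Kerberos AP-REQ (TOK_ID 01 00 + dummy
# body) and a stand-in raw NTLMSSP NEGOTIATE message. Neither is a real token.
FAKE_KRB5_TOKEN = der(0x60, der(0x06, OID_KRB5) + b"\x01\x00" + bytes(16))
FAKE_NTLM_TOKEN = b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(28)
MECH_LIST = [OID_KRB5_LEGACY, OID_KRB5, OID_NEGOEX, OID_NTLMSSP]
SAMPLE_KRB_INIT = build_neg_token_init(MECH_LIST, FAKE_KRB5_TOKEN)
SAMPLE_NTLM_INIT = build_neg_token_init(MECH_LIST, FAKE_NTLM_TOKEN)

if __name__ == "__main__":
    print("outer token:", identify_gss_token(b64_prefix(OUTER_PREFIX)))
    print("mech token :", identify_gss_token(b64_prefix(MECH_TOKEN_PREFIX)))
    print(parse_neg_token_init(SAMPLE_KRB_INIT))
    print(parse_neg_token_init(SAMPLE_NTLM_INIT))
```

Run as-is it reports `SPNEGO` for the outer prefix and `Kerberos V5` for the Mech Token prefix quoted in the post, so for the basic test the browser on the Windows server did present a Kerberos ticket; the same function applied to a `Authorization: Negotiate` header captured during the secured test shows whether that still holds there.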
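The `Kerberos` login module in the post's `standalone.xml` reads `/sso/testserver.http.keytab` for `HTTP/testserver@SSO.TEST`, and the Security Domain Test shows it found an RC4-HMAC key there (`keyType=23`, key version 5). A check most people want before going further is an exact listing of which principals, key versions and encryption types a keytab contains, since the SPN a browser asks the KDC for is built from the host name in the URL (`testserver.sso.test` in this setup) and a ticket for that SPN can only be decrypted with a key for that same principal, enctype and kvno. The parser below is an added example, not code from the post or from JBoss; it reads the MIT keytab format (version `0x0502`), and the keytab it inspects is built in memory with placeholder keys (not the key bytes printed in the post's debug output). The second, FQDN entry in the constructed keytab is an assumption made for the example, not something the post says exists.

```python
"""Parse an MIT keytab and check that it holds the key a Kerberos acceptor
expects (principal + enctype). Added example, not the post's or JBoss code;
the keytab bytes are constructed in-line with placeholder keys."""
import struct

KEYTAB_VERSION = b"\x05\x02"          # MIT keytab format v2
KRB5_NT_PRINCIPAL = 1
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(raw):
    return struct.pack(">H", len(raw)) + raw


def _read_counted(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples as a v2 keytab (test data)."""
    out = KEYTAB_VERSION
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        body += b"".join(_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key               # keyblock
        body += struct.pack(">I", kvno)                                   # 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return [{principal, kvno, enctype, key}] for every live entry in the keytab."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            raise ValueError("corrupt keytab: zero-length entry")
        if size < 0:                   # negative size marks a deleted (free) slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, keylen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + keylen]
        pos += keylen
        kvno = vno8
        if end - pos >= 4:             # optional 32-bit vno; a non-zero value overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries


def check_keytab(data, principal, wanted_enctype):
    """Say whether `principal` has a key of `wanted_enctype`; otherwise report what is there."""
    entries = parse_keytab(data)
    hits = [e for e in entries if e["principal"] == principal]
    if not hits:
        return {"ok": False, "reason": "principal not in keytab",
                "present": sorted({e["principal"] for e in entries})}
    match = [e for e in hits if e["enctype"] == wanted_enctype]
    if not match:
        return {"ok": False, "reason": "no key with enctype %d" % wanted_enctype,
                "enctypes": sorted(e["enctype"] for e in hits)}
    return {"ok": True, "kvno": match[0]["kvno"],
            "enctype": ENCTYPES.get(wanted_enctype, str(wanted_enctype))}


# Constructed keytab: the short-name SPN with an RC4 key and kvno 5 (what the
# post's debug output reports) plus an assumed FQDN SPN that only has an AES key.
FAKE_RC4_KEY = bytes(range(16))        # placeholder, not a real key
FAKE_AES_KEY = bytes(range(32))
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/testserver@SSO.TEST", 5, 23, FAKE_RC4_KEY),
    ("HTTP/testserver.sso.test@SSO.TEST", 5, 18, FAKE_AES_KEY),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("%-36s kvno=%d %s" % (e["principal"], e["kvno"], ENCTYPES.get(e["enctype"], e["enctype"])))
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/testserver@SSO.TEST", 23))
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/testserver.sso.test@SSO.TEST", 23))
```

On the CentOS host itself `klist -ke /sso/testserver.http.keytab` gives the same principal/kvno/enctype listing for the real file; the script is for the case where the keytab is being inspected off-box or checked automatically against the `principal` option in `standalone.xml`.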