JBoss Negotiation Toolkit : secured test
jdurant Mar 14, 2013 11:28 AM
Hello,
I'm trying to set up an SSO solution based on Active Directory. I can't get the Negotiation Toolkit secured test working. My configuration:
Servers:
AD Server :
name : sso-test
os : Win 2008 R2
domain : sso.test
WEB Server :
name : testserver.sso.test
os : CentOS 5.5
JBoss AS 7.1.1
configuration :
standalone.xml:
<system-properties>
    <property name="java.security.krb5.kdc" value="sso-test.sso.test"/>
    <property name="java.security.krb5.realm" value="SSO.TEST"/>
</system-properties>
......
<security-domain name="host" cache-type="default">
    <authentication>
        <login-module code="Kerberos" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/testserver@SSO.TEST"/>
            <module-option name="keyTab" value="/sso/testserver.http.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="SPNEGO" flag="requisite">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="host"/>
            <module-option name="defaultRole" value="Users"/>
            <module-option name="debug" value="true"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="usersProperties" value="/sso/spnego-users.properties"/>
            <module-option name="rolesProperties" value="/sso/spnego-roles.properties"/>
        </login-module>
    </authentication>
</security-domain>
spnego-users.properties:
testsso@SSO.TEST=Users
administrateur@SSO.TEST=Users
administrateur.sso.test=Users
administrateur.sso.test@SSO.TEST=Users
testsso.sso.test=Users
testsso.sso.test@SSO.TEST=Users
A user "testserver" has been created in Active Directory, and a keytab generated according to the documentation.
Issue:
From the Windows Server, both with IE and Firefox, the basic test seems to be good:
basic:
Negotiation Toolkit
Basic Negotiation
WWW-Authenticate - Negotiate YIILxAYGKwYBBQUCoII......
NegTokenInit Message
Oid - SPNEGO
Mech Types - {Kerberos V5 Legacy} {Kerberos V5} {1.3.6.1.4.1.311.2.2.30} {NTLM}
Req Flags -
Mech Token - YIILdgYJKoZIhvcSAQICA......
Mech List Mic -
security domain:
Negotiation Toolkit
Security Domain Test
Testing security-domain 'host'
Authenticated
Objet : Principal : HTTP/testserver@SSO.TEST
Identité privée : Ticket (hex) =
0000: 61 82 01 02 30 81 FF A0 03 02 01 05 A1 0A 1B 08 a...0...........
0010: 53 53 4F 2E 54 45 53 54 A2 1D 30 1B A0 03 02 01 SSO.TEST..0.....
0020: 02 A1 14 30 12 1B 06 6B 72 62 74 67 74 1B 08 53 ...0...krbtgt..S
0030: 53 4F 2E 54 45 53 54 A3 81 CC 30 81 C9 A0 03 02 SO.TEST...0.....
0040: 01 12 A1 03 02 01 02 A2 81 BC 04 81 B9 A3 9C 91 ................
0050: C1 F4 2A 60 99 A6 C3 9B 3B 25 EE BE C0 67 76 DE ..*`....;%...gv.
0060: FC 9D B1 38 DC 11 BB F5 C2 D8 0B 92 AA 0C 88 CF ...8............
0070: D0 DA 0E BF 00 B9 53 D8 94 8D 10 2F 8C 52 56 47 ......S..../.RVG
0080: B7 BA C9 D6 05 56 E2 A0 17 1F 59 DF 90 A2 3E F7 .....V....Y...>.
0090: FE BD D4 95 1C C9 81 B1 C3 99 19 E1 C3 0E 17 47 ...............G
00A0: 6F FE 29 C6 B1 DE 6A D0 E3 6A 3F 53 CC 0E 68 6F o.)...j..j?S..ho
00B0: A8 47 87 43 1D BA 25 7E 73 CC E8 DD 73 6B 71 FE .G.C..%.s...skq.
00C0: 6E 1F E7 F0 4C 41 45 84 97 68 E4 79 B1 3D 6C 06 n...LAE..h.y.=l.
00D0: 5F 23 8F 29 8D F3 D4 67 C9 14 F9 D0 7D 67 03 9A _#.)...g.....g..
00E0: E6 06 A0 9E 08 1C 96 64 7C 75 15 9F 0E 0A C5 5B .......d.u.....[
00F0: 99 DE 4B FF 85 F4 12 33 A5 A6 36 E3 4E E5 5A 5D ..K....3..6.N.Z]
0100: 0D 79 43 97 E0 A4 .yC...
Client Principal = HTTP/testserver@SSO.TEST
Server Principal = krbtgt/SSO.TEST@SSO.TEST
Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: 35 7C FD F8 F2 80 C3 0B 5D E9 06 BB 69 1F 8D BE 5.......]...i...
Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Thu Mar 14 15:42:36 CET 2013
Start Time = Thu Mar 14 15:42:36 CET 2013
End Time = Fri Mar 15 01:42:36 CET 2013
Renew Till = null
Client Addresses Null
Identité privée : Kerberos Principal HTTP/testserver@SSO.TESTKey Version 5key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: E8 46 D4 07 41 39 79 AD D6 2F 91 9D 05 CA 1A 93 .F..A9y../......
When I launch the secured test, I get an HTTP 403 page.
server.log:
16:17:51,521 INFO [stdout] (http--0.0.0.0-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /sso/testserver.http.keytab refreshKrb5Config is false principal is HTTP/testserver@SSO.TEST tryFirstPass is false useFirstPass is false storePass is false clearPass is false
16:17:51,523 INFO [stdout] (http--0.0.0.0-8080-1) principal's key obtained from the keytab
16:17:51,523 INFO [stdout] (http--0.0.0.0-8080-1) Acquire TGT using AS Exchange
16:17:51,528 INFO [stdout] (http--0.0.0.0-8080-1) principal is HTTP/testserver@SSO.TEST
16:17:51,529 INFO [stdout] (http--0.0.0.0-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E8 46 D4 07 41 39 79 AD D6 2F 91 9D 05 CA 1A 93 .F..A9y../......
16:17:51,530 INFO [stdout] (http--0.0.0.0-8080-1)
16:17:51,530 INFO [stdout] (http--0.0.0.0-8080-1) Added server's keyKerberos Principal HTTP/testserver@SSO.TESTKey Version 5key EncryptionKey: keyType=23 keyBytes (hex dump)=
16:17:51,531 INFO [stdout] (http--0.0.0.0-8080-1) 0000: E8 46 D4 07 41 39 79 AD D6 2F 91 9D 05 CA 1A 93 .F..A9y../......
16:17:51,532 INFO [stdout] (http--0.0.0.0-8080-1)
16:17:51,532 INFO [stdout] (http--0.0.0.0-8080-1)
16:17:51,533 INFO [stdout] (http--0.0.0.0-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/testserver@SSO.TEST to Subject
16:17:51,533 INFO [stdout] (http--0.0.0.0-8080-1) Commit Succeeded
16:17:51,533 INFO [stdout] (http--0.0.0.0-8080-1)
16:17:51,534 INFO [stdout] (http--0.0.0.0-8080-1) [Krb5LoginModule]: Entering logout
16:17:51,534 INFO [stdout] (http--0.0.0.0-8080-1) [Krb5LoginModule]: logged out Subject
16:17:51,535 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--0.0.0.0-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_24]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.6.0_24]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.6.0_24]
    at java.lang.reflect.Method.invoke(Method.java:616) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.6.0_24]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.6.0_24]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
    at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_24]
16:17:51,544 INFO [stdout] (http--0.0.0.0-8080-1) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /sso/testserver.http.keytab refreshKrb5Config is false principal is HTTP/testserver@SSO.TEST tryFirstPass is false useFirstPass is false storePass is false clearPass is false
16:17:51,545 INFO [stdout] (http--0.0.0.0-8080-1) principal's key obtained from the keytab
16:17:51,545 INFO [stdout] (http--0.0.0.0-8080-1) Acquire TGT using AS Exchange
16:17:51,548 INFO [stdout] (http--0.0.0.0-8080-1) principal is HTTP/testserver@SSO.TEST
16:17:51,548 INFO [stdout] (http--0.0.0.0-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: E8 46 D4 07 41 39 79 AD D6 2F 91 9D 05 CA 1A 93 .F..A9y../......
16:17:51,548 INFO [stdout] (http--0.0.0.0-8080-1)
16:17:51,549 INFO [stdout] (http--0.0.0.0-8080-1) Added server's keyKerberos Principal HTTP/testserver@SSO.TESTKey Version 5key EncryptionKey: keyType=23 keyBytes (hex dump)=
16:17:51,549 INFO [stdout] (http--0.0.0.0-8080-1) 0000: E8 46 D4 07 41 39 79 AD D6 2F 91 9D 05 CA 1A 93 .F..A9y../......
16:17:51,549 INFO [stdout] (http--0.0.0.0-8080-1)
16:17:51,549 INFO [stdout] (http--0.0.0.0-8080-1)
16:17:51,549 INFO [stdout] (http--0.0.0.0-8080-1) [Krb5LoginModule] added Krb5Principal HTTP/testserver@SSO.TEST to Subject
16:17:51,550 INFO [stdout] (http--0.0.0.0-8080-1) Commit Succeeded
16:17:51,550 INFO [stdout] (http--0.0.0.0-8080-1)
16:17:51,553 INFO [stdout] (http--0.0.0.0-8080-1) [Krb5LoginModule]: Entering logout
16:17:51,553 INFO [stdout] (http--0.0.0.0-8080-1) [Krb5LoginModule]: logged out Subject
When I try to access the page from the web server, I get a login form and after submit I get a Username/Password Failure.
Log:
16:26:14,389 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--0.0.0.0-8080-1) Login failure: javax.security.auth.login.LoginException: No NegotiationContext and no usernamePasswordDomain defined.
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:187) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:137) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_24]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.6.0_24]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.6.0_24]
    at java.lang.reflect.Method.invoke(Method.java:616) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.6.0_24]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.6.0_24]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.6.0_24]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:101) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
    at java.lang.Thread.run(Thread.java:679) [rt.jar:1.6.0_24]
I'd appreciate any help!
Jonathan
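A check worth running on a setup like the one in this post, before digging further into the negotiation itself, is whether the keytab on the web server holds the service principal a browser actually asks the KDC for. A browser reaching the server by its fully qualified name requests a ticket for HTTP/<fqdn>@<REALM>, here HTTP/testserver.sso.test@SSO.TEST, while the standalone.xml above names the principal HTTP/testserver@SSO.TEST. The script below is an added example written for this thread, not code from the poster or from the JBoss Negotiation project. It parses the MIT/Heimdal keytab file format (version 0x0502) and reports whether the expected SPN is present and which encryption types its keys use. The realm, host name and service are taken from the thread; the keytab it reads is constructed in memory, and its kvno, timestamp and key bytes are placeholders rather than real key material.

```python
"""Keytab inspection for an HTTP/<fqdn>@REALM SPNEGO service principal.

Added example, not JBoss Negotiation code. Sample keytab is constructed
in memory with placeholder key bytes.
"""
import struct
from dataclasses import dataclass
from typing import List

# Kerberos enctype numbers (RFC 3961 / RFC 4757). 23 (arcfour-hmac, RC4) is the
# keyType shown in the post's debug output.
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str          # "service/host@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0
    name_type: int = KRB5_NT_PRINCIPAL


def _counted(buf: bytes, pos: int):
    """Read a keytab counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n], pos + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry of a version 0x0502 keytab (big-endian fields)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                  # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # realm is not counted in 0x0502
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno; a non-zero value wins over vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key, timestamp, name_type))
    return entries


def build_keytab(entries: List[KeytabEntry]) -> bytes:
    """Encode entries in the same format; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key + struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_keytab(data: bytes, service: str, fqdn: str, realm: str) -> List[str]:
    """Findings about the SPN a browser contacting https://<fqdn>/ will request."""
    entries = parse_keytab(data)
    want = f"{service}/{fqdn.lower()}@{realm.upper()}"
    have = sorted({e.principal for e in entries})
    findings = []
    if want not in have:
        findings.append(f"no key for {want}; keytab holds {have}")
        short = f"{service}/{fqdn.split('.')[0]}@{realm.upper()}"
        if short in have:
            findings.append(f"{short} only matches tickets for the short host name, not for {fqdn}")
    enctypes = {e.enctype for e in entries if e.principal == want}
    if enctypes and enctypes <= {1, 3, 23}:     # DES and RC4 only
        names = ", ".join(ENCTYPE_NAMES.get(t, str(t)) for t in sorted(enctypes))
        findings.append(f"only legacy enctypes present ({names}); add AES keys where the domain allows")
    return findings


# Constructed sample: the principal the post's standalone.xml references, kvno 5 as in
# the toolkit output, with a zero-filled placeholder RC4 key (not the poster's key).
SAMPLE_KEYTAB = build_keytab([KeytabEntry("HTTP/testserver@SSO.TEST", 5, 23, bytes(16))])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal} kvno={e.kvno} {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    for f in check_keytab(SAMPLE_KEYTAB, "HTTP", "testserver.sso.test", "SSO.TEST"):
        print("finding:", f)
```

To run it against a real file, replace SAMPLE_KEYTAB with the bytes of /sso/testserver.http.keytab; the format it reads is the one klist -k lists. Key bytes are never printed, only principal names, kvno and enctype.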