1 Reply Latest reply on Aug 6, 2013 3:42 AM by minal.bagade

    jboss-negotiation-toolkit test SecurityDomainTest does not work

    minal.bagade

      Hi,

      I need help finding the solution to make the SecurityDomainTest and Secured tests work.

      Below is my configuration:

      Machines:

      AD
      ----------
      Windows 2008 R2 (domain: ssodomain.com)
      Users: ASUser (SPN user)
             john (client machine domain user)

      Application Server:
      --------------
      Windows 7 (domain: ssodomain)
      JBoss 5.1.0 GA

      Client Machine:
      ---------------
      Windows 7 (domain: ssodomain)
      Logged in user: john
      IE 8.

      I created an SPN on AD:

      C:\Keytab>ktpass -out ASUser_keytab -princ ASUser@SSODOMAIN.COM -mapUser ASUser -kvno 0 -crypto AES128-SHA1 -pass Password@123 -ptype KRB5_NT_PRINCIPAL

      Targeting domain controller: SSOAD.ssodomain.com
      Using legacy password setting method
      Failed to set property 'servicePrincipalName' to 'ASUser' on Dn 'CN=ASUser,CN=Users,DC=ssodomain,DC=com': 0x13.
      WARNING: Unable to set SPN mapping data.
      If ASUser already has an SPN mapping installed for ASUser, this is no cause for concern.
      Key created.
      Output keytab to ASUser_keytab:
      Keytab version: 0x502
      keysize 54 ASUser@SSODOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x11 (AES128-SHA1) keylength 16 (0x6b8614aad1ac1e482b769fd5b91d6e1b)

       

       

       

      Later I configured the login-config.xml file of the default profile:

      <application-policy name="host">
        <authentication>
          <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey">true</module-option>
            <module-option name="useKeyTab">true</module-option>
            <module-option name="principal">HTTP/ASUser@SSODOMAIN.COM</module-option>
            <module-option name="keyTab">ASUser_keytab</module-option>
            <module-option name="doNotPrompt">true</module-option>
            <module-option name="debug">true</module-option>
          </login-module>
        </authentication>
      </application-policy>

      <application-policy name="SPNEGO">
        <authentication>
          <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="serverSecurityDomain">host</module-option>
          </login-module>
          <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="bindAuthentication">GSSAPI</module-option>
            <module-option name="jaasSecurityDomain">host</module-option>
            <module-option name="java.naming.provider.url">ldap://SSODOMAIN.COM:3268</moduleoption>
            <module-option name="baseCtxDN">CN=Users,DC=ssodomain,DC=com</moduleoption>
            <module-option name="baseFilter">(userPrincipalname={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="rolenameAttributeID">cn</module-option>
            <module-option name="recurseRoles">true</module-option>
          </login-module>
        </authentication>
      </application-policy>

       

      Configured my IE 8 on the client machine for SPNEGO.

      When I hit the jboss-negotiation-toolkit from the client browser (IE 8):

      1. Basic negotiation is successful.

      2. But SecurityDomainTest gives the below error:

      Negotiation Toolkit
      Security Domain Test
      Testing security-domain 'host'
      Failed!
      javax.security.auth.login.LoginException - No LoginModules configured for host

       

       

      On the JBoss console I can see the following error:

      19:38:40,714 INFO  [BasicNegotiationServlet] Authorization header received - decoding token.
      19:39:27,187 ERROR [SecurityDomainTestServlet] testDomain Failed
      javax.security.auth.login.LoginException: No LoginModules configured for host
              at javax.security.auth.login.LoginContext.init(LoginContext.java:273)
              at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349)
              at org.jboss.security.negotiation.toolkit.SecurityDomainTestServlet.testDomain(SecurityDomainTestServlet.java:105)
              at org.jboss.security.negotiation.toolkit.SecurityDomainTestServlet.doGet(SecurityDomainTestServlet.java:77)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
              at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
              at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
              at java.lang.Thread.run(Thread.java:722)

       

       

      3. And the Secured test gives me a blank page.

      Please share any workaround or solution; it would be a great help.

      Thanks,
      Minal
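A check worth running before touching the toolkit, as an added example that is not code from this thread or from JBoss Negotiation: parse the keytab ktpass produced and compare its principals with the `principal` option of the Krb5LoginModule in the `host` policy. The ktpass output above writes a version 0x502 keytab holding ASUser@SSODOMAIN.COM (ptype 1, vno 0, etype 0x11, keylength 16), while the host policy asks for HTTP/ASUser@SSODOMAIN.COM; a mismatch of that kind is a separate failure from the "No LoginModules configured" error and surfaces inside the Krb5LoginModule itself. The keytab bytes below are constructed in the script with an all-zero placeholder key (not the key printed on the page), and the policy text is a copy of the posted host policy wrapped in a root element so it parses on its own.

```python
import struct
import xml.etree.ElementTree as ET

# Constructed copy of the "host" application-policy as posted, wrapped in a
# root element so it parses on its own. Only the Krb5LoginModule options matter.
HOST_POLICY_XML = """<policy>
  <application-policy name="host">
    <authentication>
      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
        <module-option name="storeKey">true</module-option>
        <module-option name="useKeyTab">true</module-option>
        <module-option name="principal">HTTP/ASUser@SSODOMAIN.COM</module-option>
        <module-option name="keyTab">ASUser_keytab</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

KEYTAB_MAGIC = b"\x05\x02"   # "Keytab version: 0x502" in the ktpass output


def _counted(b):
    """counted_octet_string as used in MIT keytabs: uint16 big-endian length, then bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize a version 0x502 keytab from (principal, name_type, vno, etype, key) tuples.
    Only used here to construct sample input; ktpass or kadmin does this for real."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, name_type, vno, etype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")            # "HTTP/host" -> ["HTTP", "host"]
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        body += struct.pack(">IIB", name_type, 0, vno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", etype) + _counted(key)
        out += struct.pack(">i", len(body)) + body          # int32 entry size, then entry
    return bytes(out)


def parse_keytab(data):
    """Parse a version 0x502 keytab into dicts: principal, name_type, vno, etype, keylength."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []

    def take(n):
        nonlocal pos
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    def counted():
        (n,) = struct.unpack(">H", take(2))
        return take(n)

    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", take(4))
        if size == 0:
            break
        if size < 0:                        # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", take(2))
        realm = counted().decode()
        components = [counted().decode() for _ in range(ncomp)]
        name_type, _timestamp, vno = struct.unpack(">IIB", take(9))
        (etype,) = struct.unpack(">H", take(2))
        key = counted()
        if end - pos >= 4:                  # 32-bit vno is present only when space remains
            (vno,) = struct.unpack(">I", take(4))
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "name_type": name_type, "vno": vno, "etype": etype,
                        "keylength": len(key)})
    return entries


def configured_principal(xml_text):
    """Return the 'principal' module-option of the first Krb5LoginModule in the policy."""
    root = ET.fromstring(xml_text)
    for lm in root.iter("login-module"):
        if lm.get("code", "").endswith("Krb5LoginModule"):
            for opt in lm.findall("module-option"):
                if opt.get("name") == "principal":
                    return opt.text.strip()
    return None


def check_keytab_matches(xml_text, keytab_bytes):
    """Return (wanted principal, principals in the keytab, whether wanted is among them)."""
    wanted = configured_principal(xml_text)
    present = [e["principal"] for e in parse_keytab(keytab_bytes)]
    return wanted, present, wanted in present


if __name__ == "__main__":
    # Constructed keytab mirroring the ktpass line (ptype 1, vno 0, etype 0x11,
    # keylength 16) with a zero placeholder key, not the key printed on the page.
    sample_keytab = build_keytab([("ASUser@SSODOMAIN.COM", 1, 0, 0x11, b"\x00" * 16)])
    wanted, present, ok = check_keytab_matches(HOST_POLICY_XML, sample_keytab)
    print("config wants %s; keytab has %s; match=%s" % (wanted, present, ok))
```

The entry size the builder produces for ASUser@SSODOMAIN.COM is 54 bytes, the same `keysize 54` ktpass printed, which is a useful sanity check that the layout is read correctly. On a real server, read `ASUser_keytab` with `open(path, "rb").read()` in place of the constructed bytes.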

        • 1. Re: jboss-negotiation-toolkit test SecurityDomainTest does not work
          minal.bagade

          Update,

          When I use the same configuration with

          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="usersProperties">C:\AppServer\jboss-5.1.0.GA\server\default\conf\props\spnego-users.properties</module-option>
            <module-option name="rolesProperties">C:\AppServer\jboss-5.1.0.GA\server\default\conf\props\spnego-roles.properties</module-option>
          </login-module>

          the Basic Negotiation and Security Domain tests work well, and the Secured test fails.

          But when I use

          <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
            <module-option name="password-stacking">useFirstPass</module-option>
            <module-option name="bindAuthentication">GSSAPI</module-option>
            <module-option name="jaasSecurityDomain">host</module-option>
            <module-option name="java.naming.provider.url">ldap://SSODOMAIN.COM:3268</moduleoption>
            <module-option name="baseCtxDN">CN=Users,DC=ssodomain,DC=com</moduleoption>
            <module-option name="baseFilter">(userPrincipalname={0})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="rolenameAttributeID">cn</module-option>
            <module-option name="recurseRoles">true</module-option>
          </login-module>

          it gives me the above error and only the Basic Negotiation works.
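A second check, added here as an example (not code from this thread or from JBoss), covers both the login-config.xml in the first post and the comparison in the reply: the AdvancedLdapLoginModule block closes two `<module-option>` elements with `</moduleoption>`, which is not well-formed XML, so any XML parser rejects the whole file and none of the policies in it can be read. The UsersRolesLoginModule block that replaces it in the reply has no such tag, which is consistent with the `host` test passing in that configuration. The script below parses a constructed copy of the posted policies, reports the parser's line and column for the first defect, and lists the policies and login modules it can see once the closing tags are repaired.

```python
import xml.etree.ElementTree as ET

# Constructed login-config.xml reduced to the two policies posted in this thread.
# The AdvancedLdapLoginModule block keeps the two "</moduleoption>" closing tags
# exactly as they appear in the posts; everything else is trimmed to what the
# check needs.
POSTED_CONFIG = """<policy>
  <application-policy name="host">
    <authentication>
      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
        <module-option name="useKeyTab">true</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="SPNEGO">
    <authentication>
      <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
        <module-option name="serverSecurityDomain">host</module-option>
      </login-module>
      <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">
        <module-option name="bindAuthentication">GSSAPI</module-option>
        <module-option name="java.naming.provider.url">ldap://SSODOMAIN.COM:3268</moduleoption>
        <module-option name="baseCtxDN">CN=Users,DC=ssodomain,DC=com</moduleoption>
      </login-module>
    </authentication>
  </application-policy>
</policy>
"""


def validate_login_config(text):
    """Parse a login-config.xml. Returns (False, 'line L col C: reason') when the text
    is not well-formed XML, otherwise (True, {policy name: [login-module codes]})
    so you can see which security domains a parser would actually load."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as err:
        line, col = err.position
        return False, "line %d col %d: %s" % (line, col, err)
    policies = {}
    for policy in root.iter("application-policy"):
        policies[policy.get("name")] = [lm.get("code") for lm in policy.iter("login-module")]
    return True, policies


def fix_closing_tags(text):
    """Repair the one defect visible in the thread: closing tags that lost their hyphen."""
    return text.replace("</moduleoption>", "</module-option>")


if __name__ == "__main__":
    ok, detail = validate_login_config(POSTED_CONFIG)
    print("as posted:", "well-formed" if ok else "NOT well-formed -> " + detail)
    ok, detail = validate_login_config(fix_closing_tags(POSTED_CONFIG))
    print("after fix:", detail)
```

To run it against a real server, read `server/default/conf/login-config.xml` into `text` in place of `POSTED_CONFIG`; a security domain that the parser cannot see is one JAAS cannot find, whatever the rest of the file says.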