-
1. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 1, 2013 12:08 AM (in response to ayip)
Andy,
JBoss Kerberos AFAIK uses the com.sun.security.auth.module.Krb5LoginModule, and Teiid just uses the JBoss JAAS for Kerberos. So they use the same module; there is no difference, they are one and the same.
Your issue could be configuration based; if you post your configuration maybe we can help.
Ramesh..
-
2. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 2, 2013 8:56 AM (in response to rareddy)
Hello Ramesh
Thanks for the response. I did a bit of research and yes, you are correct about the JBoss Kerberos being the com.sun.security.auth.module.Krb5LoginModule. I'm sure it will be a simple/stupid configuration item I've overlooked.
My configuration: standard-teiid.xml (I've re-typed my configuration, as my testing has been on an offline domain so it's hard for me to post the configuration file)
<?xml version='1.0' encoding='UTF-8'?>
<server xmlns="urn:jboss:domain:1.4">
<extensions>
<extension module="org.jboss.as.clustering.infinispan"/>
<extension module="org.jboss.as.connector"/>
<extension module="org.jboss.as.deployment-scanner"/>
<extension module="org.jboss.as.ee"/>
<extension module="org.jboss.as.ejb3"/>
<extension module="org.jboss.as.jaxrs"/>
<extension module="org.jboss.as.jdr"/>
<extension module="org.jboss.as.jmx"/>
<extension module="org.jboss.as.jpa"/>
<extension module="org.jboss.as.jsf"/>
<extension module="org.jboss.as.logging"/>
<extension module="org.jboss.as.mail"/>
<extension module="org.jboss.as.naming"/>
<extension module="org.jboss.as.pojo"/>
<extension module="org.jboss.as.remoting"/>
<extension module="org.jboss.as.sar"/>
<extension module="org.jboss.as.security"/>
<extension module="org.jboss.teiid"/>
<extension module="org.jboss.as.threads"/>
<extension module="org.jboss.as.transactions"/>
<extension module="org.jboss.as.web"/>
<extension module="org.jboss.as.webservices"/>
<extension module="org.jboss.as.weld"/>
</extensions>
<management>
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<local default-user="$local"/>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
<security-realm name="ApplicationRealm">
<authentication>
<local default-user="$local" allowed-users="*"/>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
<authorization>
<properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
</authorization>
</security-realm>
</security-realms>
<management-interfaces>
<native-interface security-realm="ManagementRealm">
<socket-binding native="management-native"/>
</native-interface>
<http-interface security-realm="ManagementRealm">
<socket-binding http="management-http"/>
</http-interface>
</management-interfaces>
</management>
<profile>
<subsystem xmlns="urn:jboss:domain:logging:1.2">
<console-handler name="CONSOLE">
<level name="INFO"/>
<formatter>
<pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %X{teiid-session} %s%E%n"/>
</formatter>
</console-handler>
<periodic-rotating-file-handler name="FILE" autoflush="true">
<formatter>
<pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %X{teiid-session} %s%E%n"/>
</formatter>
<file relative-to="jboss.server.log.dir" path="server.log"/>
<suffix value=".yyyy-MM-dd"/>
<append value="true"/>
</periodic-rotating-file-handler>
<logger category="com.arjuna">
<level name="WARN"/>
</logger>
<logger category="org.apache.tomcat.util.modeler">
<level name="WARN"/>
</logger>
<logger category="org.jboss.as.config">
<level name="DEBUG"/>
</logger>
<logger category="sun.rmi">
<level name="WARN"/>
</logger>
<logger category="jacorb">
<level name="WARN"/>
</logger>
<logger category="jacorb.config">
<level name="ERROR"/>
</logger>
<root-logger>
<level name="INFO"/>
<handlers>
<handler name="CONSOLE"/>
<handler name="FILE"/>
</handlers>
</root-logger>
</subsystem>
<subsystem xmlns="urn:jboss:domain:datasources:1.1">
<datasources>
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">
<connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
<driver>h2</driver>
<security>
<user-name>sa</user-name>
<password>sa</password>
</security>
</datasource>
<datasource jndi-name="java:/sqlserverDS" pool-name="sqlserverDS" enabled="true">
<connection-url>jdbc:sqlserver://app1.corp.contoso.com:1433;integratedSecurity=true;authenticationScheme=JavaKerberos</connection-url>
<driver>sqlserver</driver>
<pool>
<prefill>false</prefill>
<use-strict-min>false</use-strict-min>
<flush-strategy>FailingConnectionOnly</flush-strategy>
</pool>
</datasource>
<drivers>
<driver name="h2" module="com.h2database.h2">
<xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
</driver>
<driver name="teiid-local" module="org.jboss.teiid">
<driver-class>org.teiid.jdbc.TeiidDriver</driver-class>
<xa-datasource-class>org.teiid.jdbc.TeiidDataSource</xa-datasource-class>
</driver>
<driver name="teiid" module="org.jboss.teiid.client">
<driver-class>org.teiid.jdbc.TeiidDriver</driver-class>
<xa-datasource-class>org.teiid.jdbc.TeiidDataSource</xa-datasource-class>
</driver>
<driver name="sqlserver" module="com.microsoft.sqlserver">
<driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>
</driver>
</drivers>
</datasources>
</subsystem>
<subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">
<deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ee:1.1">
<spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
<jboss-descriptor-property-replacement>true</jboss-descriptor-property-replacement>
</subsystem>
<subsystem xmlns="urn:jboss:domain:ejb3:1.4">
<session-bean>
<stateless>
<bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
</stateless>
<stateful default-access-timeout="5000" cache-ref="simple"/>
<singleton default-access-timeout="5000"/>
</session-bean>
<pools>
<bean-instance-pools>
<strict-max-pool name="slsb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
<strict-max-pool name="mdb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
</bean-instance-pools>
</pools>
<caches>
<cache name="simple" aliases="NoPassivationCache"/>
<cache name="passivating" passivation-store-ref="file" aliases="SimpleStatefulCache"/>
</caches>
<passivation-stores>
<file-passivation-store name="file"/>
</passivation-stores>
<async thread-pool-name="default"/>
<timer-service thread-pool-name="default">
<data-store path="timer-service-data" relative-to="jboss.server.data.dir"/>
</timer-service>
<remote connector-ref="remoting-connector" thread-pool-name="default"/>
<thread-pools>
<thread-pool name="default">
<max-threads count="10"/>
<keepalive-time time="100" unit="milliseconds"/>
</thread-pool>
</thread-pools>
<default-security-domain value="other"/>
<default-missing-method-permissions-deny-access value="true"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:infinispan:1.4">
<cache-container name="web" aliases="standard-session-cache" default-cache="local-web" module="org.jboss.as.clustering.web.infinispan">
<local-cache name="local-web" batching="true">
<file-store passivation="false" purge="false"/>
</local-cache>
</cache-container>
<cache-container name="hibernate" default-cache="local-query" module="org.jboss.as.jpa.hibernate:4">
<local-cache name="entity">
<transaction mode="NON_XA"/>
<eviction strategy="LRU" max-entries="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="local-query">
<transaction mode="NONE"/>
<eviction strategy="LRU" max-entries="10000"/>
<expiration max-idle="100000"/>
</local-cache>
<local-cache name="timestamps">
<transaction mode="NONE"/>
<eviction strategy="NONE"/>
</local-cache>
</cache-container>
<cache-container name="teiid" default-cache="resultset">
<local-cache name="resultset">
<transaction mode="NON_XA"/>
<expiration lifespan="7200000" />
<eviction max-entries="1024" strategy="LIRS"/>
</local-cache>
<local-cache name="resultset-repl">
<transaction mode="NON_XA"/>
<expiration lifespan="7200000" />
<eviction max-entries="1024" strategy="LIRS"/>
</local-cache>
<local-cache name="preparedplan">
<expiration lifespan="28800" />
<eviction max-entries="512" strategy="LIRS"/>
</local-cache>
</cache-container>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>
<subsystem xmlns="urn:jboss:domain:jca:1.1">
<archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
<bean-validation enabled="true"/>
<default-workmanager>
<short-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</short-running-threads>
<long-running-threads>
<core-threads count="50"/>
<queue-length count="50"/>
<max-threads count="50"/>
<keepalive-time time="10" unit="seconds"/>
</long-running-threads>
</default-workmanager>
<cached-connection-manager/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jdr:1.0"/>
<subsystem xmlns="urn:jboss:domain:jmx:1.2">
<expose-resolved-model/>
<expose-expression-model/>
<remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jpa:1.1">
<jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jsf:1.0"/>
<subsystem xmlns="urn:jboss:domain:mail:1.1">
<mail-session jndi-name="java:jboss/mail/Default">
<smtp-server outbound-socket-binding-ref="mail-smtp"/>
</mail-session>
</subsystem>
<subsystem xmlns="urn:jboss:domain:naming:1.3">
<remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:pojo:1.0"/>
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.1">
<resource-adapters>
<resource-adapter id="file">
<module slot="main" id="org.jboss.teiid.resource-adapter.file"/>
</resource-adapter>
<resource-adapter id="google">
<module slot="main" id="org.jboss.teiid.resource-adapter.google"/>
</resource-adapter>
<resource-adapter id="infinispan">
<module slot="main" id="org.jboss.teiid.resource-adapter.infinispan"/>
</resource-adapter>
<resource-adapter id="ldap">
<module slot="main" id="org.jboss.teiid.resource-adapter.ldap"/>
</resource-adapter>
<resource-adapter id="salesforce">
<module slot="main" id="org.jboss.teiid.resource-adapter.salesforce"/>
</resource-adapter>
<resource-adapter id="webservice">
<module slot="main" id="org.jboss.teiid.resource-adapter.webservice"/>
</resource-adapter>
<resource-adapter id="mongodb">
<module slot="main" id="org.jboss.teiid.resource-adapter.mongodb"/>
</resource-adapter>
<resource-adapter id="cassandra">
<module slot="main" id="org.jboss.teiid.resource-adapter.cassandra"/>
</resource-adapter>
</resource-adapters>
</subsystem>
<subsystem xmlns="urn:jboss:domain:sar:1.0"/>
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmDirect" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="krb5-domain" cache-type="default">
<authentication>
<login-module code="Kerberos" flag="required">
<!-- module options take their value as an attribute, as in the teiid-security domain below -->
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="HTTP/JBOSS.CORP.CONTOSO.COM@CORP.CONTOSO.COM"/>
<module-option name="keyTab" value="C:\jboss\keyTab\jboss.keytab"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="debug" value="true"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="teiid-security" cache-type="default">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:teiid:1.0">
<async-thread-pool>teiid-async</async-thread-pool>
<resultset-cache infinispan-container="teiid" name="resultset"/>
<preparedplan-cache infinispan-container="teiid" name="preparedplan"/>
<transport name="embedded"/>
<transport name="odata">
<authentication security-domain="teiid-security"/>
</transport>
<transport name="jdbc" protocol="teiid" socket-binding="teiid-jdbc">
<authentication security-domain="teiid-security" krb5-domain="krb5-domain"/>
</transport>
<transport name="odbc" protocol="pg" socket-binding="teiid-odbc">
<authentication security-domain="teiid-security"/>
</transport>
<policy-decider-module>org.jboss.teiid</policy-decider-module>
<translator name="jdbc-simple" module="org.jboss.teiid.translator.jdbc"/>
<translator name="jdbc-ansi" module="org.jboss.teiid.translator.jdbc"/>
<translator name="access" module="org.jboss.teiid.translator.jdbc"/>
<translator name="db2" module="org.jboss.teiid.translator.jdbc"/>
<translator name="derby" module="org.jboss.teiid.translator.jdbc"/>
<translator name="h2" module="org.jboss.teiid.translator.jdbc"/>
<translator name="hsql" module="org.jboss.teiid.translator.jdbc"/>
<translator name="informix" module="org.jboss.teiid.translator.jdbc"/>
<translator name="metamatrix" module="org.jboss.teiid.translator.jdbc"/>
<translator name="mysql" module="org.jboss.teiid.translator.jdbc"/>
<translator name="mysql5" module="org.jboss.teiid.translator.jdbc"/>
<translator name="oracle" module="org.jboss.teiid.translator.jdbc"/>
<translator name="postgresql" module="org.jboss.teiid.translator.jdbc"/>
<translator name="sqlserver" module="org.jboss.teiid.translator.jdbc"/>
<translator name="sybase" module="org.jboss.teiid.translator.jdbc"/>
<translator name="teiid" module="org.jboss.teiid.translator.jdbc"/>
<translator name="teradata" module="org.jboss.teiid.translator.jdbc"/>
<translator name="modeshape" module="org.jboss.teiid.translator.jdbc"/>
<translator name="ingres" module="org.jboss.teiid.translator.jdbc"/>
<translator name="ingres93" module="org.jboss.teiid.translator.jdbc"/>
<translator name="intersystems-cache" module="org.jboss.teiid.translator.jdbc"/>
<translator name="netezza" module="org.jboss.teiid.translator.jdbc"/>
<translator name="file" module="org.jboss.teiid.translator.file"/>
<translator name="ldap" module="org.jboss.teiid.translator.ldap"/>
<translator name="loopback" module="org.jboss.teiid.translator.loopback"/>
<translator name="olap" module="org.jboss.teiid.translator.olap"/>
<translator name="ws" module="org.jboss.teiid.translator.ws"/>
<translator name="salesforce" module="org.jboss.teiid.translator.salesforce"/>
<translator name="hive" module="org.jboss.teiid.translator.hive"/>
<translator name="jpa2" module="org.jboss.teiid.translator.jpa"/>
<translator name="infinispan-cache" module="org.jboss.teiid.translator.object"/>
<translator name="map-cache" module="org.jboss.teiid.translator.object"/>
<translator name="odata" module="org.jboss.teiid.translator.odata"/>
<translator name="sap-nw-gateway" module="org.jboss.teiid.translator.odata"/>
<translator name="mongodb" module="org.jboss.teiid.translator.mongodb"/>
<translator name="cassandra" module="org.jboss.teiid.translator.cassandra"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:threads:1.1">
<bounded-queue-thread-pool name="teiid-async">
<max-threads count="4"/>
<queue-length count="100"/>
</bounded-queue-thread-pool>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:1.2">
<core-environment>
<process-id>
<uuid/>
</process-id>
</core-environment>
<recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>
<coordinator-environment default-timeout="300"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
<subsystem xmlns="urn:jboss:domain:webservices:1.2">
<modify-wsdl-address>true</modify-wsdl-address>
<wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
<endpoint-config name="Standard-Endpoint-Config"/>
<endpoint-config name="Recording-Endpoint-Config">
<pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
<handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
</pre-handler-chain>
</endpoint-config>
<client-config name="Standard-Client-Config"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:weld:1.0"/>
</profile>
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
<interface name="public">
<inet-address value="${jboss.bind.address:0.0.0.0}"/>
</interface>
<interface name="unsecure">
<inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>
</interface>
</interfaces>
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
<socket-binding name="ajp" port="8009"/>
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
<socket-binding name="remoting" port="4447"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<socket-binding name="teiid-jdbc" interface="public" port="31000"/>
<socket-binding name="teiid-odbc" interface="public" port="35432"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
</server>
In the standalone.conf.bat I've added:
rem append each -D option to the existing JAVA_OPTS instead of overwriting it
set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.realm=CORP.CONTOSO.COM"
set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.kdc=DC1.CORP.CONTOSO.COM"
set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.useSubjectCredsOnly=false"
My test vdb
<vdb name="testSQL" version="1">
<description>test sql server</description>
<property name="importer.useFullSchemaName" value="true"/>
<source name="sql-connector" translator-name="sqlserver" connection-jndi-name="java:/sqlserverDS"/>
</vdb>
I've installed the JBoss Negotiation Toolkit. I've passed the basic negotiation test. For the Security Domain test, it failed. I used JBOSS.CORP.CONTOSO.COM as my host. I got back a Java exception: javax.security.auth.login.LoginException - PBOX000053: No CallbackHandler available to collect authentication information. This is the same error I get when I start my JBoss server with the vdb deployed.
I did a bit of searching on the internet; it could be my keytab file location that's incorrect. I tried file:///C:/jboss/keyTab/jboss.keytab and C:/jboss/keyTab/jboss.keytab as the value but still no success.
My test domain setup (followed technet article: Steps for Configuring the Corpnet Subnet)
DC1.CORP.CONTOSO.COM - Win2008 R2 (Domain Controller, DNS, DHCP, CA)
APP1.CORP.CONTOSO.COM - Win2008 R2 (SQL Server, IIS)
APP2.CORP.CONTOSO.COM - Win2008 R2 (JBoss, also known as JBOSS.CORP.CONTOSO.COM)
A couple of clients (Windows 7, 8.1)
-
3. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 2, 2013 3:06 PM (in response to ayip)
Some update. I deleted my JBoss Teiid directory and started fresh with freshly extracted JBoss files.
I've added back the configuration in standard.xml:
<system-properties>
<property name="java.security.krb5.kdc" value="DC1.CORP.CONTOSO.COM"/>
<property name="java.security.krb5.realm" value="CORP.CONTOSO.COM"/>
</system-properties>
......
<security-domain name="host" cache-type="default">
<authentication>
<login-module code="Kerberos" flag="required">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="HTTP/JBOSS.CORP.CONTOSO.COM@CORP.CONTOSO.COM"/>
<module-option name="keyTab" value="${jboss.home.dir}\jboss.keytab"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="debug" value="true"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="requisite">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="host"/>
<module-option name="defaultRole" value="Users"/>
<module-option name="debug" value="true"/>
</login-module>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="usersProperties" value="${jboss.home.dir}\spnego-users.properties"/>
<module-option name="rolesProperties" value="${jboss.home.dir}\spnego-roles.properties"/>
</login-module>
</authentication>
</security-domain>
I am now getting "Client not found in Kerberos database (6)" in the Security Domain Test.
If I change the Kerberos module to include the options renewTGT=true and useTicketCache=true and remove the storeKey, useKeyTab, principal, and keyTab options, I pass the Security Domain Test. However, I still fail the Secured test.
-
4. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 2, 2013 3:22 PM (in response to ayip)
Can you try a normal account rather than the service account to see if that is the issue?
-
5. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
graeme.gillies Dec 2, 2013 8:04 PM (in response to ayip)
Hi,
I think you might want to take a closer look at
<login-module code="Kerberos" flag="required">
<module-option name="storeKey" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="principal" value="HTTP/JBOSS.CORP.CONTOSO.COM@CORP.CONTOSO.COM"/>
<module-option name="keyTab" value="${jboss.home.dir}\jboss.keytab"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="debug" value="true"/>
</login-module>
If you are not using a keytab, then you want to remove the keytab value and change useKeyTab to false. You will want to change the principal to be the principal of the logged-in user of the service (I'm assuming something like servicename@CORP.CONTOSO.COM). There might be some other options on the Kerberos login module you will need to tweak as well:
https://docs.jboss.org/author/display/AS71/Security+subsystem+configuration
Regards,
Graeme
-
6. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 3, 2013 10:42 AM (in response to rareddy)
Hello Ramesh
I figured out why the keytab file wasn't working. The principal was associated with too many accounts (I believe it was because I forgot to clean it up when I was testing). Now both methods are working: using the keytab and using the service account's session ticket.
Now I'm faced with a small ...or odd error: I am getting "Failed to open properties file from URL: java.net.MalformedURLException".
I've tried changing the module options for usersProperties and rolesProperties to:
file://C:/jboss/spnego-users.properties, file://C:\jboss\spnego-users.properties
file://C:/jboss/spnego-roles.properties, file://C:\jboss\spnego-roles.properties
But no dice, still the same error. It's probably something small I've overlooked.
-
7. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 3, 2013 10:44 AM (in response to graeme.gillies)
Hello Graeme
Thanks for the links. When using the service account I'm using the module options renewTGT=true and useTicketCache=true while removing (commenting out) the storeKey, useKeyTab, principal, and keyTab module options.
I can't say which method is better, but both options seem to be working.
Cheers,
-
8. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 3, 2013 11:19 AM (in response to ayip)
Andy,
Great!
${jboss.home.dir}/spnego-users.properties
Did not work?
Is there any way you can write up your setup in detail, both using the keytab and the service account, in a blog or in the Teiid documents or wiki? I feel Teiid needs more documentation around this topic than what we have (my knowledge on this topic is limited). I would really appreciate it.
Thanks
Ramesh..
-
9. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 3, 2013 11:46 AM (in response to rareddy)
Hello Ramesh
I'm documenting on my side as I go along. Once I get everything to work (including Teiid), I will definitely post the result here. Thanks for your help.
Combination:
<module-option name="usersProperties" value="${jboss.home.dir}\spnego-users.properties"/>
<module-option name="rolesProperties" value="${jboss.home.dir}\spnego-roles.properties"/>
server.log:
Failed to open properties file from URL: java.net.MalformedURLException: no protocol: defaultRoles.properties
Failed to open properties file from URL: java.net.MalformedURLException: unknown protocol: c
Combination:
<module-option name="usersProperties" value="file://${jboss.home.dir}\spnego-users.properties"/>
<module-option name="rolesProperties" value="file://${jboss.home.dir}\spnego-roles.properties"/>
server.log:
Failed to open properties file from URL: java.net.MalformedURLException: no protocol: defaultUsers.properties
Login failure: javax.security.auth.login.LoginException: Missing properties file: file://C:\jboss\spnego-users.properties
-
10. Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 3, 2013 12:49 PM (in response to ayip)
A URL does not like backslashes, so in your case ${jboss.home.dir} is set to "c:\jboss", which is resulting in "file://C:\jboss\spnego-users.properties", which should have been
file://C:/jboss/spnego-users.properties
So try the below, with no prepended "file://" and no backslash "\":
${jboss.home.dir}/spnego-roles.properties
Or simply copy them into the config directory like the "teiid-security-users.properties" file, and use the same path pattern defined there.
Ramesh..
-
11. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 3, 2013 2:44 PM (in response to rareddy)
Hello Ramesh
Still no dice.
The closest I've gotten is:
<module-option name="defaultUsersProperties" value="file://C:/jboss/standalone/configurtion/spnego-users.properties"/>
<module-option name="defaultRolesProperties" value="file://C:/jboss/standalone/configurtion/spnego-roles.properties"/>
I get a java.net.UnknownHostException: C.
I tried adding a third / after the protocol, but that got me an unknown protocol.
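As an added illustration of the URL point Ramesh raises above (my own example, not code from the thread or from JBoss/PicketBox), here is how java.net.URL parses each of the forms tried in this thread, plus the File-based way to build a file URL from a Windows path; the paths are constructed sample values and the expected results in the comments assume a Windows JVM:

```java
import java.io.File;
import java.net.MalformedURLException;
import java.net.URL;

/**
 * Added example: why "C:\..." and "file://C:/..." fail as property-file URLs.
 * A file: URL must carry NO host; "file://C:/..." makes "C" the host, which is
 * what produces the UnknownHostException: C seen above.
 */
public class PropertiesUrlCheck {

    /** Parse spec and describe what java.net.URL makes of it (or why it was rejected). */
    public static String describe(String spec) {
        try {
            URL u = new URL(spec);
            return "ok: protocol=" + u.getProtocol()
                 + " host=" + u.getHost()      // a non-empty host on a file: URL is a bug
                 + " path=" + u.getPath();
        } catch (MalformedURLException e) {
            return "MalformedURLException: " + e.getMessage();
        }
    }

    /** A file: URL is usable locally only if it parses, has no host and has a path. */
    public static boolean isLocalFileUrl(String spec) {
        try {
            URL u = new URL(spec);
            return "file".equals(u.getProtocol())
                && u.getHost().isEmpty()
                && !u.getPath().isEmpty();
        } catch (MalformedURLException e) {
            return false;
        }
    }

    /** Robust alternative: let java.io.File handle drive letter and separators. */
    public static URL fromPath(String path) throws MalformedURLException {
        return new File(path).toURI().toURL();  // on Windows: file:/C:/jboss/spnego-users.properties
    }

    public static void main(String[] args) throws Exception {
        String[] tried = {
            // "C:" is read as the scheme -> MalformedURLException: unknown protocol: c
            "C:\\jboss\\spnego-users.properties",
            // no '/' ends the authority, so everything after "C:" is parsed as a port -> rejected
            "file://C:\\jboss\\spnego-users.properties",
            // parses, but host="C" -> UnknownHostException: C when the stream is opened
            "file://C:/jboss/spnego-users.properties",
            // empty host, path "/C:/jboss/spnego-users.properties" -> usable on Windows
            "file:///C:/jboss/spnego-users.properties",
        };
        for (String spec : tried) {
            System.out.println(spec + "  ->  " + describe(spec)
                               + "  usable=" + isLocalFileUrl(spec));
        }
        System.out.println(fromPath("C:\\jboss\\spnego-users.properties"));
    }
}
```

Only the last form (and the plain filesystem path, with no file:// prefix and forward slashes) identifies a local file; any form that yields a host name will be treated as a network location.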
-
12. Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 3, 2013 2:59 PM (in response to ayip)
Andy,
When the code does not find the property files you defined, it falls back to defaultUsersProperties and defaultRolesProperties. So, if we fix the first issue, the code will not look for the "default" properties files at all.
So I want to make sure you tried
<module-option name="usersProperties" value="${jboss.home.dir}/spnego-users.properties"/>
<module-option name="rolesProperties" value="${jboss.home.dir}/spnego-roles.properties"/>
where the property files are in the root JBoss installation directory, or alternatively
<module-option name="usersProperties" value="${jboss.server.config.dir}/spnego-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/spnego-roles.properties"/>
where the property files are in the "<jboss-eap>/standalone/configuration" directory.
Ramesh..
-
13. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
ayip Dec 3, 2013 3:09 PM (in response to rareddy)
Hello Ramesh
I tried both, and usersProperties/rolesProperties do not seem to use the value ... but with the defaultUsersProperties/defaultRolesProperties options, it picks up my value...
-
14. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
rareddy Dec 3, 2013 3:23 PM (in response to ayip)
Andy,
Here is the code reference if you want to debug against it.
Ramesh..