javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed when in a domain and cluster
jmsjr Jan 28, 2014 10:49 PM
I have a managed domain where the domain controller is on master ( on Windows 7 ) and a host controller running on slave ( called ubuntu1, running as a guest inside Oracle VirtualBox )
I created an ApplicationRealm user called onlineuser from the domain controller ( Yes, I re-added / recreated the user as I initially said No to the last question ):
C:\jboss-eap-6.2\bin>add-user.bat
What type of user do you wish to add?
a) Management User (mgmt-users.properties)
b) Application User (application-users.properties)
(a): b
Enter the details of the new user to add.
Using realm 'ApplicationRealm' as discovered from the existing property files.
Username : onlineuser
User 'onlineuser' already exits, would you like to update the existing user password and roles
Is this correct yes/no? yes
Password :
Re-enter Password :
What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[ ]:
Updated user 'onlineuser' to file 'C:\jboss-eap-6.2\standalone\configuration\application-users.properties'
Updated user 'onlineuser' to file 'C:\jboss-eap-6.2\domain\configuration\application-users.properties'
Updated user 'onlineuser' with groups to file 'C:\jboss-eap-6.2\standalone\configuration\application-roles.properties'
Updated user 'onlineuser' with groups to file 'C:\jboss-eap-6.2\domain\configuration\application-roles.properties'
Is this new user going to be used for one AS process to connect to another AS process?
e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="MG5sIW4zNDU=" />
Press any key to continue . . .
In the host.xml of *BOTH* the master and ubuntu1 host, I have the following in the security-realm:
<security-realms>
    <security-realm name="ManagementRealm">
        <server-identities>
            <!-- Replace this with either a base64 password of your own, or use a vault with a vault expression -->
            <secret value="ZDBtNDFuNGRtMW5e"/>
        </server-identities>
        <authentication>
            <local default-user="$local" />
            <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
        </authentication>
        <authorization map-groups-to-roles="false">
            <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>
        </authorization>
    </security-realm>
    <security-realm name="ApplicationRealm">
        <server-identities>
            <!-- Replace this with either a base64 password of your own, or use a vault with a vault expression -->
            <secret value="MG5sIW4zNDU="/>
        </server-identities>
        <authentication>
            <local default-user="$local" allowed-users="*" />
            <properties path="application-users.properties" relative-to="jboss.domain.config.dir" />
        </authentication>
        <authorization>
            <properties path="application-roles.properties" relative-to="jboss.domain.config.dir"/>
        </authorization>
    </security-realm>
</security-realms>
3. Only the domain controller has the user onlineuser in domain/configuration/application-users.properties:
#$REALM_NAME=ApplicationRealm$ This line is used by the add-user utility to identify the realm name already used in this file.
#
# The following illustrates how an admin user could be defined, this
# is for illustration only and does not correspond to a usable password.
#
#admin=2a0923285184943425d1f53ddd58ec7a
onlineuser=1cf9385dd0c9b957e157af627a2444cb
4. Only the domain controller has the onlineuser in domain/configuration/application-roles.properties:
#admin=PowerUser,BillingAdmin,
#guest=guest
onlineuser=
5. Now from my EJB client code, I have the following jboss-ejb-client.properties:
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connections=ejb
remote.connection.ejb.host=172.21.17.142
remote.connection.ejb.port=4447
remote.connection.ejb.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.ejb.username=onlineuser
remote.connection.ejb.password=0nl!n345
The host 172.21.17.142 is the master / domain controller
When I do a JNDI lookup of a SFSB, I get the following output from the console:
XNIO Version 3.0.7.GA-redhat-1
XNIO NIO Implementation Version 3.0.7.GA-redhat-1
JBoss Remoting version 3.2.18.GA-redhat-1
EJBCLIENT000017: Received server version 2 and marshalling strategies [river]
EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@f5a07b6, receiver=Remoting connection EJB receiver [connection=org.jboss.ejb.client.remoting.ConnectionPool$PooledConnection@5fb04599,channel=jboss.ejb,nodename=master:server-one]} on channel Channel ID c617229a (outbound) of Remoting connection 7e93107f to /172.21.17.142:4447
JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
Could not create a connection for cluster node ClusterNode{clusterName='ejb', nodeName='ubuntu1:server-one', clientMappings=[ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='172.21.17.126', destinationPort=4447}], resolvedDestination=[Destination address=172.21.17.126, destination port=4447]} in cluster ejb
java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:92)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:77)
at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
at org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager.getEJBReceiver(RemotingConnectionClusterNodeManager.java:77)
at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:416)
at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:390)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:367)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:229)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.nio.NioHandle.run(NioHandle.java:90)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:187)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:386)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:152)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:75)
... 8 more
JBoss EJB Client version 1.0.24.Final-redhat-1
6. You can see from the above that it appears that:
* The EJB client was able to connect and authenticate to the host master running on the domain controller
* The EJB client appeared to have received the cluster topology ( both master and ubuntu1 are in the same cluster )
* However, the EJB client could not authenticate to ubuntu1 ( 172.21.17.126 )
* The EJB client was still able to invoke the method on the SFSB but one that is a proxy for the SFSB in master
7. If I change jboss-ejb-client.properties so that the host property points to the slave ( non-domain controller ):
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connections=ejb
remote.connection.ejb.host=172.21.17.126
remote.connection.ejb.port=4447
remote.connection.ejb.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.ejb.username=onlineuser
remote.connection.ejb.password=0nl!n345
I get a similar, but different console output:
XNIO Version 3.0.7.GA-redhat-1
XNIO NIO Implementation Version 3.0.7.GA-redhat-1
JBoss Remoting version 3.2.18.GA-redhat-1
EJBCLIENT000017: Received server version 2 and marshalling strategies [river]
EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@3389e485, receiver=Remoting connection EJB receiver [connection=org.jboss.ejb.client.remoting.ConnectionPool$PooledConnection@21f9f232,channel=jboss.ejb,nodename=ubuntu1:server-one]} on channel Channel ID ca13cd64 (outbound) of Remoting connection 7651eaa2 to /172.21.17.126:4447
EJBCLIENT000017: Received server version 2 and marshalling strategies [river]
EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@3389e485, receiver=Remoting connection EJB receiver [connection=org.jboss.ejb.client.remoting.ConnectionPool$PooledConnection@41f0d692,channel=jboss.ejb,nodename=master:server-one]} on channel Channel ID a4d334c4 (outbound) of Remoting connection 22c2e2dd to /172.21.17.142:4447
JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
Could not create a connection for cluster node ClusterNode{clusterName='ejb', nodeName='ubuntu1:server-one', clientMappings=[ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='172.21.17.126', destinationPort=4447}], resolvedDestination=[Destination address=172.21.17.126, destination port=4447]} in cluster ejb
java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:92)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:77)
at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
at org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager.getEJBReceiver(RemotingConnectionClusterNodeManager.java:77)
at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:416)
at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:390)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:367)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:229)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.nio.NioHandle.run(NioHandle.java:90)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:187)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:386)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:152)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:75)
... 8 more
JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
Could not create a connection for cluster node ClusterNode{clusterName='ejb', nodeName='ubuntu1:server-one', clientMappings=[ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='172.21.17.126', destinationPort=4447}], resolvedDestination=[Destination address=172.21.17.126, destination port=4447]} in cluster ejb
java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:92)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:77)
at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)
at org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager.getEJBReceiver(RemotingConnectionClusterNodeManager.java:77)
at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:416)
at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:390)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:367)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:229)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.nio.NioHandle.run(NioHandle.java:90)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:187)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:386)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:152)
at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)
at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:75)
... 8 more
JBoss EJB Client version 1.0.24.Final-redhat-1
8. If I shut down master, and only leave the slave running and run the EJB client as per properties file in step [7] ( host property points to ubuntu1 ), the console output is:
XNIO Version 3.0.7.GA-redhat-1
XNIO NIO Implementation Version 3.0.7.GA-redhat-1
JBoss Remoting version 3.2.18.GA-redhat-1
JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
9. If I shut down the slave / ubuntu1 and only leave the master running, the EJB client connects successfully:
XNIO Version 3.0.7.GA-redhat-1
XNIO NIO Implementation Version 3.0.7.GA-redhat-1
JBoss Remoting version 3.2.18.GA-redhat-1
EJBCLIENT000017: Received server version 2 and marshalling strategies [river]
EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@51133572, receiver=Remoting connection EJB receiver [connection=org.jboss.ejb.client.remoting.ConnectionPool$PooledConnection@4419f8f3,channel=jboss.ejb,nodename=master:server-one]} on channel Channel ID 8712cef6 (outbound) of Remoting connection 629ca8b8 to /172.21.17.142:4447
JBoss EJB Client version 1.0.24.Final-redhat-1
10. So it appears that the host.xml in the slave / ubuntu1 has something wrong.
But I tried copying the domain/configuration/application-users.properties and domain/configuration/application-roles.properties
from the domain controller master to the slave ubuntu1 and restarted the whole domain ( even the host controllers on both just to be sure ) ... but I still have this "javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed" error message.
FWIW ... I'm trying this out on JBossEAP 6.2 / JBoss7.3
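
A consistency check for the files discussed in the post above, as an added example that is not part of the original post: it recomputes the entry that add-user writes to application-users.properties (hex MD5 of `username:realm:password`), decodes the base64 `<secret value>` attribute, and reports where a host's files disagree with the client credential. The function names, the `appuser` account and the sample password are assumptions constructed for illustration.

```python
import base64
import hashlib

REALM_MARK = "#$REALM_NAME="

def realm_hash(username, realm, password):
    """Value add-user stores: hex MD5 of 'username:realm:password'."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()

def decode_secret(value):
    """The <secret value="..."/> attribute is plain base64 of the password."""
    return base64.b64decode(value).decode()

def parse_users(text):
    """Return (realm, {user: hash}) from application-users.properties text."""
    realm, users = None, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(REALM_MARK):
            realm = line[len(REALM_MARK):].split("$", 1)[0]
        elif line and not line.startswith("#") and "=" in line:
            user, digest = line.split("=", 1)
            users[user.strip()] = digest.strip().lower()
    return realm, users

def check_host(props_text, username, password, secret=None):
    """List inconsistencies between one host's files and the client credential."""
    realm, users = parse_users(props_text)
    findings = []
    if realm is None:
        findings.append("no realm marker")
    elif username not in users:
        findings.append("user missing")
    elif users[username] != realm_hash(username, realm, password):
        findings.append("hash mismatch")
    if secret is not None and decode_secret(secret) != password:
        findings.append("secret mismatch")
    return findings

# Constructed sample data (not the poster's files or password).
PW = "example-Passw0rd"
HEADER = "#$REALM_NAME=ApplicationRealm$ This line is used by the add-user utility\n"
HOSTS = {
    "master": HEADER + "appuser=" + realm_hash("appuser", "ApplicationRealm", PW) + "\n",
    "ubuntu1": HEADER + "#admin=2a0923285184943425d1f53ddd58ec7a\n",
}

if __name__ == "__main__":
    secret = base64.b64encode(PW.encode()).decode()
    for host, text in HOSTS.items():
        print(host, check_host(text, "appuser", PW, secret) or "consistent")
```

Run against the real file contents from each host's domain/configuration directory, an empty list for every host means the stored hash and the secret agree with the client's username and password.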