Wildfly and SPNEGO
scsynergy, Jul 1, 2016 7:53 AM
I have been trying for two weeks now to get SPNEGO SSO authentication working by following this article ("SPNego Authentication with JBoss", DZone Integration), but I keep getting this error which I know not how to solve. For testing purposes I use the jboss-negotiation-toolkit (jboss-negotiation/jboss-negotiation-toolkit at master, wildfly-security/jboss-negotiation on GitHub).
Wildfly Server log file:
Options:
name=principal, value=HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
name=debug, value=true
name=doNotPrompt, value=true
name=storeKey, value=true
name=keyTab, value=/opt/elementary/wildfly-10.0.0.Final/standalone/configuration/spnego.keytab
name=useKeyTab, value=true
name=refreshKrb5Config, value=true
2016-07-01 10:34:41,303 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) Wrapped Krb5LoginModule is 'com.sun.security.auth.module.Krb5LoginModule'
2016-07-01 10:34:41,303 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) delegationCredential=IGNORE
2016-07-01 10:34:41,323 INFO [stdout] (default task-7) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/elementary/wildfly-10.0.0.Final/standalone/configuration/spnego.keytab refreshKrb5Config is true principal is HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2016-07-01 10:34:41,324 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) Initialised wrapped login module.
2016-07-01 10:34:41,324 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) addGssCredential=false
2016-07-01 10:34:41,325 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) wrapGssCredential=false
2016-07-01 10:34:41,326 INFO [stdout] (default task-7) Refreshing Kerberos configuration
2016-07-01 10:34:41,336 INFO [stdout] (default task-7) Java config name: /etc/krb5.conf
2016-07-01 10:34:41,338 INFO [stdout] (default task-7) Loaded from Java config
2016-07-01 10:34:41,340 INFO [stdout] (default task-7) >>> KdcAccessibility: reset
2016-07-01 10:34:41,341 INFO [stdout] (default task-7) >>> KdcAccessibility: reset
2016-07-01 10:34:41,357 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID
2016-07-01 10:34:41,358 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP
2016-07-01 10:34:41,358 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid
2016-07-01 10:34:41,362 INFO [stdout] (default task-7) >>> KeyTab: load() entry length: 82; type: 1
2016-07-01 10:34:41,363 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID
2016-07-01 10:34:41,363 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP
2016-07-01 10:34:41,365 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid
2016-07-01 10:34:41,366 INFO [stdout] (default task-7) >>> KeyTab: load() entry length: 82; type: 3
2016-07-01 10:34:41,371 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID
2016-07-01 10:34:41,373 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP
2016-07-01 10:34:41,374 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid
2016-07-01 10:34:41,374 INFO [stdout] (default task-7) >>> KeyTab: load() entry length: 90; type: 17
2016-07-01 10:34:41,375 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID
2016-07-01 10:34:41,375 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP
2016-07-01 10:34:41,381 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid
2016-07-01 10:34:41,381 INFO [stdout] (default task-7) >>> KeyTab: load() entry length: 106; type: 18
2016-07-01 10:34:41,381 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID
2016-07-01 10:34:41,382 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP
2016-07-01 10:34:41,382 INFO [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid
2016-07-01 10:34:41,382 INFO [stdout] (default task-7) >>> KeyTab: load() entry length: 90; type: 23
2016-07-01 10:34:41,382 INFO [stdout] (default task-7) Looking for keys for: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
2016-07-01 10:34:41,384 INFO [stdout] (default task-7) Added key: 23version: 1
2016-07-01 10:34:41,384 INFO [stdout] (default task-7) Added key: 18version: 1
2016-07-01 10:34:41,385 INFO [stdout] (default task-7) Added key: 17version: 1
2016-07-01 10:34:41,385 INFO [stdout] (default task-7) Found unsupported keytype (3) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
2016-07-01 10:34:41,387 INFO [stdout] (default task-7) Found unsupported keytype (1) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
2016-07-01 10:34:41,399 INFO [stdout] (default task-7) Looking for keys for: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
2016-07-01 10:34:41,399 INFO [stdout] (default task-7) Added key: 23version: 1
2016-07-01 10:34:41,399 INFO [stdout] (default task-7) Added key: 18version: 1
2016-07-01 10:34:41,401 INFO [stdout] (default task-7) Added key: 17version: 1
2016-07-01 10:34:41,401 INFO [stdout] (default task-7) Found unsupported keytype (3) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
2016-07-01 10:34:41,401 INFO [stdout] (default task-7) Found unsupported keytype (1) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
2016-07-01 10:34:41,402 INFO [stdout] (default task-7) Using builtin default etypes for default_tkt_enctypes
2016-07-01 10:34:41,402 INFO [stdout] (default task-7) default etypes for default_tkt_enctypes: 18 17 16 23.
2016-07-01 10:34:41,407 INFO [stdout] (default task-7) >>> KrbAsReq creating message
2016-07-01 10:34:41,410 INFO [stdout] (default task-7) >>> KrbKdcReq send: kdc=192.168.17.2 UDP:88, timeout=30000, number of retries =3, #bytes=177
2016-07-01 10:34:41,414 INFO [stdout] (default task-7) >>> KDCCommunication: kdc=192.168.17.2 UDP:88, timeout=30000,Attempt =1, #bytes=177
2016-07-01 10:34:41,417 INFO [stdout] (default task-7) >>> KrbKdcReq send: #bytes read=174
2016-07-01 10:34:41,418 INFO [stdout] (default task-7) >>> KdcAccessibility: remove 192.168.17.2:88
2016-07-01 10:34:41,419 INFO [stdout] (default task-7) >>> KDCRep: init() encoding tag is 126 req type is 11
2016-07-01 10:34:41,420 INFO [stdout] (default task-7) >>>KRBError:
2016-07-01 10:34:41,421 INFO [stdout] (default task-7) sTime is Fri Jul 01 10:34:41 CEST 2016 1467362081000
2016-07-01 10:34:41,422 INFO [stdout] (default task-7) suSec is 419369
2016-07-01 10:34:41,424 INFO [stdout] (default task-7) error code is 6
2016-07-01 10:34:41,425 INFO [stdout] (default task-7) error Message is Client not found in Kerberos database
2016-07-01 10:34:41,428 INFO [stdout] (default task-7) cname is HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
2016-07-01 10:34:41,428 INFO [stdout] (default task-7) sname is krbtgt/SCSYNERGY.INVALID@SCSYNERGY.INVALID
2016-07-01 10:34:41,428 INFO [stdout] (default task-7) msgType is 30
2016-07-01 10:34:41,428 INFO [stdout] (default task-7) [Krb5LoginModule] authentication failed
2016-07-01 10:34:41,428 INFO [stdout] (default task-7) Client not found in Kerberos database (6)
2016-07-01 10:34:41,429 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) Calling wrapped login module to abort.
2016-07-01 10:34:41,431 TRACE [org.jboss.security] (default task-7) PBOX00244: Begin abort method, overall result: false
2016-07-01 10:34:41,432 DEBUG [org.jboss.security] (default task-7) PBOX00206: Login failure: javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at org.jboss.security.negotiation.KerberosLoginModule.login(KerberosLoginModule.java:190)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.getServerSubject(SPNEGOLoginModule.java:332)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:285)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:229)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:147)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:99)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: KrbException: Client not found in Kerberos database (6)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
... 64 more
Caused by: KrbException: Identifier doesn't match expected value (906)
at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
... 67 more
standalone.xml (just the relevant parts):
<system-properties>
<property name="grape.root" value="${jboss.server.base.dir}"/>
<property name="java.security.krb5.conf" value="/etc/krb5.conf"/>
<property name="java.security.krb5.debug" value="true"/>
<property name="jboss.security.disable.secdomain.option" value="true"/>
</system-properties>
<security-domain name="SPNEGO" cache-type="default">
<authentication>
<login-module code="SPNEGO" flag="required">
<module-option name="password-stacking" value="useFirstPass"/>
<module-option name="serverSecurityDomain" value="host"/>
</login-module>
</authentication>
<mapping>
<mapping-module code="SimpleRoles" type="role">
<module-option name="Administrator@SCSYNERGY.INVALID" value="Admin"/>
</mapping-module>
</mapping>
</security-domain>
<security-domain name="host" cache-type="default">
<authentication>
<login-module code="Kerberos" flag="required" module="org.jboss.security.negotiation">
<module-option name="refreshKrb5Config" value="true"/>
<module-option name="doNotPrompt" value="true"/>
<module-option name="useKeyTab" value="true"/>
<module-option name="keyTab" value="${jboss.server.config.dir}/spnego.keytab"/>
<module-option name="storeKey" value="true"/>
<module-option name="principal" value="HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID"/>
<module-option name="debug" value="true"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
/etc/krb5.conf:
[libdefaults]
default_realm = SCSYNERGY.INVALID
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = true
[realms]
SCSYNERGY.INVALID = {
kdc = 192.168.17.2:88
admin_server = 192.168.17.2
}
[domain_realm]
.scsynergy.invalid = SCSYNERGY.INVALID
scsynergy.invalid = SCSYNERGY.INVALID
I use Samba for Active Directory according to this article https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller
I created a keytab file with the following commands:
samba-tool user add --use-username-as-cn spnego
samba-tool spn add HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID spnego
samba-tool domain exportkeytab spnego.keytab --principal=HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
I had to add the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8 to my JRE, or otherwise Java was not able to handle the encryption types (Found unsupported keytype (3) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID).
I can kinit as any user without problems; the browser does the SPNEGO negotiation but then fails when trying to authenticate to the 'host' security domain with the above error. I have tried putting Wildfly and Samba on the same machine, different machines, tried using the webpage from a separate third PC or the same PC as Wildfly is running on, tried changing user names, domains, configuration values ... all to no avail, though by playing around I did notice that anything except the current values would break it more than it is now.
I attached some files which show what computers, SPNs and users Samba 'Active Directory' has.
Any help in solving this issue would be greatly appreciated!
Attachments:
- ldapsearch-all.txt.zip (23.2 KB)
- ldapsearch-computer.txt.zip (1.2 KB)
- ldapsearch-spn-http.txt.zip (822 bytes)
- ldapsearch-user.txt.zip (1.3 KB)
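An added triage helper, not part of the original post and not code from the WildFly or JBoss Negotiation projects: it reads the kind of Java Krb5LoginModule debug lines quoted above (re-typed here as a constructed sample with the timestamp and thread prefixes trimmed) and separates the keytab/etype noise from the actual KDC verdict. The etype, error-code and message-type tables are the RFC 3961/3962/4757/4120 assignments; the reading of the inner "Identifier doesn't match expected value (906)" cause as a tag mismatch follows from the "encoding tag is 126 req type is 11" line, since DER tag 126 is [APPLICATION 30], i.e. a KRB-ERROR, arriving where an AS-REP (type 11) was expected.

```python
"""Triage Java Krb5LoginModule debug output: what did the KDC actually say?"""
import re

# Constructed sample: the log lines from the post above, prefixes removed.
SAMPLE_LOG = """\
Debug is true storeKey true useTicketCache false useKeyTab true isInitiator true
>>> KeyTab: load() entry length: 82; type: 1
>>> KeyTab: load() entry length: 82; type: 3
>>> KeyTab: load() entry length: 90; type: 17
>>> KeyTab: load() entry length: 106; type: 18
>>> KeyTab: load() entry length: 90; type: 23
Looking for keys for: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
Added key: 23version: 1
Added key: 18version: 1
Added key: 17version: 1
Found unsupported keytype (3) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
Found unsupported keytype (1) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
error code is 6
error Message is Client not found in Kerberos database
cname is HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
sname is krbtgt/SCSYNERGY.INVALID@SCSYNERGY.INVALID
msgType is 30
"""

# Encryption type numbers (RFC 3961 / 3962 / 4757).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# KDC error codes (RFC 4120 section 7.5.9, subset).
KRB_ERROR_CODES = {6: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
                   14: "KDC_ERR_ETYPE_NOSUPP", 24: "KDC_ERR_PREAUTH_FAILED",
                   25: "KDC_ERR_PREAUTH_REQUIRED"}
# Message types (RFC 4120 section 7.5.7, subset).
KRB_MSG_TYPES = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP", 30: "KRB-ERROR"}


def keytab_etypes(log):
    """Etype of every entry the JVM read from the keytab, in file order."""
    return [int(t) for t in re.findall(r"KeyTab: load\(\) entry length: \d+; type: (\d+)", log)]


def usable_etypes(log):
    """Etypes whose keys the JVM accepted for the principal."""
    return sorted({int(t) for t in re.findall(r"Added key: (\d+)version", log)})


def unsupported_etypes(log):
    """Etypes the JVM refused (single DES is off by default in Java 8)."""
    return sorted({int(t) for t in re.findall(r"Found unsupported keytype \((\d+)\)", log)})


def is_initiator(log):
    """True when the login module obtains a TGT for its own principal (AS exchange)."""
    m = re.search(r"isInitiator (true|false)", log)
    return bool(m) and m.group(1) == "true"


def decode_app_tag(tag):
    """Tag number n of a DER [APPLICATION n] constructed tag byte, else None."""
    if tag is None or tag & 0xE0 != 0x60:   # class APPLICATION (01) + constructed (1)
        return None
    return tag & 0x1F


def parse_krb_error(log):
    """Fields of the KRB-ERROR block and the parser's expectation, as a dict."""
    patterns = {"code": r"error code is (\d+)", "message": r"error Message is (.+)",
                "cname": r"cname is (\S+)", "sname": r"sname is (\S+)",
                "msg_type": r"msgType is (\d+)", "received_tag": r"encoding tag is (\d+)",
                "expected_type": r"req type is (\d+)"}
    out = {}
    for key, pat in patterns.items():
        m = re.search(pat, log)
        if m:
            val = m.group(1).strip()
            out[key] = int(val) if val.isdigit() else val
    return out


def diagnose(log):
    """Findings drawn only from what the log states, in reading order."""
    findings = []
    usable, skipped = usable_etypes(log), unsupported_etypes(log)
    findings.append("keytab: usable etypes %s; skipped %s"
                    % ([ETYPE_NAMES.get(e, e) for e in usable], [ETYPE_NAMES.get(e, e) for e in skipped]))
    if usable and skipped and all(e in (1, 3) for e in skipped):
        findings.append("skipped entries are single-DES only; stronger keys loaded, so the keytab is not the blocker")
    err = parse_krb_error(log)
    if err.get("msg_type") == 30:
        code = err.get("code")
        findings.append("KDC answered with KRB-ERROR %s (%s) for cname %s"
                        % (code, KRB_ERROR_CODES.get(code, "?"), err.get("cname")))
        if code == 6:
            role = "as its own principal (isInitiator=true)" if is_initiator(log) else "as a client"
            findings.append("the KDC has no client principal named %s; the AS-REQ was sent %s and was "
                            "rejected at client lookup, before any keytab key was exercised" % (err["cname"], role))
        got = decode_app_tag(err.get("received_tag"))
        if got is not None and got != err.get("expected_type"):
            findings.append("the (906) cause only records that a %s arrived where an %s was expected"
                            % (KRB_MSG_TYPES.get(got, got), KRB_MSG_TYPES.get(err.get("expected_type"), "?")))
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_LOG):
        print("-", line)
```

Run it against a saved server.log excerpt instead of SAMPLE_LOG to see, at a glance, whether a failure happened at keytab loading (no usable etypes), at the KDC (a KRB-ERROR with its code and cname), or only in the client-side parser.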