JBoss Negotiation SPNEGO / Kerberos
jkueck92 Sep 15, 2016 8:33 AM

Hey guys,
we have a problem with Kerberos / Active Directory and JBoss. We tried to find a solution last week but we don't know.
We are trying to build an SSO with our web application against the AD. I found many examples of how to do this and I tried a lot.
We did the following steps.
Domain Controller:
- Domain: test.local
Server machine:
- Name: serverMachine
- Domain: test.local
- User: tuser
- Download and install fresh JBoss AS 7.1.1.Final
- call on ad machine: setspn -a HTTP/serverMachine tuser
- call on ad machine: ktpass /princ HTTP/serverMachine@TEST.LOCAL /pass ** /mapuser tuser@TEST.LOCAL /out ** /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1
- configure JBoss:
  <system-properties>
      <property name="sun.security.krb5.debug" value="true"/>
      <property name="java.security.krb5.kdc" value="**"/>
      <property name="java.security.krb5.realm" value="TEST.LOCAL"/>
      <property name="java.security.krb5.conf" value="krb5.conf"/>
  </system-properties>

  <security-domain name="host" cache-type="default">
      <authentication>
          <login-module code="Kerberos" flag="required">
              <module-option name="debug" value="true" />
              <module-option name="storeKey" value="true" />
              <module-option name="refreshKrb5Config" value="true" />
              <module-option name="useKeyTab" value="true" />
              <module-option name="doNotPrompt" value="true" />
              <module-option name="keyTab" value="key.keytab" />
              <module-option name="principal" value="HTTP/serverMachine@TEST.LOCAL" />
          </login-module>
          <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="optional">
              <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
              <module-option name="java.naming.provider.url" value="ldap://**" />
              <module-option name="java.naming.security.authentication" value="simple" />
              <module-option name="principalDNPrefix" value="" />
              <module-option name="principalDNSuffix" value="@test.local" />
              <module-option name="rolesCtxDN" value="OU=CS,DC=test,DC=local" />
              <module-option name="matchOnUserDN" value="false" />
              <module-option name="uidAttributeID" value="sAMAccountName" />
              <module-option name="roleAttributeID" value="memberOf" />
              <module-option name="roleNameAttributeID" value="name" />
              <module-option name="roleAttributeIsDN" value="true" />
              <module-option name="allowEmptyPasswords" value="false" />
          </login-module>
      </authentication>
  </security-domain>

  <security-domain name="SPNEGO" cache-type="default">
      <authentication>
          <login-module code="SPNEGO" flag="required">
              <module-option name="serverSecurityDomain" value="host" />
          </login-module>
      </authentication>
  </security-domain>
We tested the configuration with the JBoss Negotiation toolkit and get the following error when we call the secured page:
GSSException: Failure unspecified at GSS-API level (Mechanism level: Specified version of key is not available (44))
If we run the security domain test it looks like we are authenticated, we get no error and I think we get a ticket.
We investigated and understand that the error might occur when the kvno in the keytab file and in AD are not the same.
We checked that with Wireshark from AD: in the enc-part section under kvno it says 9.
In the keytab file I searched with ktab -l -k key.keytab and there is only one entry with kvno 9.
Can anyone help us? We have no idea why the problem occurs.
Thanks for replies and help!
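Added example (not from the original post, and not JBoss or Java code): a small keytab reader that does offline what the poster did by hand with `ktab -l -k` and Wireshark. It parses the MIT/Heimdal keytab layout (version 0x0502, the one Java's ktab and ktpass write), lists principal, kvno and enctype per entry, and compares that against the kvno and etype the KDC put in the ticket's enc-part. The "Specified version of key is not available" failure needs both to line up: the acceptor must hold a key for the service principal with the same kvno as the ticket and of the enctype the ticket was encrypted with, so the check covers the enctype as well as the kvno the thread talks about. The sample keytab is constructed inline with an all-zero dummy key so the script runs without a real file; the principal, realm and kvno 9 are taken from the post, everything else about the sample is made up.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Enctype numbers from RFC 3961/3962 and RFC 4757; only those an AD KDC
# commonly issues are named here, others are shown as "enctype-N".
ENCTYPE_NAMES = {
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "HTTP/serverMachine@TEST.LOCAL"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL, as passed to ktpass /ptype
    timestamp: int
    kvno: int
    enctype: int

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, "enctype-%d" % self.enctype)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version-0x0502 keytab and return its entries without the key
    material. A trailing 32-bit kvno, when present and nonzero, overrides
    the 8-bit one; a negative entry size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])

    def counted_string(at: int):
        (n,) = struct.unpack_from(">H", data, at)
        return data[at + 2:at + 2 + n].decode("utf-8"), at + 2 + n

    entries: List[KeytabEntry] = []
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = counted_string(pos)
        components = []
        for _ in range(ncomp):
            comp, pos = counted_string(pos)
            components.append(comp)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", data, pos)
        pos += 4 + key_len           # skip the key bytes themselves
        kvno = vno8
        if end - pos >= 4:
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(components) + "@" + realm,
                                   name_type, timestamp, kvno, enctype))
    return entries


def build_keytab(principal: str, kvno: int, enctype: int, key: bytes,
                 name_type: int = 1, timestamp: int = 0) -> bytes:
    """Serialise one entry in the same layout. Used only to construct the
    sample below; real keytabs come from ktpass or ktab."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))
    for s in [realm] + components:
        raw = s.encode("utf-8")
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def matching_keys(entries: List[KeytabEntry], principal: str, kvno: int,
                  enctype: Optional[int] = None) -> List[KeytabEntry]:
    """Entries usable for a ticket whose enc-part carries this kvno (and etype)."""
    return [e for e in entries
            if e.principal == principal and e.kvno == kvno
            and (enctype is None or e.enctype == enctype)]


def diagnose(data: bytes, principal: str, wire_kvno: int, wire_enctype: int) -> str:
    """Compare the keytab with the kvno/etype seen in the ticket's enc-part."""
    mine = [e for e in parse_keytab(data) if e.principal == principal]
    if not mine:
        return "principal not in keytab"
    if not matching_keys(mine, principal, wire_kvno):
        return "kvno mismatch: keytab has %s, ticket uses %d" % (
            sorted({e.kvno for e in mine}), wire_kvno)
    if not matching_keys(mine, principal, wire_kvno, wire_enctype):
        return "enctype mismatch: keytab has %s for kvno %d, ticket uses %s" % (
            sorted({e.enctype_name for e in mine if e.kvno == wire_kvno}),
            wire_kvno, ENCTYPE_NAMES.get(wire_enctype, str(wire_enctype)))
    return "ok"


# Constructed sample: the post's principal and kvno 9, AES256 (etype 18),
# with a dummy all-zero key instead of the real one from ktpass.
SAMPLE_KEYTAB = build_keytab("HTTP/serverMachine@TEST.LOCAL", 9, 18, b"\x00" * 32)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print("%-40s kvno=%-3d %s" % (e.principal, e.kvno, e.enctype_name))
    print(diagnose(data, "HTTP/serverMachine@TEST.LOCAL", 9, 18))
```

Run it with the real `key.keytab` as the first argument and the kvno and etype read from the AP-REQ in Wireshark; when it prints `ok` for the principal JBoss uses, the keytab itself is not the mismatch and the next thing to compare is which principal name the login module actually asked for against the entries listed.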