5 Replies Latest reply on May 10, 2017 2:33 AM by mchoma

    Wildfly 10 and SPNEGO

    cain

      Hello,

       

      I've been doing some research on how to get Wildfly to use LDAP (Active Directory in our case).  I was able to create a security domain using the LdapExtLoginModule and log in to the application using that.  However, it would be nice if users didn't have to log in manually.  This led me to SPNEGO, but I can't seem to get it working.  The first change I made was setting <auth-method>SPNEGO</auth-method> and adding <realm-name>MyRealm</realm-name> to the web.xml.  MyRealm references my newly converted LDAP realm via JAAS, which I used when using FORM authentication.  That didn't work, so I did some research and discovered that I can create an LDAP security realm, so I did that and added all the connection info in and updated my web.xml, but it also doesn't work.  Unfortunately I don't seem to get any message in the log file, despite adding logger categories for org.jboss.security and com.sun.jndi.ldap.

       

      <security-realm name="LdapRealm">
        <authentication>
          <!-- LocalLdap is an outbound-connection defined elsewhere in the management model -->
          <ldap connection="LocalLdap" base-dn="ou=HQ,dc=domain,dc=com">
            <!-- username-filter takes the bare attribute name; a {0} placeholder is only meaningful in advanced-filter -->
            <username-filter attribute="sAMAccountName"/>
          </ldap>
        </authentication>
        <authorization>
          <ldap connection="LocalLdap">
            <username-to-dn>
              <username-is-dn/>
            </username-to-dn>
            <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="uid">
              <principal-to-group group-attribute="memberOf"/>
            </group-search>
          </ldap>
        </authorization>
      </security-realm>
      

       

      Is there a guide anywhere that I can follow to get SPNEGO set up?  As I previously mentioned, I did get ldap authentication working fine using FORM authentication, so I know I can connect to the ldap server fine.

        • 1. Re: Wildfly 10 and SPNEGO
          mchoma
          • 2. Re: Wildfly 10 and SPNEGO
            cain

            Ok, I followed a couple of guides and still can't get this to work.  Here are the guides, and here's what I did:

            Section 5: Active directory user creation: Negotiation User Guide

            Rest of the configuration including keytab export: Configuring JBoss Negotiation in an all Windows Domain

            I went through and followed the guide exactly and I just can't get past this checksum exception.


            standalone.xml

            <security-domain name="Kerberos">
              <authentication>
                <login-module code="com.sun.security.auth.module.Krb5LoginModule" module="org.jboss.security.negotiation" flag="sufficient">
                  <module-option name="debug" value="true"/>
                  <module-option name="storeKey" value="true"/>
                  <module-option name="refreshKrb5Config" value="true"/>
                  <module-option name="useKeyTab" value="true"/>
                  <module-option name="doNotPrompt" value="true"/>
                  <!-- Kerberos principal and realm names are case-sensitive -->
                  <module-option name="principal" value="HTTP/wildflyhost@FOO.com"/>
                  <module-option name="keyTab" value="C:/keytab/wildfly.keytab"/>
                </login-module>
              </authentication>
            </security-domain>

            <security-domain name="FOODomain" cache-type="default">
              <authentication>
                <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" module="org.jboss.security.negotiation" flag="requisite">
                  <module-option name="password-stacking" value="useFirstPass"/>
                  <!-- the Kerberos domain above supplies the server's own identity (the keytab) -->
                  <module-option name="serverSecurityDomain" value="Kerberos"/>
                </login-module>
              </authentication>
            </security-domain>

             

            Here's the exception I keep getting:

            11:19:57,004 DEBUG [org.jboss.security] (default task-4) PBOX00206: Login failure: javax.security.auth.login.LoginException: Checksum failed
              at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
              at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.getServerSubject(SPNEGOLoginModule.java:332)
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:285)
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:229)
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:147)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
              at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
              at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
              at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:101)
              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
              at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
              at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
              at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
              at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
              at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
              at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
              at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
              at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
              at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
              at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
              at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
              at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
              at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
              at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
              at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
              at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
              at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
              at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
              at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
              at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
              at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
              at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
              at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
              at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
              at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
              at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
              at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
              at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:745)
            Caused by: KrbException: Checksum failed
              at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:102)
              at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:94)
              at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
              at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:149)
              at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
              at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:285)
              at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
              at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
              ... 75 more
            Caused by: java.security.GeneralSecurityException: Checksum failed
              at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
              at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
              at sun.security.krb5.internal.crypto.Aes128.decrypt(Aes128.java:76)
              at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:100)
              ... 82 more

            • 3. Re: Wildfly 10 and SPNEGO
              cain

              It looks like I'm getting closer.  When I try to log in now, I keep getting a PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required. that repeats over and over until IE says the page cannot be displayed.  Chrome gives an error saying there are too many redirects.  I also get an entry in the log that says 'Storing username 'user@domain.com' and empty password'.  I think I'm almost there, just need to get over this last hurdle.

               

              EDIT:  For reference here's what I'm doing

               

              1. Create new user called wildfly in Active Directory (Server 2008) with login name wildfly

              2. Open properties for the user, check no pre-authorization

               

              map principal to server

              ktpass -princ HTTP/jb2016.foo.com@FOO.COM -pass * -mapuser FOO_DOMAIN\wildfly -ptype KRB5_NT_PRINCIPAL -crypto ALL

               

              reset password for wildfly (otherwise the ktab command won't generate the correct checksum)

               

              determine KVNO for use with ktab command

              dsquery * -filter sAMAccountName=wildfly -attr msDS-KeyVersionNumber

               

              create keytab file

              ktab -k wildfly.keytab -a HTTP/jb2016.foo.com@FOO.COM -n <KVNO>

               

              verify the appropriate stuff is in the keytab file

              ktab -l -e -k wildfly.keytab

               

              KVNO Principal

              ---- ----------------------------------------------------------------------

                 4 HTTP/jb2016.foo.com@FOO.COM (18:AES256 CTS mode with HMAC SHA1-96)

                 4 HTTP/jb2016.foo.com@FOO.COM (17:AES128 CTS mode with HMAC SHA1-96)

                 4 HTTP/jb2016.foo.com@FOO.COM (16:DES3 CBC mode with SHA1-KD)

                 4 HTTP/jb2016.foo.com@FOO.COM (23:RC4 with HMAC)

               

              set principal in standalone.xml

              <module-option name="principal" value="HTTP/jb2016.foo.com@FOO.COM"/>
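
Added example (not from the thread, and not WildFly or JBoss Negotiation code): a Python inspector for the keytab that the ktpass/dsquery/ktab steps above produce. It reads the version 2 keytab layout that both MIT ktutil and Java's ktab write and checks the three things that decide whether Krb5LoginModule can decrypt the KDC's reply: that an entry exists for exactly the string given in the `principal` module option (the realm part is case-sensitive, so `@FOO.com` and `@FOO.COM` are different principals), that the entry's KVNO matches the account's msDS-KeyVersionNumber from dsquery, and which enctypes the keys cover. A "Checksum failed" while decrypting the AS-REP with a keytab, as in reply 2, means the key in the keytab is not the key the KDC holds for that principal, which is exactly what a password reset after the export or a wrong KVNO produces. The keytab bytes below are constructed in code for the principal used in this post; in practice read wildfly.keytab from disk.

```python
"""Inspect an MIT/Java keytab (file format 0x0502) against the Krb5LoginModule
settings.  Added example; SAMPLE_KEYTAB below is built in code, not exported
from a real domain."""
import struct
from collections import namedtuple

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_OR_DEPRECATED = {1, 3, 16, 23}          # single DES, triple DES, RC4

KeytabEntry = namedtuple("KeytabEntry", "principal kvno enctype key")

def _cos(b):
    """counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def _read_cos(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Return the live entries; a negative size marks a slot deleted by ktab -d."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cos(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cos(data, pos)
            comps.append(c.decode())
        pos += 8                                 # uint32 name_type, uint32 timestamp
        kvno = data[pos]                         # 8-bit vno; a 32-bit vno may follow the key
        (etype,) = struct.unpack_from(">H", data, pos + 1)
        key, pos = _read_cos(data, pos + 3)
        if end - pos >= 4:
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or kvno
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, key))
        pos = end
    return entries

def build_keytab(entries):
    """Write [(principal, kvno, enctype, key)] in the same v2 layout."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, etype, key in entries:
        name, _, realm = principal.rpartition("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">H", etype) + _cos(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def check_keytab(data, configured_principal, expected_kvno):
    """Findings for the keytab against the login module's `principal` option and
    the account's msDS-KeyVersionNumber.  An empty list means nothing looked off."""
    entries = parse_keytab(data)
    matching = [e for e in entries if e.principal == configured_principal]
    findings = []
    if not matching:
        findings.append("no entry for %r; keytab holds %s"
                        % (configured_principal, sorted({e.principal for e in entries})))
        if any(e.principal.lower() == configured_principal.lower() for e in entries):
            findings.append("an entry differs only by case: principal and realm names are case-sensitive")
        return findings
    for e in matching:
        name = ENCTYPES.get(e.enctype, "etype %d" % e.enctype)
        if e.kvno != expected_kvno:
            findings.append("kvno %d for %s does not match msDS-KeyVersionNumber %d: "
                            "the key is stale, so the KDC reply cannot decrypt" % (e.kvno, name, expected_kvno))
        if e.enctype in WEAK_OR_DEPRECATED:
            findings.append("weak or deprecated enctype %s in keytab" % name)
    if not any(e.enctype in (17, 18) for e in matching):
        findings.append("no AES key for %s" % configured_principal)
    return findings

# Constructed sample: the principal from this post, kvno 4, three key types
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/jb2016.foo.com@FOO.COM", 4, 18, b"\x11" * 32),
    ("HTTP/jb2016.foo.com@FOO.COM", 4, 17, b"\x22" * 16),
    ("HTTP/jb2016.foo.com@FOO.COM", 4, 23, b"\x33" * 16),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):          # same view as `ktab -l -e`
        print("%4d %s (%d:%s)" % (e.kvno, e.principal, e.enctype, ENCTYPES[e.enctype]))
    for f in check_keytab(SAMPLE_KEYTAB, "HTTP/jb2016.foo.com@FOO.com", 4):
        print("!", f)
```

Run as a script it prints a `ktab -l -e` style listing and then the findings for a `principal` option whose realm is lower-cased, which is the mismatch between reply 2 and this reply. Against a real file, pass `open(path, "rb").read()` to `check_keytab` together with the KVNO that dsquery returned.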

              • 4. Re: Wildfly 10 and SPNEGO
                cain

                Another update, so people don't try to help with outdated information.

                 

                I'm now at the point where the keytab is set up correctly (i believe) and it tries to authenticate, but then it goes into a loop of exceptions.

                 

                Relevant standalone.xml stuff

                 <!-- excerpt of the security subsystem; other domains omitted -->
                 <security-domains>
                   <security-domain name="Kerberos">
                     <authentication>
                       <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient" module="org.jboss.security.negotiation">
                         <module-option name="debug" value="true"/>
                         <module-option name="storeKey" value="true"/>
                         <module-option name="refreshKrb5Config" value="true"/>
                         <module-option name="useKeyTab" value="true"/>
                         <module-option name="doNotPrompt" value="false"/>
                         <module-option name="principal" value="HTTP/jb2016.domain.com@DOMAIN.COM"/>
                         <module-option name="keyTab" value="C:/temp/wildfly.keytab"/>
                       </login-module>
                     </authentication>
                   </security-domain>
                   <security-domain name="SPNEGO" cache-type="default">
                     <authentication>
                       <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite" module="org.jboss.security.negotiation">
                         <module-option name="password-stacking" value="useFirstPass"/>
                         <module-option name="serverSecurityDomain" value="Kerberos"/>
                       </login-module>
                     </authentication>
                   </security-domain>
                 </security-domains>
                

                 

                 

                 krb5.conf

                 [libdefaults]
                   default_realm = DOMAIN.COM
                   ticket_lifetime = 600
                   # des-cbc-md5 and des-cbc-crc are single DES: Java 8 ignores them unless
                   # allow_weak_crypto = true is set, and rc4-hmac and des3 are deprecated too
                   default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
                   default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
                   permitted_enctypes  = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

                 [realms]
                   DOMAIN.COM = {
                     kdc = dc2.domain.com
                     admin_server = dc2.domain.com
                     default_domain = DOMAIN.COM
                   }

                 [domain_realm]
                   # maps DNS names to a realm; the realm name itself carries no leading dot
                   .domain.com = DOMAIN.COM
                   domain.com = DOMAIN.COM


                 

                wildfly.keytab

                KVNO Principal
                ---- ----------------------------------------------------------------------
                  4 HTTP/jb2016.domain.com@DOMAIN.COM (18:AES256 CTS mode with HMAC SHA1-96)
                  4 HTTP/jb2016.domain.com@DOMAIN.COM (17:AES128 CTS mode with HMAC SHA1-96)
                  4 HTTP/jb2016.domain.com@DOMAIN.COM (16:DES3 CBC mode with SHA1-KD)
                  4 HTTP/jb2016.domain.com@DOMAIN.COM (23:RC4 with HMAC)
                

                 

                Exception loop

                 

                2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) removeRealmFromPrincipal=false
                2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) serverSecurityDomain=Kerberos
                2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) usernamePasswordDomain=null
                2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
                2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Refreshing Kerberos configuration
                2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Java config name: C:/java/tools/wildfly/bin/krb5.conf
                2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) Loaded from Java config
                2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) >>> KdcAccessibility: reset
                2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) >>> KdcAccessibility: reset
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 82; type: 18
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
                 2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 66; type: 17
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 74; type: 16
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 66; type: 23
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) Added key: 23version: 5
                2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 16version: 5
                2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 17version: 5
                2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 18version: 5
                2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 23version: 5
                2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 16version: 5
                2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 17version: 5
                2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 18version: 5
                2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) default etypes for default_tkt_enctypes: 17 23 16.
                2017-05-09 15:49:29,972 INFO  [stdout] (default task-3) >>> KrbAsReq creating message
                2017-05-09 15:49:29,972 INFO  [stdout] (default task-3) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
                2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
                2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KrbKdcReq send: #bytes read=654
                2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KdcAccessibility: remove dc2.domain.com
                2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 23version: 5
                2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 16version: 5
                2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 17version: 5
                2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 18version: 5
                2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
                2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com
                2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) principal is HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) Will use keytab
                2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) Commit Succeeded
                2017-05-09 15:49:30,034 INFO  [stdout] (default task-3)
                2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Subject = Subject:
                  Principal: HTTP/jb2016.domain.com@DOMAIN.COM
                  Private Credential: Ticket (hex) =
                0000: 61 82 01 0C 30 82 01 08  A0 03 02 01 05 A1 0B 1B  a...0...........
                0010: 09 54 41 53 4B 45 2E 43  4F 4D A2 1E 30 1C A0 03  .DOMAIN.COM..0...
                0020: 02 01 02 A1 15 30 13 1B  06 6B 72 62 74 67 74 1B  .....0...krbtgt.
                0030: 09 54 41 53 4B 45 2E 43  4F 4D A3 81 D3 30 81 D0  .DOMAIN.COM...0..
                0040: A0 03 02 01 12 A1 03 02  01 03 A2 81 C3 04 81 C0  ................
                0050: 41 9B E9 A5 66 55 42 90  BD 32 8E D4 A1 82 68 40  A...fUB..2....h@
                0060: DE 57 CA 94 DC E1 1B C7  9E F0 A9 A5 B3 33 49 95  .W...........3I.
                0070: 8A A6 55 76 66 DB 43 4E  29 97 62 EF 57 74 FC C8  ..Uvf.CN).b.Wt..
                0080: 5D D0 70 62 AE EE BA C0  D1 BC D1 85 82 2A B6 4B  ].pb.........*.K
                0090: DA A9 4A 06 28 41 1F 7C  6F D6 9D 96 2E C6 9E 41  ..J.(A..o......A
                00A0: D0 0F BF BE 36 3E BC AD  03 CD D3 65 EE 16 DF 56  ....6>.....e...V
                00B0: 6A 69 8F F5 56 42 7E E4  40 6F 8E 26 C1 94 24 20  ji..VB..@o.&..$
                00C0: 18 44 40 0D 83 FD 97 B6  8D D9 E5 28 9F 34 16 BF  .D@........(.4..
                00D0: 94 79 66 42 28 18 DF 02  37 D3 65 EF D5 A6 0E 81  .yfB(...7.e.....
                00E0: 03 8E 5F C0 F4 1C 25 06  90 9A 83 E5 7F 78 45 6C  .._...%......xEl
                00F0: CE 45 64 6C D6 F7 82 CC  52 10 94 7B B3 69 5E FC  .Edl....R....i^.
                0100: 51 80 56 BD DE 48 78 05  3E D4 75 A6 A9 B2 35 6A  Q.V..Hx.>.u...5j
                
                
                Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM
                Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM
                Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
                0000: 00 B6 10 D3 DD 1A 8E 82  A7 5C 7C 90 3B DD 1D A3  .........\..;...
                
                
                
                
                Forwardable Ticket false
                Forwarded Ticket false
                Proxiable Ticket false
                Proxy Ticket false
                Postdated Ticket false
                Renewable Ticket false
                Initial Ticket false
                Auth Time = Tue May 09 19:49:29 UTC 2017
                Start Time = Tue May 09 19:49:29 UTC 2017
                End Time = Wed May 10 05:49:29 UTC 2017
                Renew Till = null
                Client Addresses  Null
                  Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
                
                
                2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Logged in 'Kerberos' LoginContext
                2017-05-09 15:49:30,050 INFO  [stdout] (default task-3) [Krb5LoginModule]: Entering logout
                
                
                2017-05-09 15:49:30,050 INFO  [stdout] (default task-3) [Krb5LoginModule]: logged out Subject
                
                
                2017-05-09 15:49:30,050 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) NegotiationContext.setContinuationRequired(true)
                2017-05-09 15:49:30,050 DEBUG [org.jboss.security] (default task-3) PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.
                  at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:192)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                  at java.lang.reflect.Method.invoke(Unknown Source)
                  at javax.security.auth.login.LoginContext.invoke(Unknown Source)
                  at javax.security.auth.login.LoginContext.access$000(Unknown Source)
                  at javax.security.auth.login.LoginContext$4.run(Unknown Source)
                  at javax.security.auth.login.LoginContext$4.run(Unknown Source)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
                  at javax.security.auth.login.LoginContext.login(Unknown Source)
                  at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
                  at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
                  at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
                  at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
                  at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
                  at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
                  at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:101)
                  at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
                  at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
                  at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
                  at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
                  at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
                  at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
                  at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
                  at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
                  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
                  at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
                  at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
                  at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
                  at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
                  at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
                  at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
                  at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
                  at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
                  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
                  at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
                  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
                  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
                  at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
                  at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
                  at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
                  at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
                  at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
                  at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
                  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                  at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
                  at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
                  at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
                  at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
                  at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
                  at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
                  at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
                  at java.lang.Thread.run(Unknown Source)
                
                
                2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) removeRealmFromPrincipal=false
                2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) serverSecurityDomain=Kerberos
                2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) usernamePasswordDomain=null
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Refreshing Kerberos configuration
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Java config name: C:/java/tools/wildfly/bin/krb5.conf
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Loaded from Java config
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) >>> KdcAccessibility: reset
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 23version: 5
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 16version: 5
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 17version: 5
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 18version: 5
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 23version: 5
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 16version: 5
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 17version: 5
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 18version: 5
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) default etypes for default_tkt_enctypes: 17 23 16.
                2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) >>> KrbAsReq creating message
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=654
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KdcAccessibility: remove dc2.domain.com
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 23version: 5
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 16version: 5
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 17version: 5
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 18version: 5
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) principal is HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Will use keytab
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Commit Succeeded
                2017-05-09 15:49:30,097 INFO  [stdout] (default task-4)
                2017-05-09 15:49:30,097 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Subject = Subject:
                  Principal: HTTP/jb2016.domain.com@DOMAIN.COM
                  Private Credential: Ticket (hex) =
                0000: 61 82 01 0C 30 82 01 08  A0 03 02 01 05 A1 0B 1B  a...0...........
                0010: 09 54 41 53 4B 45 2E 43  4F 4D A2 1E 30 1C A0 03  .DOMAIN.COM..0...
                0020: 02 01 02 A1 15 30 13 1B  06 6B 72 62 74 67 74 1B  .....0...krbtgt.
                0030: 09 54 41 53 4B 45 2E 43  4F 4D A3 81 D3 30 81 D0  .DOMAIN.COM...0..
                0040: A0 03 02 01 12 A1 03 02  01 03 A2 81 C3 04 81 C0  ................
                0050: 00 50 D5 73 D8 70 D7 2E  AD 43 74 D9 A1 6A 74 2C  .P.s.p...Ct..jt,
                0060: 70 CB 23 3A 3A 58 A6 05  F4 31 5C 24 60 64 BD 9C  p.#::X...1\$`d..
                0070: B5 DB E5 63 A3 49 AF 2B  DC 8A 2E 43 39 03 59 BA  ...c.I.+...C9.Y.
                0080: A0 A7 A7 90 E5 8D A1 35  C5 E7 C6 79 83 A1 94 E2  .......5...y....
                0090: 54 77 AD A6 73 A2 8D 98  06 BD 0A 96 4A 0D D3 8C  Tw..s.......J...
                00A0: 08 21 D7 50 B0 C6 1B 2C  B3 13 F2 D7 5E 32 3D 24  .!.P...,....^2=$
                00B0: A0 18 51 82 6C E9 10 92  F7 DF 0A 6F 52 D7 72 53  ..Q.l......oR.rS
                00C0: 70 73 71 82 19 E3 56 73  CE 38 B7 6A CE 65 AF F6  psq...Vs.8.j.e..
                00D0: FC 05 01 50 82 50 82 5A  E9 DC F1 9B 18 9A 0B E3  ...P.P.Z........
                00E0: FF 55 31 EE 21 E7 1B 1A  A9 58 8A B3 50 F1 E7 1B  .U1.!....X..P...
                00F0: AB 96 F1 37 BC A8 1F EE  C8 54 FD 27 5E A7 4B CD  ...7.....T.'^.K.
                0100: 47 A6 B4 97 C9 EC 3C 3F  2B 2D 61 B7 05 1E D2 56  G.....<?+-a....V
                
                
                Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM
                Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM
                Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
                0000: 5D 63 BA 79 64 01 1D 8C  66 F4 6B 6F A9 80 85 BF  ]c.yd...f.ko....
                
                
                
                
                Forwardable Ticket false
                Forwarded Ticket false
                Proxiable Ticket false
                Proxy Ticket false
                Postdated Ticket false
                Renewable Ticket false
                Initial Ticket false
                Auth Time = Tue May 09 19:49:29 UTC 2017
                Start Time = Tue May 09 19:49:29 UTC 2017
                End Time = Wed May 10 05:49:29 UTC 2017
                Renew Till = null
                Client Addresses  Null
                  Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
                
                
                2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Logged in 'Kerberos' LoginContext
                2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Creating new GSSContext.
                2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
                2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Entered Krb5Context.acceptSecContext with state=STATE_NEW
                2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 23version: 5
                2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 16version: 5
                2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 17version: 5
                2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 18version: 5
                2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
                2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) default etypes for permitted_enctypes: 17 23 16.
                2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
                2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) MemoryCache: add 1494359370/000065/5D08B107F11CA334A023AAABC7B198BB/user@DOMAIN.COM to user@DOMAIN.COM|HTTP/jb2016.domain.com@DOMAIN.COM
                2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> KrbApReq: authenticate succeed.
                2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Krb5Context setting peerSeqNumber to: 1582590877
                2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
                2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Krb5Context setting mySeqNumber to: 528134496
                2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> Constrained deleg from GSSCaller{UNKNOWN}
                2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
                2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getCredDelegState() = true
                2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getMutualAuthState() = true
                2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getSrcName() = user@DOMAIN.COM
                2017-05-09 15:49:30,222 INFO  [stdout] (default task-4) [Krb5LoginModule]: Entering logout
                2017-05-09 15:49:30,222 INFO  [stdout] (default task-4) [Krb5LoginModule]: logged out Subject
                2017-05-09 15:49:30,222 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Storing username 'user@DOMAIN.COM' and empty password