-
2. Re: Wildfly 10 and SPNEGO
cain May 8, 2017 11:42 AM (in response to mchoma)
Ok I followed a couple guides and still can't get this to work. Here are the guides, and here's what I did:
Section 5: Active directory user creation: Negotiation User Guide
Rest of the configuration including keytab export: Configuring JBoss Negotiation in an all Windows Domain
I went through and followed the guide exactly and I just can't get past this checksum exception.
standalone.xml
<security-domain name="Kerberos">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" module="org.jboss.security.negotiation" flag="sufficient">
            <module-option name="debug" value="true"/>
            <module-option name="storeKey" value="true"/>
            <module-option name="refreshKrb5Config" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="principal" value="HTTP/wildflyhost@FOO.com"/>
            <module-option name="keyTab" value="C:/keytab/wildfly.keytab"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="FOODomain" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" module="org.jboss.security.negotiation" flag="requisite">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="Kerberos"/>
        </login-module>
    </authentication>
</security-domain>
Here's the exception I keep getting
11:19:57,004 DEBUG [org.jboss.security] (default task-4) PBOX00206: Login failure: javax.security.auth.login.LoginException: Checksum failed
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.getServerSubject(SPNEGOLoginModule.java:332)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:285)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:229)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:147)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:101)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: KrbException: Checksum failed
at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:102)
at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:94)
at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)
at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:149)
at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)
at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:285)
at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
... 75 more
Caused by: java.security.GeneralSecurityException: Checksum failed
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)
at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)
at sun.security.krb5.internal.crypto.Aes128.decrypt(Aes128.java:76)
at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:100)
... 82 more
-
3. Re: Wildfly 10 and SPNEGO
cain May 9, 2017 1:38 PM (in response to cain)
It looks like I'm getting closer. When I try to log in now, I keep getting a PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required. that repeats over and over until IE says the page cannot be displayed. Chrome gives an error saying there are too many redirects. I also get an entry in the log that says 'Storing username 'user@domain.com' and empty password'. I think I'm almost there, just need to get over this last hurdle.
EDIT: For reference here's what I'm doing
1. Create new user called wildfly in Active Directory (Server 2008) with login name wildfly
2. Open properties for the user, check no pre-authorization
3. Map principal to server
   ktpass -princ HTTP/jb2016.foo.com@FOO.COM -pass * -mapuser FOO_DOMAIN\wildfly -ptype KRB5_NT_PRINCIPAL -crypto ALL
4. Reset password for wildfly (otherwise the ktab command won't generate the correct checksum)
5. Determine KVNO for use with ktab command
   dsquery * -filter sAMAccountName=wildfly -attr msDS-KeyVersionNumber
6. Create keytab file
   ktab -k wildfly.keytab -a HTTP/jb2016.foo.com@FOO.COM -n <KVNO>
7. Verify the appropriate stuff is in the keytab file
   ktab -l -e -k wildfly.keytab
   KVNO Principal
   ---- ----------------------------------------------------------------------
   4 HTTP/jb2016.foo.com@FOO.COM (18:AES256 CTS mode with HMAC SHA1-96)
   4 HTTP/jb2016.foo.com@FOO.COM (17:AES128 CTS mode with HMAC SHA1-96)
   4 HTTP/jb2016.foo.com@FOO.COM (16:DES3 CBC mode with SHA1-KD)
   4 HTTP/jb2016.foo.com@FOO.COM (23:RC4 with HMAC)
8. Set principal in standalone.xml
   <module-option name="principal" value="HTTP/jb2016.foo.com@FOO.COM"/>
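The KVNO check that the dsquery/ktab steps above depend on, as an added example that is not part of the thread: a Python parser for the 0x0502 keytab layout that ktab writes (realm first, then the principal's name components, the order the JDK's KeyTabInputStream logs), a lister shaped like `ktab -l -e`, and a check that compares each entry's KVNO with the msDS-KeyVersionNumber value obtained from dsquery. The keytab bytes and the AD KVNO it uses are constructed placeholders, and build_keytab, parse_keytab and check_keytab are names chosen here.

```python
# Added example, not code from the thread: parse a 0x0502 keytab (the layout
# the JDK's ktab writes and KeyTabInputStream reads) and check it against the
# KVNO that AD reports. Sample keytab bytes and the AD KVNO are constructed.
import struct
from typing import NamedTuple

ENCTYPE_NAMES = {16: "DES3 CBC mode with SHA1-KD", 17: "AES128 CTS mode with HMAC SHA1-96",
                 18: "AES256 CTS mode with HMAC SHA1-96", 23: "RC4 with HMAC"}

class KeytabEntry(NamedTuple):
    principal: str      # "HTTP/host@REALM"
    name_type: int      # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

def _counted(data: bytes, pos: int):
    """Read a 16-bit-length-prefixed byte string; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data: bytes) -> list:
    """Decode every live entry of a version-0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8, enctype = struct.unpack_from(">IIBH", data, pos)
        pos += 11
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:          # optional 32-bit vno wins when present and nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries

def build_keytab(principal: str, kvno: int, keys: dict, timestamp: int = 0) -> bytes:
    """Write one entry per enctype in the same layout (sample input only)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    out = bytearray(b"\x05\x02")
    for enctype, key in keys.items():
        body = struct.pack(">H", len(comps))
        for s in [realm, *comps]:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBH", 1, timestamp, kvno & 0xFF, enctype)
        body += struct.pack(">H", len(key)) + key
        if kvno > 0xFF:             # 8-bit vno overflowed: append the 32-bit one
            body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def list_keytab(entries) -> list:
    """Rows shaped like `ktab -l -e` output: (kvno, principal, 'etype:name')."""
    return [(e.kvno, e.principal,
             "%d:%s" % (e.enctype, ENCTYPE_NAMES.get(e.enctype, "unknown")))
            for e in entries]

def check_keytab(entries, principal: str, ad_kvno: int, required=(17, 18)) -> list:
    """Findings behind a 'Checksum failed' login: a KVNO that differs from AD's
    msDS-KeyVersionNumber (stale key after a password reset) or a missing AES
    enctype. An empty list means the keytab is consistent with AD."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return ["no entry for %s" % principal]
    findings = ["%s: keytab kvno %d != AD msDS-KeyVersionNumber %d"
                % (ENCTYPE_NAMES.get(e.enctype, str(e.enctype)), e.kvno, ad_kvno)
                for e in mine if e.kvno != ad_kvno]
    present = {e.enctype for e in mine}
    findings += ["missing key for enctype %d (%s)" % (et, ENCTYPE_NAMES.get(et, "?"))
                 for et in required if et not in present]
    return findings

# Constructed sample: the thread's principal, placeholder key bytes, KVNO 4.
SAMPLE_PRINCIPAL = "HTTP/jb2016.foo.com@FOO.COM"
SAMPLE_KEYS = {18: bytes(range(32)), 17: bytes(range(16)), 23: bytes(16)}
SAMPLE_KEYTAB = build_keytab(SAMPLE_PRINCIPAL, kvno=4, keys=SAMPLE_KEYS)

if __name__ == "__main__":          # AD reports 5 after a reset, keytab still holds 4
    print(*list_keytab(parse_keytab(SAMPLE_KEYTAB)), sep="\n")
    print(check_keytab(parse_keytab(SAMPLE_KEYTAB), SAMPLE_PRINCIPAL, ad_kvno=5))
```

Run it against a real file with `parse_keytab(open("wildfly.keytab", "rb").read())` and pass the KVNO that dsquery printed; any finding is a reason the KDC reply cannot be decrypted with that keytab.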
-
4. Re: Wildfly 10 and SPNEGO
cain May 9, 2017 4:08 PM (in response to cain)
Another update, so people don't try to help with outdated information.
I'm now at the point where the keytab is set up correctly (I believe) and it tries to authenticate, but then it goes into a loop of exceptions.
Relevant standalone.xml stuff
<security-domain name="Kerberos">
    <authentication>
        <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient" module="org.jboss.security.negotiation">
            <module-option name="debug" value="true"/>
            <module-option name="storeKey" value="true"/>
            <module-option name="refreshKrb5Config" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="doNotPrompt" value="false"/>
            <module-option name="principal" value="HTTP/jb2016.domain.com@DOMAIN.COM"/>
            <module-option name="keyTab" value="C:/temp/wildfly.keytab"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite" module="org.jboss.security.negotiation">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="Kerberos"/>
        </login-module>
    </authentication>
</security-domain>
</security-domains>
krb5.conf
[libdefaults]
    default_realm = DOMAIN.COM
    ticket_lifetime = 600
    default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
    DOMAIN.COM = {
        kdc = dc2.domain.com
        admin_server = dc2.domain.com
        default_domain = DOMAIN.COM
    }

[domain_realm]
    # right-hand side is the realm name itself, with no leading dot
    .domain.com = DOMAIN.COM
    domain.com = DOMAIN.COM
wildfly.keytab
KVNO Principal
---- ----------------------------------------------------------------------
4 HTTP/jb2016.domain.com@DOMAIN.COM (18:AES256 CTS mode with HMAC SHA1-96)
4 HTTP/jb2016.domain.com@DOMAIN.COM (17:AES128 CTS mode with HMAC SHA1-96)
4 HTTP/jb2016.domain.com@DOMAIN.COM (16:DES3 CBC mode with SHA1-KD)
4 HTTP/jb2016.domain.com@DOMAIN.COM (23:RC4 with HMAC)
Exception loop
2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) removeRealmFromPrincipal=false 2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) serverSecurityDomain=Kerberos 2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) usernamePasswordDomain=null 2017-05-09 15:49:29,909 INFO [stdout] (default task-3) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false 2017-05-09 15:49:29,909 INFO [stdout] (default task-3) Refreshing Kerberos configuration 2017-05-09 15:49:29,909 INFO [stdout] (default task-3) Java config name: C:/java/tools/wildfly/bin/krb5.conf 2017-05-09 15:49:29,925 INFO [stdout] (default task-3) Loaded from Java config 2017-05-09 15:49:29,925 INFO [stdout] (default task-3) >>> KdcAccessibility: reset 2017-05-09 15:49:29,925 INFO [stdout] (default task-3) >>> KdcAccessibility: reset 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTab: load() entry length: 82; type: 18 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readNam(): HTTP 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTab: load() entry length: 
66; type: 17 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTab: load() entry length: 74; type: 16 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTab: load() entry length: 66; type: 23 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM 2017-05-09 15:49:29,940 INFO [stdout] (default task-3) Added key: 23version: 5 2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 16version: 5 2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 17version: 5 2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 18version: 5 2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM 2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 23version: 5 2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 16version: 5 2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 17version: 5 2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 18version: 5 2017-05-09 15:49:29,956 INFO [stdout] (default task-3) default etypes for default_tkt_enctypes: 17 23 16. 
2017-05-09 15:49:29,972 INFO [stdout] (default task-3) >>> KrbAsReq creating message 2017-05-09 15:49:29,972 INFO [stdout] (default task-3) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153 2017-05-09 15:49:30,003 INFO [stdout] (default task-3) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153 2017-05-09 15:49:30,003 INFO [stdout] (default task-3) >>> KrbKdcReq send: #bytes read=654 2017-05-09 15:49:30,003 INFO [stdout] (default task-3) >>> KdcAccessibility: remove dc2.domain.com 2017-05-09 15:49:30,019 INFO [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM 2017-05-09 15:49:30,019 INFO [stdout] (default task-3) Added key: 23version: 5 2017-05-09 15:49:30,019 INFO [stdout] (default task-3) Added key: 16version: 5 2017-05-09 15:49:30,019 INFO [stdout] (default task-3) Added key: 17version: 5 2017-05-09 15:49:30,019 INFO [stdout] (default task-3) Added key: 18version: 5 2017-05-09 15:49:30,019 INFO [stdout] (default task-3) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType 2017-05-09 15:49:30,034 INFO [stdout] (default task-3) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com 2017-05-09 15:49:30,034 INFO [stdout] (default task-3) principal is HTTP/jb2016.domain.com@DOMAIN.COM 2017-05-09 15:49:30,034 INFO [stdout] (default task-3) Will use keytab 2017-05-09 15:49:30,034 INFO [stdout] (default task-3) Commit Succeeded 2017-05-09 15:49:30,034 INFO [stdout] (default task-3) 2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Subject = Subject: Principal: HTTP/jb2016.domain.com@DOMAIN.COM Private Credential: Ticket (hex) = 0000: 61 82 01 0C 30 82 01 08 A0 03 02 01 05 A1 0B 1B a...0........... 0010: 09 54 41 53 4B 45 2E 43 4F 4D A2 1E 30 1C A0 03 .DOMAIN.COM..0... 0020: 02 01 02 A1 15 30 13 1B 06 6B 72 62 74 67 74 1B .....0...krbtgt. 
0030: 09 54 41 53 4B 45 2E 43 4F 4D A3 81 D3 30 81 D0 .DOMAIN.COM...0.. 0040: A0 03 02 01 12 A1 03 02 01 03 A2 81 C3 04 81 C0 ................ 0050: 41 9B E9 A5 66 55 42 90 BD 32 8E D4 A1 82 68 40 A...fUB..2....h@ 0060: DE 57 CA 94 DC E1 1B C7 9E F0 A9 A5 B3 33 49 95 .W...........3I. 0070: 8A A6 55 76 66 DB 43 4E 29 97 62 EF 57 74 FC C8 ..Uvf.CN).b.Wt.. 0080: 5D D0 70 62 AE EE BA C0 D1 BC D1 85 82 2A B6 4B ].pb.........*.K 0090: DA A9 4A 06 28 41 1F 7C 6F D6 9D 96 2E C6 9E 41 ..J.(A..o......A 00A0: D0 0F BF BE 36 3E BC AD 03 CD D3 65 EE 16 DF 56 ....6>.....e...V 00B0: 6A 69 8F F5 56 42 7E E4 40 6F 8E 26 C1 94 24 20 ji..VB..@o.&..$ 00C0: 18 44 40 0D 83 FD 97 B6 8D D9 E5 28 9F 34 16 BF .D@........(.4.. 00D0: 94 79 66 42 28 18 DF 02 37 D3 65 EF D5 A6 0E 81 .yfB(...7.e..... 00E0: 03 8E 5F C0 F4 1C 25 06 90 9A 83 E5 7F 78 45 6C .._...%......xEl 00F0: CE 45 64 6C D6 F7 82 CC 52 10 94 7B B3 69 5E FC .Edl....R....i^. 0100: 51 80 56 BD DE 48 78 05 3E D4 75 A6 A9 B2 35 6A Q.V..Hx.>.u...5j Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)= 0000: 00 B6 10 D3 DD 1A 8E 82 A7 5C 7C 90 3B DD 1D A3 .........\..;... 
Forwardable Ticket false Forwarded Ticket false Proxiable Ticket false Proxy Ticket false Postdated Ticket false Renewable Ticket false Initial Ticket false Auth Time = Tue May 09 19:49:29 UTC 2017 Start Time = Tue May 09 19:49:29 UTC 2017 End Time = Wed May 10 05:49:29 UTC 2017 Renew Till = null Client Addresses Null Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM 2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Logged in 'Kerberos' LoginContext 2017-05-09 15:49:30,050 INFO [stdout] (default task-3) [Krb5LoginModule]: Entering logout 2017-05-09 15:49:30,050 INFO [stdout] (default task-3) [Krb5LoginModule]: logged out Subject 2017-05-09 15:49:30,050 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) NegotiationContext.setContinuationRequired(true) 2017-05-09 15:49:30,050 DEBUG [org.jboss.security] (default task-3) PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required. 
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:192) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) at java.lang.reflect.Method.invoke(Unknown Source) at javax.security.auth.login.LoginContext.invoke(Unknown Source) at javax.security.auth.login.LoginContext.access$000(Unknown Source) at javax.security.auth.login.LoginContext$4.run(Unknown Source) at javax.security.auth.login.LoginContext$4.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.login.LoginContext.invokePriv(Unknown Source) at javax.security.auth.login.LoginContext.login(Unknown Source) at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406) at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345) at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323) at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146) at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123) at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96) at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:101) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231) at 
io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125) at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99) at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44) at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44) at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44) at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44) at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44) at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) 2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) 
removeRealmFromPrincipal=false 2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) serverSecurityDomain=Kerberos 2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) usernamePasswordDomain=null 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Refreshing Kerberos configuration 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Java config name: C:/java/tools/wildfly/bin/krb5.conf 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Loaded from Java config 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) >>> KdcAccessibility: reset 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 23version: 5 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 16version: 5 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 17version: 5 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 18version: 5 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 23version: 5 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 16version: 5 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 17version: 5 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 18version: 5 2017-05-09 15:49:30,081 INFO [stdout] (default task-4) default etypes for default_tkt_enctypes: 17 23 16. 
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) >>> KrbAsReq creating message
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=654
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> KdcAccessibility: remove dc2.domain.com
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 23version: 5
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 16version: 5
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 17version: 5
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 18version: 5
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) principal is HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Will use keytab
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Commit Succeeded
2017-05-09 15:49:30,097 INFO [stdout] (default task-4)
2017-05-09 15:49:30,097 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Subject = Subject:
Principal: HTTP/jb2016.domain.com@DOMAIN.COM
Private Credential: Ticket (hex) =
0000: 61 82 01 0C 30 82 01 08 A0 03 02 01 05 A1 0B 1B a...0...........
0010: 09 54 41 53 4B 45 2E 43 4F 4D A2 1E 30 1C A0 03 .DOMAIN.COM..0...
0020: 02 01 02 A1 15 30 13 1B 06 6B 72 62 74 67 74 1B .....0...krbtgt.
0030: 09 54 41 53 4B 45 2E 43 4F 4D A3 81 D3 30 81 D0 .DOMAIN.COM...0..
0040: A0 03 02 01 12 A1 03 02 01 03 A2 81 C3 04 81 C0 ................
0050: 00 50 D5 73 D8 70 D7 2E AD 43 74 D9 A1 6A 74 2C .P.s.p...Ct..jt,
0060: 70 CB 23 3A 3A 58 A6 05 F4 31 5C 24 60 64 BD 9C p.#::X...1\$`d..
0070: B5 DB E5 63 A3 49 AF 2B DC 8A 2E 43 39 03 59 BA ...c.I.+...C9.Y.
0080: A0 A7 A7 90 E5 8D A1 35 C5 E7 C6 79 83 A1 94 E2 .......5...y....
0090: 54 77 AD A6 73 A2 8D 98 06 BD 0A 96 4A 0D D3 8C Tw..s.......J...
00A0: 08 21 D7 50 B0 C6 1B 2C B3 13 F2 D7 5E 32 3D 24 .!.P...,....^2=$
00B0: A0 18 51 82 6C E9 10 92 F7 DF 0A 6F 52 D7 72 53 ..Q.l......oR.rS
00C0: 70 73 71 82 19 E3 56 73 CE 38 B7 6A CE 65 AF F6 psq...Vs.8.j.e..
00D0: FC 05 01 50 82 50 82 5A E9 DC F1 9B 18 9A 0B E3 ...P.P.Z........
00E0: FF 55 31 EE 21 E7 1B 1A A9 58 8A B3 50 F1 E7 1B .U1.!....X..P...
00F0: AB 96 F1 37 BC A8 1F EE C8 54 FD 27 5E A7 4B CD ...7.....T.'^.K.
0100: 47 A6 B4 97 C9 EC 3C 3F 2B 2D 61 B7 05 1E D2 56 G.....<?+-a....V
Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM
Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM
Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 5D 63 BA 79 64 01 1D 8C 66 F4 6B 6F A9 80 85 BF ]c.yd...f.ko....
Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue May 09 19:49:29 UTC 2017
Start Time = Tue May 09 19:49:29 UTC 2017
End Time = Wed May 10 05:49:29 UTC 2017
Renew Till = null
Client Addresses Null
Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Logged in 'Kerberos' LoginContext
2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Creating new GSSContext.
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Entered Krb5Context.acceptSecContext with state=STATE_NEW
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Added key: 23version: 5
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Added key: 16version: 5
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Added key: 17version: 5
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Added key: 18version: 5
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) default etypes for permitted_enctypes: 17 23 16.
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) MemoryCache: add 1494359370/000065/5D08B107F11CA334A023AAABC7B198BB/user@DOMAIN.COM to user@DOMAIN.COM|HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) >>> KrbApReq: authenticate succeed.
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) Krb5Context setting peerSeqNumber to: 1582590877
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) Krb5Context setting mySeqNumber to: 528134496
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) >>> Constrained deleg from GSSCaller{UNKNOWN}
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getCredDelegState() = true
2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getMutualAuthState() = true
2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getSrcName() = user@DOMAIN.COM
2017-05-09 15:49:30,222 INFO [stdout] (default task-4) [Krb5LoginModule]: Entering logout
2017-05-09 15:49:30,222 INFO [stdout] (default task-4) [Krb5LoginModule]: logged out Subject
2017-05-09 15:49:30,222 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Storing username 'user@DOMAIN.COM' and empty password
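A trace like the one above carries the facts a reviewer checks before trusting a SPNEGO setup: which etypes and kvnos the keytab offered ("Added key: 23version: 5"), which etype the JDK actually used on the ">>> EType:" lines, whether the KDC granted credential delegation (getCredDelegState() = true) and which client principal was authenticated. The Python script below is an added example, not code from this thread or from JBoss Negotiation: it pulls those facts out of a JDK Kerberos debug trace and flags the points worth a second look (RC4/3DES keys still in the keytab, a kvno mismatch between entries, an etype in use with no matching keytab key, delegation granted). The regular expressions follow the JDK message format visible in the post, the sample trace is constructed, and the etype-number and class-name tables are assumptions based on the JDK's sun.security.krb5 naming.

```python
"""Summarise a JDK Kerberos/SPNEGO debug trace (what WildFly prints with
debug=true on Krb5LoginModule) into the facts a reviewer checks."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Kerberos etype numbers as the JDK prints them ("Added key: 23version: 5").
ETYPE_NAMES: Dict[int, str] = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
WEAK_ETYPES = {1, 3, 16, 23}  # DES, 3DES and RC4: deprecated by RFC 6649 / RFC 8429
# JDK crypto class named on ">>> EType:" lines -> etype number (assumed mapping)
ETYPE_CLASSES = {
    "DesCbcCrcEType": 1, "DesCbcMd5EType": 3, "Des3CbcHmacSha1KdEType": 16,
    "Aes128CtsHmacSha1EType": 17, "Aes256CtsHmacSha1EType": 18, "ArcFourHmacEType": 23,
}

# "<date> <time> LEVEL [logger] (thread) " prefix that WildFly puts on every line
LOG_PREFIX = re.compile(r"^\S+ \S+ (?:INFO|DEBUG|WARN|ERROR) \[[^\]]+\] \([^)]*\) ")
RE_KEY = re.compile(r"Added key: (\d+)version: (\d+)")
RE_ETYPE = re.compile(r">>> EType: sun\.security\.krb5\.internal\.crypto\.(\w+)")
RE_PERMITTED = re.compile(r"default etypes for permitted_enctypes: ([\d ]+)\.")
RE_SRC = re.compile(r"context\.getSrcName\(\) = (\S+)")
RE_DELEG = re.compile(r"context\.getCredDelegState\(\) = (true|false)")
RE_FAIL = re.compile(r"LoginException: (.+)$")


def etype_name(n: int) -> str:
    return f"{ETYPE_NAMES.get(n, 'unknown')} ({n})"


@dataclass
class TraceSummary:
    keytab_keys: Dict[int, int] = field(default_factory=dict)  # etype -> kvno
    etype_in_use: Optional[int] = None                          # last ">>> EType:" seen
    permitted: List[int] = field(default_factory=list)
    client: Optional[str] = None
    delegation: Optional[bool] = None
    failure: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_trace(lines) -> TraceSummary:
    """Walk the trace once, then derive review findings from what was seen."""
    s = TraceSummary()
    for raw in lines:
        line = LOG_PREFIX.sub("", raw.strip())
        if m := RE_KEY.search(line):
            s.keytab_keys[int(m.group(1))] = int(m.group(2))
        elif m := RE_ETYPE.search(line):
            s.etype_in_use = ETYPE_CLASSES.get(m.group(1), s.etype_in_use)
        elif m := RE_PERMITTED.search(line):
            s.permitted = [int(x) for x in m.group(1).split()]
        elif m := RE_SRC.search(line):
            s.client = m.group(1)
        elif m := RE_DELEG.search(line):
            s.delegation = m.group(1) == "true"
        elif m := RE_FAIL.search(line):
            s.failure = m.group(1).strip()

    for etype, kvno in sorted(s.keytab_keys.items()):
        if etype in WEAK_ETYPES:
            s.findings.append(f"keytab holds weak etype {etype_name(etype)}, kvno {kvno}")
    if len(set(s.keytab_keys.values())) > 1:
        s.findings.append("keytab entries carry different kvnos; a stale entry will not match the KDC")
    if s.etype_in_use is not None:
        if s.etype_in_use in WEAK_ETYPES:
            s.findings.append(f"etype in use is weak: {etype_name(s.etype_in_use)}")
        if s.keytab_keys and s.etype_in_use not in s.keytab_keys:
            s.findings.append(f"no keytab key for etype in use {etype_name(s.etype_in_use)}")
    if s.delegation:
        s.findings.append(f"client credentials were delegated to the service (client {s.client})")
    if s.failure:
        s.findings.append(f"login failed: {s.failure}")
    return s


# Constructed sample trace modelled on the JDK output format (not the poster's log).
SAMPLE_TRACE = [
    "2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM",
    "2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 23version: 5",
    "2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 16version: 5",
    "2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 17version: 5",
    "2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 18version: 5",
    "2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType",
    "2017-05-09 15:49:30,206 INFO [stdout] (default task-4) default etypes for permitted_enctypes: 17 23 16.",
    "2017-05-09 15:49:30,206 INFO [stdout] (default task-4) >>> KrbApReq: authenticate succeed.",
    "2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getCredDelegState() = true",
    "2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getSrcName() = user@DOMAIN.COM",
]

if __name__ == "__main__":
    summary = parse_trace(SAMPLE_TRACE)
    print("client:", summary.client, "etype in use:", etype_name(summary.etype_in_use or 0))
    for finding in summary.findings:
        print(" -", finding)
```

Run it against a saved server.log (one line per entry) by replacing SAMPLE_TRACE with the file's lines; on the constructed sample it reports the RC4 and 3DES keys still present in the keytab and that delegation was granted, and stays quiet about AES-128, which is the etype the JDK selected.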
-
5. Re: Wildfly 10 and SPNEGO
mchoma May 10, 2017 2:33 AM (in response to cain)
As a solution you can upgrade jboss negotiation [1].
[1] spnego - WildFly 10 running on Windows with kerberos authentication - Stack Overflow