5 Replies Latest reply on May 11, 2017 11:31 AM by cain

[WildFly 10] SSO and SPNEGO Problems

cain May 9, 2017 4:17 PM

I've been trying to get SSO working in WildFly, but I'm having many problems. I have it to the point now that I think it's almost working, but it seems to get stuck in a loop when I try to access the application from a web browser. I have follow the instructions at the these links

Negotiation User Guide

Configuring JBoss Negotiation in an all Windows Domain

If anyone can help me out, it would be greatly appreciated. I've been working on this for a few days now, so I'm rather frustrated that I haven't been able to get it to work.

Relevant standalone.xml stuff

<security-domain name="Kerberos">
    <authentication>
  <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient" module="org.jboss.security.negotiation">
     <module-option name="debug" value="true"/>
     <module-option name="storeKey" value="true"/>
     <module-option name="refreshKrb5Config" value="true"/>
     <module-option name="useKeyTab" value="true"/>
     <module-option name="doNotPrompt" value="false"/>
     <module-option name="principal" value="HTTP/jb2016.domain.com@DOMAIN.COM"/>
     <module-option name="keyTab" value="C:/temp/wildfly.keytab"/>
  </login-module>
    </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
    <authentication>
  <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite" module="org.jboss.security.negotiation">
     <module-option name="password-stacking" value="useFirstPass"/>
     <module-option name="serverSecurityDomain" value="Kerberos"/>
  </login-module>
    </authentication>
</security-domain>
</security-domains>

kbr5.conf

[code]
[libdefaults]
  default_realm = DOMAIN.COM
  ticket_lifetime = 600
  default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
  permitted_enctypes  = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
  DOMAIN.COM = {
  kdc = dc2.domain.com
  admin_server = dc2.domain.com
  default_domain = DOMAIN.COM
}


[domain_realm]
  .domain.com = .DOMAIN.COM
  domain.com = DOMAIN.COM

wildfly.keytab (verified KVNO is correct)

KVNO Principal
---- ----------------------------------------------------------------------
  4 HTTP/jb2016.domain.com@DOMAIN.COM (18:AES256 CTS mode with HMAC SHA1-96)
  4 HTTP/jb2016.domain.com@DOMAIN.COM (17:AES128 CTS mode with HMAC SHA1-96)
  4 HTTP/jb2016.domain.com@DOMAIN.COM (16:DES3 CBC mode with SHA1-KD)
  4 HTTP/jb2016.domain.com@DOMAIN.COM (23:RC4 with HMAC)

Exception loop

2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) removeRealmFromPrincipal=false
2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) serverSecurityDomain=Kerberos
2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) usernamePasswordDomain=null
2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Refreshing Kerberos configuration
2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Java config name: C:/java/tools/wildfly/bin/krb5.conf
2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) Loaded from Java config
2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) >>> KdcAccessibility: reset
2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) >>> KdcAccessibility: reset
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 82; type: 18
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readNam(): HTTP
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 66; type: 17
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 74; type: 16
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 66; type: 23
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) Added key: 23version: 5
2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 16version: 5
2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 17version: 5
2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 18version: 5
2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 23version: 5
2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 16version: 5
2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 17version: 5
2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 18version: 5
2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) default etypes for default_tkt_enctypes: 17 23 16.
2017-05-09 15:49:29,972 INFO  [stdout] (default task-3) >>> KrbAsReq creating message
2017-05-09 15:49:29,972 INFO  [stdout] (default task-3) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KrbKdcReq send: #bytes read=654
2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KdcAccessibility: remove dc2.domain.com
2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 23version: 5
2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 16version: 5
2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 17version: 5
2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 18version: 5
2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com
2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) principal is HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) Will use keytab
2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) Commit Succeeded
2017-05-09 15:49:30,034 INFO  [stdout] (default task-3)
2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Subject = Subject:
  Principal: HTTP/jb2016.domain.com@DOMAIN.COM
  Private Credential: Ticket (hex) =
0000: 61 82 01 0C 30 82 01 08  A0 03 02 01 05 A1 0B 1B  a...0...........
0010: 09 54 41 53 4B 45 2E 43  4F 4D A2 1E 30 1C A0 03  .DOMAIN.COM..0...
0020: 02 01 02 A1 15 30 13 1B  06 6B 72 62 74 67 74 1B  .....0...krbtgt.
0030: 09 54 41 53 4B 45 2E 43  4F 4D A3 81 D3 30 81 D0  .DOMAIN.COM...0..
0040: A0 03 02 01 12 A1 03 02  01 03 A2 81 C3 04 81 C0  ................
0050: 41 9B E9 A5 66 55 42 90  BD 32 8E D4 A1 82 68 40  A...fUB..2....h@
0060: DE 57 CA 94 DC E1 1B C7  9E F0 A9 A5 B3 33 49 95  .W...........3I.
0070: 8A A6 55 76 66 DB 43 4E  29 97 62 EF 57 74 FC C8  ..Uvf.CN).b.Wt..
0080: 5D D0 70 62 AE EE BA C0  D1 BC D1 85 82 2A B6 4B  ].pb.........*.K
0090: DA A9 4A 06 28 41 1F 7C  6F D6 9D 96 2E C6 9E 41  ..J.(A..o......A
00A0: D0 0F BF BE 36 3E BC AD  03 CD D3 65 EE 16 DF 56  ....6>.....e...V
00B0: 6A 69 8F F5 56 42 7E E4  40 6F 8E 26 C1 94 24 20  ji..VB..@o.&..$
00C0: 18 44 40 0D 83 FD 97 B6  8D D9 E5 28 9F 34 16 BF  .D@........(.4..
00D0: 94 79 66 42 28 18 DF 02  37 D3 65 EF D5 A6 0E 81  .yfB(...7.e.....
00E0: 03 8E 5F C0 F4 1C 25 06  90 9A 83 E5 7F 78 45 6C  .._...%......xEl
00F0: CE 45 64 6C D6 F7 82 CC  52 10 94 7B B3 69 5E FC  .Edl....R....i^.
0100: 51 80 56 BD DE 48 78 05  3E D4 75 A6 A9 B2 35 6A  Q.V..Hx.>.u...5j


Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM
Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM
Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 00 B6 10 D3 DD 1A 8E 82  A7 5C 7C 90 3B DD 1D A3  .........\..;...




Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue May 09 19:49:29 UTC 2017
Start Time = Tue May 09 19:49:29 UTC 2017
End Time = Wed May 10 05:49:29 UTC 2017
Renew Till = null
Client Addresses  Null
  Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM


2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Logged in 'Kerberos' LoginContext
2017-05-09 15:49:30,050 INFO  [stdout] (default task-3) [Krb5LoginModule]: Entering logout


2017-05-09 15:49:30,050 INFO  [stdout] (default task-3) [Krb5LoginModule]: logged out Subject


2017-05-09 15:49:30,050 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) NegotiationContext.setContinuationRequired(true)
2017-05-09 15:49:30,050 DEBUG [org.jboss.security] (default task-3) PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.
  at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:192)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at javax.security.auth.login.LoginContext.invoke(Unknown Source)
  at javax.security.auth.login.LoginContext.access$000(Unknown Source)
  at javax.security.auth.login.LoginContext$4.run(Unknown Source)
  at javax.security.auth.login.LoginContext$4.run(Unknown Source)
  at java.security.AccessController.doPrivileged(Native Method)
  at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
  at javax.security.auth.login.LoginContext.login(Unknown Source)
  at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
  at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
  at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
  at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
  at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
  at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
  at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:101)
  at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
  at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
  at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
  at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
  at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
  at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
  at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
  at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
  at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
  at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
  at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
  at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
  at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
  at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
  at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
  at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
  at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
  at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
  at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
  at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
  at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
  at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
  at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
  at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
  at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
  at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
  at java.lang.Thread.run(Unknown Source)


2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) removeRealmFromPrincipal=false
2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) serverSecurityDomain=Kerberos
2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) usernamePasswordDomain=null
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Refreshing Kerberos configuration
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Java config name: C:/java/tools/wildfly/bin/krb5.conf
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Loaded from Java config
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) >>> KdcAccessibility: reset
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 23version: 5
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 16version: 5
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 17version: 5
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 18version: 5
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 23version: 5
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 16version: 5
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 17version: 5
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 18version: 5
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) default etypes for default_tkt_enctypes: 17 23 16.
2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) >>> KrbAsReq creating message
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=654
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KdcAccessibility: remove dc2.domain.com
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 23version: 5
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 16version: 5
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 17version: 5
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 18version: 5
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) principal is HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Will use keytab
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Commit Succeeded
2017-05-09 15:49:30,097 INFO  [stdout] (default task-4)
2017-05-09 15:49:30,097 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Subject = Subject:
  Principal: HTTP/jb2016.domain.com@DOMAIN.COM
  Private Credential: Ticket (hex) =
0000: 61 82 01 0C 30 82 01 08  A0 03 02 01 05 A1 0B 1B  a...0...........
0010: 09 54 41 53 4B 45 2E 43  4F 4D A2 1E 30 1C A0 03  .DOMAIN.COM..0...
0020: 02 01 02 A1 15 30 13 1B  06 6B 72 62 74 67 74 1B  .....0...krbtgt.
0030: 09 54 41 53 4B 45 2E 43  4F 4D A3 81 D3 30 81 D0  .DOMAIN.COM...0..
0040: A0 03 02 01 12 A1 03 02  01 03 A2 81 C3 04 81 C0  ................
0050: 00 50 D5 73 D8 70 D7 2E  AD 43 74 D9 A1 6A 74 2C  .P.s.p...Ct..jt,
0060: 70 CB 23 3A 3A 58 A6 05  F4 31 5C 24 60 64 BD 9C  p.#::X...1\$`d..
0070: B5 DB E5 63 A3 49 AF 2B  DC 8A 2E 43 39 03 59 BA  ...c.I.+...C9.Y.
0080: A0 A7 A7 90 E5 8D A1 35  C5 E7 C6 79 83 A1 94 E2  .......5...y....
0090: 54 77 AD A6 73 A2 8D 98  06 BD 0A 96 4A 0D D3 8C  Tw..s.......J...
00A0: 08 21 D7 50 B0 C6 1B 2C  B3 13 F2 D7 5E 32 3D 24  .!.P...,....^2=$
00B0: A0 18 51 82 6C E9 10 92  F7 DF 0A 6F 52 D7 72 53  ..Q.l......oR.rS
00C0: 70 73 71 82 19 E3 56 73  CE 38 B7 6A CE 65 AF F6  psq...Vs.8.j.e..
00D0: FC 05 01 50 82 50 82 5A  E9 DC F1 9B 18 9A 0B E3  ...P.P.Z........
00E0: FF 55 31 EE 21 E7 1B 1A  A9 58 8A B3 50 F1 E7 1B  .U1.!....X..P...
00F0: AB 96 F1 37 BC A8 1F EE  C8 54 FD 27 5E A7 4B CD  ...7.....T.'^.K.
0100: 47 A6 B4 97 C9 EC 3C 3F  2B 2D 61 B7 05 1E D2 56  G.....<?+-a....V


Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM
Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM
Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: 5D 63 BA 79 64 01 1D 8C  66 F4 6B 6F A9 80 85 BF  ]c.yd...f.ko....




Forwardable Ticket false
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue May 09 19:49:29 UTC 2017
Start Time = Tue May 09 19:49:29 UTC 2017
End Time = Wed May 10 05:49:29 UTC 2017
Renew Till = null
Client Addresses  Null
  Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM


2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Logged in 'Kerberos' LoginContext
2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Creating new GSSContext.
2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Entered Krb5Context.acceptSecContext with state=STATE_NEW
2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 23version: 5
2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 16version: 5
2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 17version: 5
2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 18version: 5
2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) default etypes for permitted_enctypes: 17 23 16.
2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) MemoryCache: add 1494359370/000065/5D08B107F11CA334A023AAABC7B198BB/user@DOMAIN.COM to user@DOMAIN.COM|HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> KrbApReq: authenticate succeed.
2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Krb5Context setting peerSeqNumber to: 1582590877
2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Krb5Context setting mySeqNumber to: 528134496
2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> Constrained deleg from GSSCaller{UNKNOWN}
2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getCredDelegState() = true
2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getMutualAuthState() = true
2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getSrcName() = user@DOMAIN.COM
2017-05-09 15:49:30,222 INFO  [stdout] (default task-4) [Krb5LoginModule]: Entering logout
2017-05-09 15:49:30,222 INFO  [stdout] (default task-4) [Krb5LoginModule]: logged out Subject
2017-05-09 15:49:30,222 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Storing username 'user@DOMAIN.COM' and empty password

1. Re: [WildFly 10] SSO and SPNEGO Problems

mchoma May 10, 2017 2:34 AM (in response to cain)

You hit [JBEAP-3709] [EAP 7] Negotiation/UnderTow does not handle the "Continuation Required" situation correctly - JBoss Issue …
As a solution you can upgrade jboss negotiation [1].

[1] spnego - WildFly 10 running on Windows with kerberos authentication - Stack Overflow
Actions
2. Re: [WildFly 10] SSO and SPNEGO Problems

cain May 10, 2017 8:27 AM (in response to mchoma)

Thanks for the info. I upgraded to 3.0.4 and while the execption is gone, I still get in a loop where it logs the user out immediately. It looks like it's trying to do the right thing. Here's a link to the debug info so as to not clutter up the topic.

Pastebin.com
Actions
3. Re: [WildFly 10] SSO and SPNEGO Problems

cain May 10, 2017 2:06 PM (in response to mchoma)

I had another look here and it's still not working, and I'm still getting the continuation exception. It looks like it's logging the user in, but then it logs them out immediately. I can't for the life of me get this to work, no matter what guides I come across from googling.
Actions
4. Re: [WildFly 10] SSO and SPNEGO Problems

mchoma May 10, 2017 2:58 PM (in response to cain)

In attached log, there is many kerberos authnetication involved. Is it what you refer to "loop"? Is that only one request to browser? Probably you can take network dump for http port and kerberos server port to see what is going on.

Is your browser configured correctly for negotiation? Is there any redirecting involved on application level? Is there any roles check involved in application?
Actions
5. Re: [WildFly 10] SSO and SPNEGO Problems

cain May 11, 2017 11:31 AM (in response to mchoma)

It turns out that the problem was actually at the authentication level and the SPNEGO was working. Thanks for you help.
Actions

Go to original post