[WildFly 10] SSO and SPNEGO Problems
cain May 9, 2017 4:17 PM
I've been trying to get SSO working in WildFly, but I'm having many problems. I have it to the point now that I think it's almost working, but it seems to get stuck in a loop when I try to access the application from a web browser. I have followed the instructions at these links:
Configuring JBoss Negotiation in an all Windows Domain
If anyone can help me out, it would be greatly appreciated. I've been working on this for a few days now, so I'm rather frustrated that I haven't been able to get it to work.
Relevant standalone.xml stuff
<security-domains>
    <security-domain name="Kerberos">
        <authentication>
            <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient" module="org.jboss.security.negotiation">
                <module-option name="debug" value="true"/>
                <module-option name="storeKey" value="true"/>
                <module-option name="refreshKrb5Config" value="true"/>
                <module-option name="useKeyTab" value="true"/>
                <module-option name="doNotPrompt" value="false"/>
                <module-option name="principal" value="HTTP/jb2016.domain.com@DOMAIN.COM"/>
                <module-option name="keyTab" value="C:/temp/wildfly.keytab"/>
            </login-module>
        </authentication>
    </security-domain>
    <security-domain name="SPNEGO" cache-type="default">
        <authentication>
            <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite" module="org.jboss.security.negotiation">
                <module-option name="password-stacking" value="useFirstPass"/>
                <module-option name="serverSecurityDomain" value="Kerberos"/>
            </login-module>
        </authentication>
    </security-domain>
</security-domains>
krb5.conf
[libdefaults]
    default_realm = DOMAIN.COM
    ticket_lifetime = 600
    default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
    permitted_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc

[realms]
    DOMAIN.COM = {
        kdc = dc2.domain.com
        admin_server = dc2.domain.com
        default_domain = DOMAIN.COM
    }

[domain_realm]
    .domain.com = .DOMAIN.COM
    domain.com = DOMAIN.COM
wildfly.keytab (verified KVNO is correct)
KVNO Principal
---- ----------------------------------------------------------------------
   4 HTTP/jb2016.domain.com@DOMAIN.COM (18:AES256 CTS mode with HMAC SHA1-96)
   4 HTTP/jb2016.domain.com@DOMAIN.COM (17:AES128 CTS mode with HMAC SHA1-96)
   4 HTTP/jb2016.domain.com@DOMAIN.COM (16:DES3 CBC mode with SHA1-KD)
   4 HTTP/jb2016.domain.com@DOMAIN.COM (23:RC4 with HMAC)
Exception loop
2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) removeRealmFromPrincipal=false
2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) serverSecurityDomain=Kerberos
2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) usernamePasswordDomain=null
2017-05-09 15:49:29,909 INFO [stdout] (default task-3) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2017-05-09 15:49:29,909 INFO [stdout] (default task-3) Refreshing Kerberos configuration
2017-05-09 15:49:29,909 INFO [stdout] (default task-3) Java config name: C:/java/tools/wildfly/bin/krb5.conf
2017-05-09 15:49:29,925 INFO [stdout] (default task-3) Loaded from Java config
2017-05-09 15:49:29,925 INFO [stdout] (default task-3) >>> KdcAccessibility: reset
2017-05-09 15:49:29,925 INFO [stdout] (default task-3) >>> KdcAccessibility: reset
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTab: load() entry length: 82; type: 18
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readNam(): HTTP
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTab: load() entry length: 66; type: 17
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTab: load() entry length: 74; type: 16
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) >>> KeyTab: load() entry length: 66; type: 23
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:29,940 INFO [stdout] (default task-3) Added key: 23version: 5
2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 16version: 5
2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 17version: 5
2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 18version: 5
2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 23version: 5
2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 16version: 5
2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 17version: 5
2017-05-09 15:49:29,956 INFO [stdout] (default task-3) Added key: 18version: 5
2017-05-09 15:49:29,956 INFO [stdout] (default task-3) default etypes for default_tkt_enctypes: 17 23 16.
2017-05-09 15:49:29,972 INFO [stdout] (default task-3) >>> KrbAsReq creating message
2017-05-09 15:49:29,972 INFO [stdout] (default task-3) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
2017-05-09 15:49:30,003 INFO [stdout] (default task-3) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
2017-05-09 15:49:30,003 INFO [stdout] (default task-3) >>> KrbKdcReq send: #bytes read=654
2017-05-09 15:49:30,003 INFO [stdout] (default task-3) >>> KdcAccessibility: remove dc2.domain.com
2017-05-09 15:49:30,019 INFO [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,019 INFO [stdout] (default task-3) Added key: 23version: 5
2017-05-09 15:49:30,019 INFO [stdout] (default task-3) Added key: 16version: 5
2017-05-09 15:49:30,019 INFO [stdout] (default task-3) Added key: 17version: 5
2017-05-09 15:49:30,019 INFO [stdout] (default task-3) Added key: 18version: 5
2017-05-09 15:49:30,019 INFO [stdout] (default task-3) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,034 INFO [stdout] (default task-3) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com
2017-05-09 15:49:30,034 INFO [stdout] (default task-3) principal is HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,034 INFO [stdout] (default task-3) Will use keytab
2017-05-09 15:49:30,034 INFO [stdout] (default task-3) Commit Succeeded
2017-05-09 15:49:30,034 INFO [stdout] (default task-3)
2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Subject = Subject: Principal: HTTP/jb2016.domain.com@DOMAIN.COM Private Credential: Ticket (hex) =
    0000: 61 82 01 0C 30 82 01 08 A0 03 02 01 05 A1 0B 1B a...0...........
    0010: 09 54 41 53 4B 45 2E 43 4F 4D A2 1E 30 1C A0 03 .DOMAIN.COM..0...
    0020: 02 01 02 A1 15 30 13 1B 06 6B 72 62 74 67 74 1B .....0...krbtgt.
    0030: 09 54 41 53 4B 45 2E 43 4F 4D A3 81 D3 30 81 D0 .DOMAIN.COM...0..
    0040: A0 03 02 01 12 A1 03 02 01 03 A2 81 C3 04 81 C0 ................
    0050: 41 9B E9 A5 66 55 42 90 BD 32 8E D4 A1 82 68 40 A...fUB..2....h@
    0060: DE 57 CA 94 DC E1 1B C7 9E F0 A9 A5 B3 33 49 95 .W...........3I.
    0070: 8A A6 55 76 66 DB 43 4E 29 97 62 EF 57 74 FC C8 ..Uvf.CN).b.Wt..
    0080: 5D D0 70 62 AE EE BA C0 D1 BC D1 85 82 2A B6 4B ].pb.........*.K
    0090: DA A9 4A 06 28 41 1F 7C 6F D6 9D 96 2E C6 9E 41 ..J.(A..o......A
    00A0: D0 0F BF BE 36 3E BC AD 03 CD D3 65 EE 16 DF 56 ....6>.....e...V
    00B0: 6A 69 8F F5 56 42 7E E4 40 6F 8E 26 C1 94 24 20 ji..VB..@o.&..$
    00C0: 18 44 40 0D 83 FD 97 B6 8D D9 E5 28 9F 34 16 BF .D@........(.4..
    00D0: 94 79 66 42 28 18 DF 02 37 D3 65 EF D5 A6 0E 81 .yfB(...7.e.....
    00E0: 03 8E 5F C0 F4 1C 25 06 90 9A 83 E5 7F 78 45 6C .._...%......xEl
    00F0: CE 45 64 6C D6 F7 82 CC 52 10 94 7B B3 69 5E FC .Edl....R....i^.
    0100: 51 80 56 BD DE 48 78 05 3E D4 75 A6 A9 B2 35 6A Q.V..Hx.>.u...5j
    Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM
    Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM
    Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
    0000: 00 B6 10 D3 DD 1A 8E 82 A7 5C 7C 90 3B DD 1D A3 .........\..;...
    Forwardable Ticket false
    Forwarded Ticket false
    Proxiable Ticket false
    Proxy Ticket false
    Postdated Ticket false
    Renewable Ticket false
    Initial Ticket false
    Auth Time = Tue May 09 19:49:29 UTC 2017
    Start Time = Tue May 09 19:49:29 UTC 2017
    End Time = Wed May 10 05:49:29 UTC 2017
    Renew Till = null
    Client Addresses Null
    Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Logged in 'Kerberos' LoginContext
2017-05-09 15:49:30,050 INFO [stdout] (default task-3) [Krb5LoginModule]: Entering logout
2017-05-09 15:49:30,050 INFO [stdout] (default task-3) [Krb5LoginModule]: logged out Subject
2017-05-09 15:49:30,050 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) NegotiationContext.setContinuationRequired(true)
2017-05-09 15:49:30,050 DEBUG [org.jboss.security] (default task-3) PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:192)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
    at javax.security.auth.login.LoginContext.login(Unknown Source)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
    at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
    at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:101)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) removeRealmFromPrincipal=false
2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) serverSecurityDomain=Kerberos
2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) usernamePasswordDomain=null
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Refreshing Kerberos configuration
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Java config name: C:/java/tools/wildfly/bin/krb5.conf
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Loaded from Java config
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) >>> KdcAccessibility: reset
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 23version: 5
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 16version: 5
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 17version: 5
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 18version: 5
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 23version: 5
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 16version: 5
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 17version: 5
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) Added key: 18version: 5
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) default etypes for default_tkt_enctypes: 17 23 16.
2017-05-09 15:49:30,081 INFO [stdout] (default task-4) >>> KrbAsReq creating message
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=654
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> KdcAccessibility: remove dc2.domain.com
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 23version: 5
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 16version: 5
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 17version: 5
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Added key: 18version: 5
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) principal is HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Will use keytab
2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Commit Succeeded
2017-05-09 15:49:30,097 INFO [stdout] (default task-4)
2017-05-09 15:49:30,097 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Subject = Subject: Principal: HTTP/jb2016.domain.com@DOMAIN.COM Private Credential: Ticket (hex) =
    0000: 61 82 01 0C 30 82 01 08 A0 03 02 01 05 A1 0B 1B a...0...........
    0010: 09 54 41 53 4B 45 2E 43 4F 4D A2 1E 30 1C A0 03 .DOMAIN.COM..0...
    0020: 02 01 02 A1 15 30 13 1B 06 6B 72 62 74 67 74 1B .....0...krbtgt.
    0030: 09 54 41 53 4B 45 2E 43 4F 4D A3 81 D3 30 81 D0 .DOMAIN.COM...0..
    0040: A0 03 02 01 12 A1 03 02 01 03 A2 81 C3 04 81 C0 ................
    0050: 00 50 D5 73 D8 70 D7 2E AD 43 74 D9 A1 6A 74 2C .P.s.p...Ct..jt,
    0060: 70 CB 23 3A 3A 58 A6 05 F4 31 5C 24 60 64 BD 9C p.#::X...1\$`d..
    0070: B5 DB E5 63 A3 49 AF 2B DC 8A 2E 43 39 03 59 BA ...c.I.+...C9.Y.
    0080: A0 A7 A7 90 E5 8D A1 35 C5 E7 C6 79 83 A1 94 E2 .......5...y....
    0090: 54 77 AD A6 73 A2 8D 98 06 BD 0A 96 4A 0D D3 8C Tw..s.......J...
    00A0: 08 21 D7 50 B0 C6 1B 2C B3 13 F2 D7 5E 32 3D 24 .!.P...,....^2=$
    00B0: A0 18 51 82 6C E9 10 92 F7 DF 0A 6F 52 D7 72 53 ..Q.l......oR.rS
    00C0: 70 73 71 82 19 E3 56 73 CE 38 B7 6A CE 65 AF F6 psq...Vs.8.j.e..
    00D0: FC 05 01 50 82 50 82 5A E9 DC F1 9B 18 9A 0B E3 ...P.P.Z........
    00E0: FF 55 31 EE 21 E7 1B 1A A9 58 8A B3 50 F1 E7 1B .U1.!....X..P...
    00F0: AB 96 F1 37 BC A8 1F EE C8 54 FD 27 5E A7 4B CD ...7.....T.'^.K.
    0100: 47 A6 B4 97 C9 EC 3C 3F 2B 2D 61 B7 05 1E D2 56 G.....<?+-a....V
    Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM
    Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM
    Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
    0000: 5D 63 BA 79 64 01 1D 8C 66 F4 6B 6F A9 80 85 BF ]c.yd...f.ko....
    Forwardable Ticket false
    Forwarded Ticket false
    Proxiable Ticket false
    Proxy Ticket false
    Postdated Ticket false
    Renewable Ticket false
    Initial Ticket false
    Auth Time = Tue May 09 19:49:29 UTC 2017
    Start Time = Tue May 09 19:49:29 UTC 2017
    End Time = Wed May 10 05:49:29 UTC 2017
    Renew Till = null
    Client Addresses Null
    Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Logged in 'Kerberos' LoginContext
2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Creating new GSSContext.
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Entered Krb5Context.acceptSecContext with state=STATE_NEW
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Added key: 23version: 5
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Added key: 16version: 5
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Added key: 17version: 5
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) Added key: 18version: 5
2017-05-09 15:49:30,190 INFO [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) default etypes for permitted_enctypes: 17 23 16.
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) MemoryCache: add 1494359370/000065/5D08B107F11CA334A023AAABC7B198BB/user@DOMAIN.COM to user@DOMAIN.COM|HTTP/jb2016.domain.com@DOMAIN.COM
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) >>> KrbApReq: authenticate succeed.
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) Krb5Context setting peerSeqNumber to: 1582590877
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) Krb5Context setting mySeqNumber to: 528134496
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) >>> Constrained deleg from GSSCaller{UNKNOWN}
2017-05-09 15:49:30,206 INFO [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getCredDelegState() = true
2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getMutualAuthState() = true
2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getSrcName() = user@DOMAIN.COM
2017-05-09 15:49:30,222 INFO [stdout] (default task-4) [Krb5LoginModule]: Entering logout
2017-05-09 15:49:30,222 INFO [stdout] (default task-4) [Krb5LoginModule]: logged out Subject
2017-05-09 15:49:30,222 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Storing username 'user@DOMAIN.COM' and empty password
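
A triage sketch for a debug log like the one above, added here as an example and not part of the original post: it splits WildFly output on the entry prefix (so it also works when line breaks were lost), groups entries by request thread, and reports how far each request got, using marker strings that appear in the posted log. `SAMPLE_LOG` is constructed and abridged in the log's format, and reading a round that stops at `Continuation Required` as the server's challenge is an assumption.

```python
import re

# One WildFly entry prefix: date, time, LEVEL, [category]; then (thread) and message.
# Splitting on this prefix also works when the log's line breaks were lost.
STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} +[A-Z]+ +\[[^\]]+\]"
ENTRY = re.compile(STAMP + r" +\(([^)]+)\) ?(.*?)(?=" + STAMP + r"|\Z)", re.S)
SRC_NAME = re.compile(r"context\.getSrcName\(\) = (\S+)")

# Constructed sample: first request flattened onto one line, second one per line.
SAMPLE_LOG = (
    "2017-05-09 15:49:30,034 INFO [stdout] (default task-3) Commit Succeeded "
    "2017-05-09 15:49:30,050 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] "
    "(default task-3) NegotiationContext.setContinuationRequired(true) "
    "2017-05-09 15:49:30,050 DEBUG [org.jboss.security] (default task-3) PBOX00206: "
    "Login failure: javax.security.auth.login.LoginException: Continuation Required.\n"
    "2017-05-09 15:49:30,097 INFO [stdout] (default task-4) Commit Succeeded\n"
    "2017-05-09 15:49:30,206 INFO [stdout] (default task-4) >>> KrbApReq: authenticate succeed.\n"
    "2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] "
    "(default task-4) context.getSrcName() = user@DOMAIN.COM\n"
)


def spnego_rounds(log_text):
    """Group entries by request thread and note which handshake stages each reached."""
    rounds = {}
    for thread, msg in ENTRY.findall(log_text):
        r = rounds.setdefault(thread, {"keytab_login": False, "challenge": False,
                                       "ticket_accepted": False, "client": None})
        if "Commit Succeeded" in msg:                # service logged in from its keytab
            r["keytab_login"] = True
        if "Continuation Required" in msg:           # SPNEGO module wants another leg
            r["challenge"] = True
        if "KrbApReq: authenticate succeed" in msg:  # client's service ticket accepted
            r["ticket_accepted"] = True
        m = SRC_NAME.search(msg)
        if m:
            r["client"] = m.group(1)                 # principal taken from the ticket
    return rounds


def outcome(r):
    """Furthest stage a request reached; accepted ticket outranks a challenge."""
    if r["ticket_accepted"]:
        return "ticket-accepted"
    if r["challenge"]:
        return "challenge-only"
    return "keytab-login-only" if r["keytab_login"] else "no-kerberos-activity"


def summarize(log_text):
    """One (thread, outcome, client principal) tuple per request, in log order."""
    return [(t, outcome(r), r["client"]) for t, r in spnego_rounds(log_text).items()]


def kerberos_leg_completed(log_text):
    """True if any request got as far as an accepted service ticket."""
    return any(o == "ticket-accepted" for _, o, _ in summarize(log_text))


if __name__ == "__main__":
    for thread, result, client in summarize(SAMPLE_LOG):
        print(f"{thread}: {result} client={client}")
```

If every request in a loop ends as `challenge-only`, no service ticket was accepted in the captured window; a `ticket-accepted` round means the keytab and encryption types worked for that request.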