0 Replies Latest reply on Jun 16, 2010 7:45 AM by Nick Stimpson

    JBoss Negotiation on a Windows Network

    Nick Stimpson Newbie

      I'm trying hard without success getting JBoss Negotiation working. I have a few questions.

       

      I am working with a Windows 2003 Domain Controller, a JBoss 5.1.0 on Java 1.6.0_16 running on a Windows 2003 server, and my browser is running on a Win XP SP3 machine.

       

      First I followed the instructions in the user guide.

       

      This didn't work, so I used a username that differed from the hostname.

       

      Initially, the version of the Ktpass utility for the domain controller was an early one, which defaulted to creating a keytab with a DES-CBC-CRC (type 0x3) encryption key. Using that with the negotiation toolkit, it passed the Basic Negotiation test and the Security Domain Test, but failed the Secured test with "Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC".

       

      So, I downloaded the Win2003 SP Support tools and used the Ktpass utility from that, which gave me a keytab with an RC4-HMAC (type 0x17) encryption key. Using that with the negotiation toolkit, it passed the Basic Negotiation  test but failed the Security Domain Test with "KDC has no support for  encryption type (14)"

       

      Next I tried using ktab -a {username}@{realm} as per the user guide. Using that with the negotiation toolkit, it passed the Basic Negotiation   test but failed the Security Domain Test with "Key for the principal host/{username}@{realm} not available in the {keytab file}"

       

      So, I tried using ktab -a host/{username}@{realm}. Using that with the negotiation toolkit, it passed the Basic  Negotiation   test but failed the Security Domain Test with "Integrity check on decrypted field failed (31)"

       

      In desperation, I patched together the keytab file from the first two tests so that I had a keytab file that had both the DEC-CBC-CRC and RC4-HMAC encryption keys, from ktpass. Using that with the negotiation toolkit, it passed the Basic   Negotiation   test and the Security Domain Test, but failed the Secured test with "GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)" in sun.security.krb5.internalcrypto.dk.ArcFourCrypto.decrypt; line 388.

       

      I've since found http://community.jboss.org/wiki/ConfiguringJBossNegotiationinanallWindowsDomain which differs significantly from the user guide setup and I haven't tried that yet. But in the meantime, Googling for the above problems has raised some other questions.

       

      1. allowtgtsessionkey = 1. Do I have to set this? If so, on which machine; the KDC? the jboss server host? the browser client machine? All of them?

      Does the fact that when using the DES-CBC-CRC encryption key, I don't get the "KDC has no support for  encryption type (14)" failure imply that this isn't my problem? On the other hand, Why does the KDC issue RC4-HMAC tickets if it has no support for RC4-HMAC?

       

      2. What is the difference between the host/{hostname}@{realm} and HTTP/{hostname}@{realm} principals. Why does the user guide say use "host/" and the ConfiguringJBossNegotiationinanallWindowsDomain page say use "HTTP/"

       

      3. Is it necessary to set default_tkt_enctypes and default_tgs_enctypes and if so how should I do this? Why does the all the other java based SPNEGO systems say to set this via a krb5.conf or krb5.ini file, but I can't find any mention of it in the JBOSS Negotiation documentation.

       

      Thanks for explanations on any part of these questions.