0 Replies Latest reply on Jul 2, 2010 7:38 AM by Neelesh Korade

    Issues in SSO using JBoss Negotiation

    Neelesh Korade Newbie

      Hi All

      I am stuck with this problem for last many days and am finding it increasingly difficult to solve it.

      I am trying to configure SSO on my application deployed on JBoss (4.2.2) for windows 2000 ADS using Kerberos. I have done all the configurations given in the Negotiation_User_Guide_(en-US).pdf and now trying to test my configuration using the Negotiation Toolkit. Following are the issues I am seeing-

      1) When I access the negotiation toolkit application from the JBoss server machine itself, the Basic Negotiation test fails with the message given below. However, note that the test succeeds when I access the toolkit application from some other machine

      Warning, this is NTLM, only SPNEGO is supported!

      2) I am unable to get the Secured test passed from any machine (including the JBoss server). It gives me HTTP 401 error with the description-

      This request requires HTTP authentication ().

      The log that I see in JBoss server log is different when I access the toolkit test servlet from JBoss server machine and from any other machine. Here's the exception I am seeing in the JBoss server log when I access the test servlet from JBoss server machine-

       

      -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    • 2010-07-01 20:47:01,819 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] abort 
    • 2010-07-01 20:47:01,835 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@14297215 
    • 2010-07-01 20:47:01,835 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: SPNEGO 
    • 2010-07-01 20:47:01,835 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null 
    • 2010-07-01 20:47:01,835 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/E:/JBOSS_ROHIT/jboss-4.2.2.GA/server/tdemand/conf/props/spnego-users.properties, defaults=null 
    • 2010-07-01 20:47:01,851 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[neelesh_korade@PERSISTENT.CO.IN
    • 2010-07-01 20:47:01,851 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null 
    • 2010-07-01 20:47:01,851 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/E:/JBOSS_ROHIT/jboss-4.2.2.GA/server/tdemand/conf/props/spnego-roles.properties, defaults=null 
    • 2010-07-01 20:47:01,851 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[neelesh_korade@PERSISTENT.CO.IN
    • 2010-07-01 20:47:01,851 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort 
    • 2010-07-01 20:47:01,866 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] Login failure 
    • javax.security.auth.login.LoginException: Unsupported negotiation mechanism 'NTLM'. 
    •     at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:111) 
    •     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    •     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 
    •     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 
    •     at java.lang.reflect.Method.invoke(Method.java:585) 
    •     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) 
    •     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) 
    •     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) 
    •     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) 
    •     at javax.security.auth.login.LoginContext.login(LoginContext.java:579) 
    •     at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603) 
    •     at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537) 
    •     at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344) 
    •     at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491) 
    •     at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127) 
    •     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) 
    •     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) 
    •     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) 
    •     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) 
    •     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) 
    •     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) 
    •     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) 
    •     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) 
    •     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) 
    •     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) 
    •     at java.lang.Thread.run(Thread.java:595) 
    • 2010-07-01 20:47:01,882 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] End isValid, false 
    • 2010-07-01 20:47:01,882 TRACE [org.jboss.security.negotiation.common.NegotiationContext] clear 14238537 
    • 2010-07-01 20:47:01,882 TRACE [org.jboss.security.SecurityAssociation] clear, server=true 
    • -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    • And following is the log that I see when I access the test servlet from any other machine-

       

      -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    • 2010-07-01 20:51:35,571 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Logged in 'host' LoginContext 
    • 2010-07-01 20:51:35,571 INFO  [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_IN_PROCESS 
    • 2010-07-01 20:51:35,571 INFO  [STDOUT] 2 
    • 2010-07-01 20:51:35,571 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Result - java.lang.NullPointerException 
    • 2010-07-01 20:51:35,571 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Unable to authenticate 
    • java.lang.NullPointerException 
    •     at sun.security.jgss.GSSNameImpl.<init>(GSSNameImpl.java:95
    •     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:312
    •     at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246
    •     at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294
    •     at javax.security.auth.Subject.doAs(Subject.java:337
    •     at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118
    •     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    •     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39
    •     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25
    •     at java.lang.reflect.Method.invoke(Method.java:585
    •     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769
    •     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186
    •     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683
    •     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680
    •     at javax.security.auth.login.LoginContext.login(LoginContext.java:579
    •     at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603
    •     at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537
    •     at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344
    •     at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491
    •     at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127
    •     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490
    •     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84
    •     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127
    •     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102
    •     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157
    •     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109
    •     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262
    • 2010-07-01 20:51:35,587 INFO  [STDOUT]      [Krb5LoginModule]: Entering logout 
    • 2010-07-01 20:51:35,587 INFO  [STDOUT]      [Krb5LoginModule]: logged out Subject 
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] abort 
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@16410353 
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: SPNEGO 
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null 
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/E:/JBOSS_ROHIT/jboss-4.2.2.GA/server/tdemand/conf/props/spnego-users.properties, defaults=null 
    • 2010-07-01 20:51:35,587 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[neelesh_korade@PERSISTENT.CO.IN] 
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null 
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/E:/JBOSS_ROHIT/jboss-4.2.2.GA/server/tdemand/conf/props/spnego-roles.properties, defaults=null 
    • 2010-07-01 20:51:35,587 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[neelesh_korade@PERSISTENT.CO.IN] 
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort 
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] Login failure 
    • javax.security.auth.login.LoginException: Unable to authenticate - null 
    •     at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:141
    •     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    •     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39
    •     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25
    •     at java.lang.reflect.Method.invoke(Method.java:585
    •     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769
    •     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186
    •     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683
    •     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680
    •     at javax.security.auth.login.LoginContext.login(LoginContext.java:579
    •     at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603
    •     at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537
    •     at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344
    •     at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491
    •     at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127
    •     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490
    •     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84
    •     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127
    •     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102
    •     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157
    •     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109
    •     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262
    •     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844
    •     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583
    •     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446
    •     at java.lang.Thread.run(Thread.java:595
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] End isValid, false 
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.negotiation.common.NegotiationContext] clear 15040729 
    • 2010-07-01 20:51:35,587 TRACE [org.jboss.security.SecurityAssociation] clear, server=true 
    •  
    • -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    •     
    • I am really at a loss in figuring out the issue and a fix. Could anyone help me with this? Let me know if you need any additional details to help me identify the problem.

      Thanks much
      -Neelesh