We are trying to implement SSO in our web application with the help of SPNEGO in JBOSS AS 4.2.2.
We are using ‘security-negotiation-2.0.3.GA’ and have followed the user guide Negotiation_User_Guide_(en-US).pdf. After making all changes as mentioned in the user guide, we tried out the Negotiation Toolkit web application to test various aspects of the SPNEGO configuration. The first two tests (‘Basic Negotiation’ servlet and ‘Security Domain Test’ servlet) were successful; however, for the third servlet (‘Secured’), we are getting the following error:
2010-07-07 14:45:27,304 TRACE [org.jboss.security.plugins.JaasSecurityManager.SPNEGO] Login failure
javax.security.auth.login.LoginException: Continuation Required.
2010-07-07 14:45:27,398 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Unable to authenticate
GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
Also, when we run the test using kinit username@KERBEROS.REALM.COM, it prompts us for a password. On entering the correct password, it throws the following exception:
Exception: krb_error 31 Integrity check on decrypted field failed (31) Integrity check on decrypted field failed KrbException: Integrity check on decrypted field failed (31)
We are using Active Directory with Windows Server 2003 service pack 2, JBOSS AS 4.2.2 on Windows XP service pack 2 and Internet Explorer 6 as client from a Windows XP service pack 2 box.
Could anyone help us fix these exceptions and get our Kerberos SSO working? Also, we have some specific questions where we think we might have gone wrong:
1) We executed ktpass as:
ktpass -princ email@example.com -pass * -mapuser DOMAIN\username -out C:\username.host.keytab
Is it correct? Or do we need to execute it as:
ktpass -princ HTTPfirstname.lastname@example.org -pass * -mapuser DOMAIN\username -out C:\username.host.keytab?
(Note the difference of host vs HTTP)
The documentation at http://community.jboss.org/wiki/ConfiguringJBossNegotiationinanallWindowsDomain says that we should execute it with HTTP, while the user guide mentions it should be host.
2) Do we need to execute ktab.exe on the machine where JBOSS is running? Again, the user guide asks for it, but the documentation at the URL given above doesn't mention that.
3) The account created for JBoss server on active directory is using the same name as the name of the server host machine. Is this fine? Or should the account name be different from the name of the machine hosting the server?
Any help will be much appreciated.
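As an added diagnostic (not from the original post or from the JBoss Negotiation project), here is a small Python parser for the MIT-format keytab (version 0x0502) that ktpass writes: it lists each entry's principal, kvno and encryption type, so you can see whether the file holds an HTTP/ or a host/ service principal and whether that principal has an RC4-HMAC key matching the enctype named in the GSSException. The hostname, realm and key bytes in the embedded sample are constructed.

```python
import struct

ETYPES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def parse_keytab(data):
    """Return one dict (principal, kvno, etype) per live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos < len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:                      # negative size marks a deleted slot: skip it
            pos -= size
            continue
        body, pos = data[pos:pos + size], pos + size
        ncomp, rlen = struct.unpack(">HH", body[:4])
        realm, off, comps = body[4:4 + rlen].decode(), 4 + rlen, []
        for _ in range(ncomp):            # name components, e.g. ["HTTP", "host.fqdn"]
            clen = struct.unpack(">H", body[off:off + 2])[0]
            comps.append(body[off + 2:off + 2 + clen].decode())
            off += 2 + clen
        # name_type, timestamp, 8-bit kvno, enctype, key length; the key bytes follow
        _nt, _ts, vno8, etype, klen = struct.unpack(">IIBHH", body[off:off + 13])
        off += 13 + klen
        kvno = vno8
        if len(body) - off >= 4:          # optional 32-bit kvno overrides vno8 when non-zero
            kvno = struct.unpack(">I", body[off:off + 4])[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "etype": ETYPES.get(etype, "etype-%d" % etype)})
    return entries

def has_spnego_key(entries, fqdn, realm, etype="rc4-hmac"):
    """True if the keytab holds HTTP/<fqdn>@<REALM> with a key of the given enctype."""
    want = "HTTP/%s@%s" % (fqdn, realm)
    return any(e["principal"] == want and e["etype"] == etype for e in entries)

def _entry(comps, realm, kvno, etype, key):
    """Build one keytab entry for the constructed sample below (dummy key bytes)."""
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    return struct.pack(">i", len(body) + 13 + len(key)) + body + struct.pack(
        ">IIBHH", 1, 1278500000, kvno, etype, len(key)) + key

# Constructed sample: a host/ RC4-HMAC key plus an HTTP/ DES key (the host-vs-HTTP mix-up)
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry(["host", "jboss01.example.com"], "EXAMPLE.COM", 3, 23, b"\x11" * 16)
                 + _entry(["HTTP", "jboss01.example.com"], "EXAMPLE.COM", 3, 3, b"\x22" * 8))
```

Run parse_keytab on the bytes of your real keytab file and compare the listed principal and enctype with the SPN the browser requests and the enctype in the GSSException; a kvno that differs from the one in the directory is also visible here.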