5 Replies Latest reply on Nov 29, 2012 11:07 AM by guillaume cornet

    Configure AS7 to authenticate users with kerberos

    fremak Newbie

      Hi all!

      It's the first time in my life I'm using JBoss and I decided to start with a very simple task: authenticating users that access our web application using a Kerberos server. Please, can someone point me to any resource or example I may read to accomplish this task?

      I looked for Kerberos in the documentation and I found some matches that point to the security subsystem and security domain section, but I was not able to achieve any result.

      Thanks

      fil

        • 1. Re: Configure AS7 to authenticate users with kerberos
          Darran Lofthouse Master

          Are you familiar with the KDC side of the configuration to obtain a valid keytab for your AS installation?

          The AS-specific configuration is in this article:

            Using JBoss Negotiation on AS7
          • 2. Re: Configure AS7 to authenticate users with kerberos
            fremak Newbie

            Thanks for your answer Darran,

            I started studying how Kerberos works, so I read this document: http://www.kerberos.org/software/tutorial.html

            If I understood correctly, in order to have an instance of JBoss authenticating with Kerberos, we should register the AS as a service handled by the KDC. It's the only way Kerberos works, right?

            thanks again

            fil

            • 3. Re: Configure AS7 to authenticate users with kerberos
              Darran Lofthouse Master

              Is your Kerberos server Windows or something else like an MIT KDC? If I know which one you are looking at I can point you to some docs that cover it further.

              You are correct in that the AS7 server needs to have a principal assigned to it; this needs to be mapped to a service principal for it to be able to handle requests. As part of the negotiation, as the connection is made, the client retrieves a ticket from the KDC for the expected identity of the server, so as the negotiation messages are exchanged both the client and the server verify each other.

              • 4. Re: Configure AS7 to authenticate users with kerberos
                Antoan Nikolaev Newbie

                I think JBoss will be better if there is comprehensive documentation on the Kerberos setup, from A to Z. I've been working on this for a couple of days and must tell you it is not a picnic. The hardest part in my case was to get the Linux box connected to the KDC. I've got that done and now am stuck on the SPNEGO piece.

                I'll be happy to contribute if anyone helps resolve the issue.

                Do you have any idea what "Mechanism level: Checksum failed" means?

                13:14:57,898 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-0.0.0.0-0.0.0.0-8082-1) Unable to authenticate: GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
                        at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741) [:1.6.0_10]
                        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323) [:1.6.0_10]
                        at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267) [:1.6.0_10]
                        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:396) [jboss-negotiation-2.2.0.Beta3.jar:2.2.0.Beta3]
                        at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_10]
                        at javax.security.auth.Subject.doAs(Subject.java:337) [:1.6.0_10]
                        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:237) [jboss-negotiation-2.2.0.Beta3.jar:2.2.0.Beta3]
                        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:194) [jboss-negotiation-2.2.0.Beta3.jar:2.2.0.Beta3]
                        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:137) [jboss-negotiation-2.2.0.Beta3.jar:2.2.0.Beta3]
                        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_10]
                        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_10]
                        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_10]
                        at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_10]
                        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [:1.6.0_10]
                        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [:1.6.0_10]
                        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [:1.6.0_10]
                        at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_10]
                        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [:1.6.0_10]
                        at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [:1.6.0_10]
                        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:411) [picketbox-infinispan-4.0.1.jar:4.0.1]

                • 5. Re: Configure AS7 to authenticate users with kerberos
                  guillaume cornet Newbie

                  Hi Antoan,

                  I faced the same problem (e.g. 'Checksum failed'), and, in my case, I solved this error by changing the 'host' security-domain configuration.

                  According to https://community.jboss.org/wiki/DRAFTUsingJBossNegotiationOnAS7, the 'host' security-domain should be configured like this:

                      <security-domain name="host" cache-type="default">
                          <authentication>
                              <login-module code="Kerberos" flag="required">
                                  <module-option name="storeKey" value="true"/>
                                  <module-option name="useKeyTab" value="true"/>
                                  <module-option name="principal" value="host/testserver@MY_REALM"/>
                                  <module-option name="keyTab" value="/home/username/service.keytab"/>
                                  <module-option name="doNotPrompt" value="true"/>
                                  <module-option name="debug" value="false"/>
                              </login-module>
                          </authentication>
                      </security-domain>

                  In my case, the solution was to configure it like this:

                      <security-domain name="host" cache-type="default">
                          <authentication>
                              <login-module code="Kerberos" flag="required">
                                  <module-option name="storeKey" value="true"/>
                                  <module-option name="useKeyTab" value="true"/>
                                  <module-option name="principal" value="HTTP/{testserver}"/>
                                  <module-option name="keyTab" value="/home/username/service.keytab"/>
                                  <module-option name="doNotPrompt" value="true"/>
                                  <module-option name="debug" value="false"/>
                              </login-module>
                          </authentication>
                      </security-domain>

                  where {testserver} is the FQDN of the machine.

                  Cheers
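Added example (not code from the thread or from JBoss): a small checker for the mismatch behind Darran's explanation and guillaume's fix. A browser requests a ticket for HTTP/<fqdn>, so the acceptor's principal must be that SPN and the keytab must hold its key; the security-domain XML is the thread's, while the keytab principal list and the FQDN are constructed stand-ins for what `klist -kt` and the host would report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the first (failing) security-domain posted in this thread.
SECURITY_DOMAIN_XML = """
<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="storeKey" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="principal" value="host/testserver@MY_REALM"/>
      <module-option name="keyTab" value="/home/username/service.keytab"/>
      <module-option name="doNotPrompt" value="true"/>
    </login-module>
  </authentication>
</security-domain>
"""

# Constructed stand-in for the principals a `klist -kt service.keytab` run would list.
KEYTAB_PRINCIPALS = ["HTTP/testserver.example.com@MY_REALM"]
# Constructed stand-in for the server's FQDN (what socket.getfqdn() would return).
SERVER_FQDN = "testserver.example.com"


def kerberos_module_options(xml_text):
    """Return the module-options of the Kerberos login-module as a dict."""
    root = ET.fromstring(xml_text)
    opts = {}
    for lm in root.iter("login-module"):
        if lm.get("code") == "Kerberos":
            for opt in lm.findall("module-option"):
                opts[opt.get("name")] = opt.get("value")
    return opts


def check_spn(principal, fqdn, keytab_principals):
    """List the reasons an SPNEGO acceptor using `principal` would fail."""
    problems = []
    m = re.fullmatch(r"([^/]+)/([^@]+)(?:@(.+))?", principal)
    if not m:
        return ["principal is not of the form service/host[@REALM]"]
    service, host = m.group(1), m.group(2)
    if service != "HTTP":  # browsers build the SPN as HTTP/<fqdn>, case-sensitive
        problems.append("service part must be HTTP for browser SPNEGO, got %r" % service)
    if host != fqdn:       # short hostname vs. FQDN is the classic mismatch
        problems.append("host part %r does not match server FQDN %r" % (host, fqdn))
    expected = "HTTP/%s" % fqdn
    if not any(p == expected or p.startswith(expected + "@") for p in keytab_principals):
        problems.append("keytab holds no key for %s" % expected)
    return problems


def check_security_domain(xml_text, fqdn, keytab_principals):
    """Combine both checks: read the principal from the XML, then validate it."""
    return check_spn(kerberos_module_options(xml_text)["principal"], fqdn, keytab_principals)
```

With the thread's first configuration this reports both the `host/` service part and the short hostname; with `HTTP/testserver.example.com` it reports nothing.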