17 Replies. Latest reply on Dec 11, 2012 11:05 PM by Richard Robinson

    Unable to authenticate to remote domain controller

    Michael G Novice

      Now that I'm able to get the master domain started and running, I can't seem to connect from the secondary machine.

       

      I want to set up a domain with 2 virtual machines so that I have JBoss running on each one.  When I specify the remote domain controller from the second, I get this.

       

       

      INFO  [org.jboss.modules] (main) JBoss Modules version 1.1.0.CR6
      INFO  [org.jboss.as.process.Host Controller.status] (main) JBAS012017: Starting process 'Host Controller'
      ler] 16:13:32,705 INFO  [org.jboss.modules] (main) JBoss Modules version 1.1.0.CR6
      ler] 16:13:32,955 INFO  [org.jboss.msc] (main) JBoss MSC version 1.0.1.GA
      ler] 16:13:33,018 INFO  [org.jboss.as] (MSC service thread 1-3) JBoss AS 7.1.0.CR1 "Flux Capacitor" starting
      ler] 16:13:33,455 INFO  [org.xnio] (MSC service thread 1-3) XNIO Version 3.0.0.CR5
      ler] 16:13:33,471 INFO  [org.xnio.nio] (MSC service thread 1-3) XNIO NIO Implementation Version 3.0.0.CR5
      ler] 16:13:33,471 INFO  [org.jboss.remoting] (MSC service thread 1-3) JBoss Remoting version 3.2.0.CR6-darranl-1
      ler] 16:13:33,924 ERROR [org.jboss.remoting.remote] (Remoting "endpoint" read-1) JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
      ler] 16:13:33,939 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller 129.204.124.148:9999
      ler] 16:13:33,939 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010901: Could not connect to master. Aborting. Error was: java.lang.IllegalStateException: JBAS010942: Unable to connect due to authentication failure.
      ler] 16:13:33,971 INFO  [org.jboss.as] (MSC service thread 1-4) JBoss AS 7.1.0.CR1 "Flux Capacitor" stopped in 26ms
      INFO  [org.jboss.as.process.Host Controller.status] (reaper for Host Controller) JBAS012010: Process 'Host Controller' finished with an exit status of 99
      INFO  [org.jboss.as.process] (Thread-8) JBAS012016: Shutting down process controller
      INFO  [org.jboss.as.process] (Thread-8) JBAS012015: All processes finished; exiting
       to continue . . .
      
      

       

      I followed these two posts, which seemed to be my problem as well, but neither one worked: https://community.jboss.org/thread/176895 and https://community.jboss.org/message/640344#640344. I also read the documentation here: https://docs.jboss.org/author/display/AS7/Securing+the+Management+Interfaces.

       

      But I still can't get the second server to authenticate to the master.  Any thoughts as to what I might be doing wrong?

       

      Thanks

        • 1. Re: Unable to authenticate to remote domain controller
          Tomaz Cerar Master

          What does your configuration on the HC and DC look like?

          • 2. Re: Unable to authenticate to remote domain controller
            Kairi Henry Newbie

            I just had the same issue. Accurate documentation is really needed because it's such a simple process.

             

            1st. Make sure your host name (node02) is added as a user to both the master and slave nodes.

            <host name="node02" xmlns="urn:jboss:domain:1.1" xmlns:xsd="http://www.w3.org/2001/XMLSchema-instance">

             

            2nd. Do the base64 trick on the password and populate the secret attribute in security.

                <security-realms>
                    <security-realm name="ManagementRealm">
                        <server-identities>
                            <secret value="YWRtaW4xMjM="/>
                        </server-identities>
                        <authentication>
                            <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                        </authentication>
                    </security-realm>
                </security-realms>

             

            3rd. Start the node server. Good Luck and hope this helps. Just need one accurate document on starting a domain cluster.

            • 3. Re: Unable to authenticate to remote domain controller
              Darran Lofthouse Master

              Hi all, once this phase of development is complete we will be undertaking another round trip on the documentation to make sure it is all there - however as an Open Source project if anyone is seeing gaps please feel free to contribute your own updates or articles here especially covering any parts you had issues with so we can try and make sure it is all incorporated in the docs.

              • 4. Re: Unable to authenticate to remote domain controller
                Michael G Novice

                Thanks for the replies.

                 

                I know I'm doing something stupid but I can't seem to trace it.

                 

                Here is my host.xml file for the secondary server.

                 

                 

                <?xml version='1.0' encoding='UTF-8'?>
                
                <host name="secondary" xmlns="urn:jboss:domain:1.1">
                
                    <management>
                        <security-realms>
                            <security-realm name="ManagementRealm">
                                <authentication>
                                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                                </authentication>
                                <server-identities>
                                    <secret value="aWJlc2Vjb25k" />
                                </server-identities>
                            </security-realm>
                        </security-realms>
                
                        <management-interfaces>
                            <native-interface security-realm="ManagementRealm">
                                <socket interface="management" port="${jboss.management.native.port:9999}"/>
                            </native-interface>
                            <http-interface security-realm="ManagementRealm">
                                <socket interface="management" port="${jboss.management.http.port:9990}"/>
                            </http-interface>
                        </management-interfaces>
                    </management>
                
                    <domain-controller>
                            <remote host="129.204.124.148" port="9999" security-realm="ManagementRealm"/>
                    </domain-controller>
                
                    <interfaces>
                        <interface name="management">
                            <inet-address value="${jboss.bind.address.management:129.204.124.154}"/>
                        </interface>
                        <interface name="public">
                           <inet-address value="${jboss.bind.address:129.204.124.154}"/>
                        </interface>
                    </interfaces>
                
                     <jvms>
                        <jvm name="default">
                          <heap size="64m" max-size="256m"/>
                       </jvm>
                     </jvms>
                
                    <servers>
                        <server name="server-two" group="main-server-group">
                        </server>
                    </servers>
                </host>
                

                 

                And here is the host.xml on the DC:

                 

                 

                <?xml version='1.0' encoding='UTF-8'?>
                
                <host name="primary" xmlns="urn:jboss:domain:1.1">
                
                    <management>
                        <security-realms>
                            <security-realm name="ManagementRealm">
                                <authentication>
                                    <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>
                                </authentication>
                            </security-realm>
                        </security-realms>
                        <management-interfaces>
                            <native-interface security-realm="ManagementRealm">
                                <socket interface="management" port="${jboss.management.native.port:9999}"/>
                            </native-interface>
                            <http-interface security-realm="ManagementRealm">
                                <socket interface="management" port="${jboss.management.http.port:9990}"/>
                            </http-interface>
                        </management-interfaces>
                    </management>
                
                    <domain-controller>
                       <local/>
                    </domain-controller>
                
                    <interfaces>
                        <interface name="management">
                            <inet-address value="129.204.124.148"/>
                        </interface>
                        <interface name="public">
                           <inet-address value="129.204.124.148"/>
                        </interface>
                    </interfaces>
                
                     <jvms>
                        <jvm name="default">
                          <heap size="1024m" max-size="1024m"/>
                       </jvm>
                     </jvms>
                
                    <servers>
                        <server name="server-one" group="main-server-group">
                        </server>        
                    </servers>
                </host>
                

                 

                 

                I start the main DC using the domain.bat script, and for the secondary server I use the same script.  Is that how it's supposed to work?  Both of the mgmt-users.properties files have the user secondary in them, along with the same password.

                 

                So I'm not sure what I'm still doing wrong.  Any other thoughts or suggestions?

                • 5. Re: Unable to authenticate to remote domain controller
                  Darran Lofthouse Master

                  Can you also post the line from the properties file for the user secondary?  I will compare the values outside of the AS environment.

                  • 6. Re: Unable to authenticate to remote domain controller
                    Michael G Novice

                    secondary=463a52cddebf816ae343d872733538e9

                     

                    the pw should be ibesecond

                     

                    Thanks
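
The comparison described in reply 5 can be done offline. The following is an added example, not part of the thread and not JBoss code: it decodes the base64 secret from the secondary's host.xml (base64 is an encoding, so anyone who can read host.xml can recover the password) and checks it against the DC's mgmt-users.properties entry. It assumes the properties value is HEX(MD5(username:realm:password)) with the host name as the username; the function names are hypothetical and the XML is trimmed from the host.xml posted above.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

HOST_NS = {"h": "urn:jboss:domain:1.1"}  # namespace of the host.xml in the thread

# Trimmed copy of the secondary's host.xml from reply 4 (only the parts the check reads).
SLAVE_HOST_XML = """<host name="secondary" xmlns="urn:jboss:domain:1.1">
  <management>
    <security-realms>
      <security-realm name="ManagementRealm">
        <server-identities><secret value="aWJlc2Vjb25k"/></server-identities>
      </security-realm>
    </security-realms>
  </management>
</host>"""

# Line posted in reply 6 for the DC's mgmt-users.properties.
DC_USERS = "secondary=463a52cddebf816ae343d872733538e9"


def slave_identity(host_xml, realm="ManagementRealm"):
    """Return (username, password) the host controller presents to the DC."""
    root = ET.fromstring(host_xml)
    secret = root.find(
        "h:management/h:security-realms/h:security-realm[@name='%s']"
        "/h:server-identities/h:secret" % realm, HOST_NS)
    if secret is None:
        raise ValueError("no <secret> under <server-identities> for realm " + realm)
    password = base64.b64decode(secret.get("value"), validate=True).decode("utf-8")
    return root.get("name"), password  # assumption: host name is the username


def ha1(username, realm, password):
    """Assumed stored format: hex MD5 of 'username:realm:password'."""
    data = "%s:%s:%s" % (username, realm, password)
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def parse_users(properties_text):
    """Parse username=hash lines, skipping comments and blank lines."""
    users = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        users[name.strip()] = value.strip().lower()
    return users


def check(host_xml, dc_properties, realm="ManagementRealm"):
    """Return 'ok', 'missing-user' or 'hash-mismatch' for the slave's identity."""
    username, password = slave_identity(host_xml, realm)
    users = parse_users(dc_properties)
    if username not in users:
        return "missing-user"
    if hmac.compare_digest(users[username], ha1(username, realm, password)):
        return "ok"
    return "hash-mismatch"


if __name__ == "__main__":
    user, _ = slave_identity(SLAVE_HOST_XML)
    # Prints the verdict for the values posted in the thread without echoing the password.
    print(user, check(SLAVE_HOST_XML, DC_USERS))
```

A result of "ok" means the credentials are consistent on both sides and the failure lies elsewhere, which is how the thread ends up at a server-side bug rather than a configuration error.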

                    • 7. Re: Unable to authenticate to remote domain controller
                      Kairi Henry Newbie

                      Adding tracing levels to the logging output on the master node is what pointed me in the right direction. I had so many mistakes with the password, I really wouldn't have figured it out blind. Maybe the master node should display the connection errors of remote nodes trying to connect; it's really helpful information. Don't want to be a back seat driver, LOL.

                       

                      Check your property files to make sure that data is alike on both nodes. Maybe even redo adding a user.

                       

                      Kai-

                      • 8. Re: Unable to authenticate to remote domain controller
                        Michael G Novice

                        Kairi

                         

                        What would be good log settings that would give the most useful amount of information?

                         

                        Thanks

                        • 9. Re: Unable to authenticate to remote domain controller
                          Kairi Henry Newbie

                          Below is what my logging.properties looked like on my master and slave nodes.

                           

                          # Additional logger names to configure (root logger is always configured)
                          #loggers=org.jboss.whatever,org.jboss.foo
                          loggers=org.jboss,org.jboss.modules
                          logger.org.jboss.level=TRACE

                          logger.org.jboss.modules.level=INFO

                          # Root logger level
                          logger.level=${jboss.boot.server.log.level:INFO}
                          # Root logger handlers
                          logger.handlers=FILE,CONSOLE

                          # Console handler configuration
                          handler.CONSOLE=org.jboss.logmanager.handlers.ConsoleHandler
                          handler.CONSOLE.properties=autoFlush
                          #handler.CONSOLE.level=${jboss.boot.server.log.console.level:INFO}
                          handler.CONSOLE.autoFlush=true
                          handler.CONSOLE.formatter=PATTERN

                          # File handler configuration
                          handler.FILE=org.jboss.logmanager.handlers.FileHandler
                          handler.FILE.level=DEBUG
                          handler.FILE.properties=autoFlush,fileName
                          handler.FILE.autoFlush=true
                          handler.FILE.fileName=${org.jboss.boot.log.file:boot.log}
                          handler.FILE.formatter=PATTERN

                          # Formatter pattern configuration
                          formatter.PATTERN=org.jboss.logmanager.formatters.PatternFormatter
                          formatter.PATTERN.properties=pattern
                          formatter.PATTERN.pattern=%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n

                          • 10. Re: Unable to authenticate to remote domain controller
                            Tomaz Cerar Master

                            Hi,

                             

                            Configuration looks OK...

                            From the log it looks like you are using JBoss 7.1.0.CR1, which has a bug in how it handles security...

                            That is why 7.1.0.CR1b was released to address this issue...

                             

                            Please try with JBoss CR1b or any nightly build.

                             

                            cheers,

                            tomaz

                            • 11. Re: Unable to authenticate to remote domain controller
                              Michael G Novice

                              OK, I'll try the CR1b build.

                               

                              Thanks

                              • 12. Re: Unable to authenticate to remote domain controller
                                Michael G Novice

                                Well, this is kind of interesting.  Before trying the beta CR I thought maybe I could remove the security around the management interfaces.  Took that out of the domain controller host file and from the host controller files and it is still giving me the same error.  Is it not possible to connect without a security-realm configured?

                                • 13. Re: Unable to authenticate to remote domain controller
                                  Tomaz Cerar Master

                                  Hi,

                                   

                                  7.1.0.CR1b is not a beta build but a second release of CR1 with four bugs fixed...

                                  For more: https://issues.jboss.org/secure/ReleaseNote.jspa?projectId=12311211&version=12318697

                                   

                                  In your case this was the issue: https://issues.jboss.org/browse/AS7-3125

                                  The issue describes how you can manually fix it without downloading a whole new distro...

                                   

                                  Because of the same bug you cannot disable it...

                                   

                                  cheers,

                                  tomaz

                                  • 14. Re: Unable to authenticate to remote domain controller
                                    Michael G Novice

                                    OK, that worked to get around the initial authentication problem.

                                     

                                    Thanks for that.

                                     

                                    But I see this. Is it something I should be concerned about? Is it fixed in the CR1b?  I didn't see the second server in the domain status console.  Should I be able to?

                                     

                                    Thanks

                                     

                                     

                                    [Server:server-two] 10:39:09,892 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC00001: Failed to start service jboss.host.controller.channel: org.jboss.msc.service.StartException in service jbo
                                    ote://0.0.0.0:9999. The connection failed
                                    [Server:server-two]     at org.jboss.as.server.mgmt.domain.HostControllerConnectionService.start(HostControllerConnectionService.java:101) [jboss-as-server-7.1.0.CR1.jar:7.1.0.CR1]
                                    [Server:server-two]     at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1824) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                                    [Server:server-two]     at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1759) [jboss-msc-1.0.1.GA.jar:1.0.1.GA]
                                    [Server:server-two]     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [:1.7.0_01]
                                    [Server:server-two]     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [:1.7.0_01]
                                    [Server:server-two]     at java.lang.Thread.run(Thread.java:722) [:1.7.0_01]
                                    [Server:server-two] Caused by: java.net.ConnectException: JBAS012174: Could not connect to remote://0.0.0.0:9999. The connection failed
                                    [Server:server-two]     at org.jboss.as.protocol.ProtocolChannelClient.connectSync(ProtocolChannelClient.java:164) [jboss-as-protocol-7.1.0.CR1.jar:7.1.0.CR1]
                                    [Server:server-two]     at org.jboss.as.protocol.ProtocolChannelClient.connectSync(ProtocolChannelClient.java:129) [jboss-as-protocol-7.1.0.CR1.jar:7.1.0.CR1]
                                    [Server:server-two]     at org.jboss.as.server.mgmt.domain.HostControllerConnectionService.start(HostControllerConnectionService.java:98) [jboss-as-server-7.1.0.CR1.jar:7.1.0.CR1]
                                    [Server:server-two]     ... 5 more
                                    [Server:server-two] Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
                                    [Server:server-two]     at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:308) [jboss-remoting-3.2.0.CR6-darranl-1.jar:3.2.0.CR6-darranl-1]
                                    [Server:server-two]     at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:207) [jboss-remoting-3.2.0.CR6-darranl-1.jar:3.2.0.CR6-darranl-1]
                                    [Server:server-two]     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.0.CR5.jar:3.0.0.CR5]
                                    [Server:server-two]     at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:179) [xnio-api-3.0.0.CR5.jar:3.0.0.CR5]
                                    [Server:server-two]     at org.xnio.channels.TranslatingSuspendableChannel$2.handleEvent(TranslatingSuspendableChannel.java:100) [xnio-api-3.0.0.CR5.jar:3.0.0.CR5]
                                    [Server:server-two]     at org.xnio.channels.TranslatingSuspendableChannel$2.handleEvent(TranslatingSuspendableChannel.java:98) [xnio-api-3.0.0.CR5.jar:3.0.0.CR5]
                                    [Server:server-two]     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.0.CR5.jar:3.0.0.CR5]
                                    [Server:server-two]     at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:179) [xnio-api-3.0.0.CR5.jar:3.0.0.CR5]
                                    [Server:server-two]     at org.xnio.ssl.JsseConnectedSslStreamChannel.handleReadable(JsseConnectedSslStreamChannel.java:191) [xnio-api-3.0.0.CR5.jar:3.0.0.CR5]
                                    [Server:server-two]     at org.xnio.ssl.JsseConnectedSslStreamChannel.handleReadable(JsseConnectedSslStreamChannel.java:58) [xnio-api-3.0.0.CR5.jar:3.0.0.CR5]
                                    [Server:server-two]     at org.xnio.channels.TranslatingSuspendableChannel$2.handleEvent(TranslatingSuspendableChannel.java:100) [xnio-api-3.0.0.CR5.jar:3.0.0.CR5]
                                    [Server:server-two]     at org.xnio.channels.TranslatingSuspendableChannel$2.handleEvent(TranslatingSuspendableChannel.java:98) [xnio-api-3.0.0.CR5.jar:3.0.0.CR5]
                                    [Server:server-two]     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.0.CR5.jar:3.0.0.CR5]
                                    [Server:server-two]     at org.xnio.nio.NioHandle.run(NioHandle.java:90)
                                    [Server:server-two]     at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
                                    [Server:server-two]     at ...asynchronous invocation...(Unknown Source)
                                    [Server:server-two]     at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:263) [jboss-remoting-3.2.0.CR6-darranl-1.jar:3.2.0.CR6-darranl-1]
                                    [Server:server-two]     at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:246) [jboss-remoting-3.2.0.CR6-darranl-1.jar:3.2.0.CR6-darranl-1]
                                    [Server:server-two]     at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:353) [jboss-remoting-3.2.0.CR6-darranl-1.jar:3.2.0.CR6-darranl-1]
                                    [Server:server-two]     at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:341) [jboss-remoting-3.2.0.CR6-darranl-1.jar:3.2.0.CR6-darranl-1]
                                    [Server:server-two]     at org.jboss.as.protocol.ProtocolChannelClient.connect(ProtocolChannelClient.java:125) [jboss-as-protocol-7.1.0.CR1.jar:7.1.0.CR1]
                                    [Server:server-two]     at org.jboss.as.protocol.ProtocolChannelClient.connectSync(ProtocolChannelClient.java:134) [jboss-as-protocol-7.1.0.CR1.jar:7.1.0.CR1]
                                    [Server:server-two]     ... 7 more
                                    [Server:server-two]
                                    [Server:server-two] 10:39:09,892 DEBUG [org.jboss.as.deployment.connector.registry] (MSC service thread 1-2) Starting sevice service jboss.raregistry
                                    [Server:server-two] 10:39:09,892 DEBUG [org.jboss.as.connector.mdr] (MSC service thread 1-2) Starting service RaRepositoryService
                                    