Can not get SPNEGO kerberos ldap to work in AS 7.1.0.Final
daxxy Jan 8, 2019 9:47 AM
Hi, we use Kerberos to authenticate and LDAP to look up roles. Here is my configuration from login-config.xml from AS 5.1.
<application-policy name="host">
  <authentication>
    <login-module code="com.sun.security.auth.module.Krb5LoginModule"
                  flag="required">
      <module-option name="storeKey">true</module-option>
      <module-option name="useKeyTab">true</module-option>
      <module-option name="principal">HTTP/hostname_redacted_by_author</module-option>
      <module-option name="keyTab">redacted</module-option>
      <module-option name="doNotPrompt">true</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
  </authentication>
</application-policy>
<!-- SPNEGO -->
<application-policy name="SPNEGO">
  <authentication>
    <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="serverSecurityDomain">host</module-option>
    </login-module>
    <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule"
                  flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <!-- <module-option name="bindAuthentication">GSSAPI</module-option> -->
      <!-- <module-option name="jaasSecurityDomain">host</module-option> -->
      <module-option name="java.naming.provider.url">ldap://hostname_redacted:3268</module-option>
      <module-option name="baseCtxDN">DC=ad,DC=mydc,DC=mydc2</module-option>
      <module-option name="baseFilter">(userPrincipalName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="recurseRoles">true</module-option>
      <module-option name="bindDN">redacted</module-option>
      <module-option name="bindCredential">XXXXXXXX</module-option>
    </login-module>
  </authentication>
</application-policy>
Note the commented-out part. I think I am now having the problem we had then, which was FIXED by commenting out those two module-options. Here is the AS 7 analog from standalone.xml:
<security-domain name="host" cache-type="default">
  <authentication>
    <login-module code="Kerberos" flag="required">
      <module-option name="storeKey" value="true"/>
      <module-option name="useKeyTab" value="true"/>
      <module-option name="principal" value="redacted"/>
      <module-option name="keyTab" value="redacted"/>
      <module-option name="doNotPrompt" value="true"/>
      <module-option name="debug" value="false"/>
    </login-module>
  </authentication>
</security-domain>
<security-domain name="SPNEGO" cache-type="default">
  <authentication>
    <login-module code="SPNEGO" flag="requisite">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="serverSecurityDomain" value="host"/>
    </login-module>
    <login-module code="AdvancedLdap" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
      <module-option name="java.naming.provider.url" value="redacted"/>
      <module-option name="baseCtxDN" value="DC=ad,DC=mydc,DC=mydc2"/>
      <module-option name="baseFilter" value="userPrincipalName={0}"/>
      <module-option name="roleAttributeID" value="memberOf"/>
      <module-option name="roleAttributeIsDN" value="true"/>
      <module-option name="roleNameAttributeID" value="cn"/>
      <module-option name="recurseRoles" value="true"/>
      <module-option name="bindDN" value="redacted"/>
      <module-option name="bindCredential" value="XXXXXXX"/>
    </login-module>
  </authentication>
</security-domain>
I'm appending my logfile. I can successfully do both the basic negotiation and secure domain test from the negotiation toolkit. But when I try the secured servlet, it bombs. To me it looks like the client or server or whatever - "it" - does not know I am authenticated, so it attempts to authenticate using NTLM. But the logs tell the complete story. I have tried this with bindAuthentication and jaasSecurityDomain set, but it still didn't work.
FTR, here is my jboss-web.xml:
<jboss-web>
  <security-domain>SPNEGO</security-domain>
  <valve>
    <class-name>org.jboss.security.negotiation.NegotiationAuthenticator</class-name>
  </valve>
  <context-root>/</context-root>
</jboss-web>
Can anyone explain why this is not working? I'm new to this -- my colleague set this up -- but trying very hard to understand.
Thanks,
TDR
Message was edited by: Tanya Ruttenberg identifying info redacted on recommendation of org security
Message was edited by: Tanya Ruttenberg attachments removed
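Added example, not from the post and not JBoss Negotiation's own code: a small Python simulation of what the AdvancedLdap options in the configurations above do once the SPNEGO module has handed over the Kerberos principal via password-stacking. It substitutes the principal into baseFilter with RFC 4515 escaping (so a principal containing `*`, `(` or `)` cannot change the filter's structure), searches under baseCtxDN, and then walks memberOf (roleAttributeIsDN=true, roleNameAttributeID=cn, recurseRoles=true) with a cycle guard. The directory entries, user and group names are constructed; the in-memory dictionary stands in for the global catalog on port 3268. Its filter check refuses a baseFilter without the enclosing parentheses that LDAP filter syntax requires, which is one difference a reader will notice between the AS 5 value `(userPrincipalName={0})` and the AS 7 value `userPrincipalName={0}` quoted above.

```python
import re
from collections import deque

# Constructed stand-in for the AD directory under DC=ad,DC=mydc,DC=mydc2.
# The user and groups are hypothetical; the group cycle is deliberate so the
# recurseRoles walk has something to guard against.
DIRECTORY = {
    "CN=Jane Doe,OU=Users,DC=ad,DC=mydc,DC=mydc2": {
        "userPrincipalName": "jane.doe@AD.MYDC.MYDC2",
        "memberOf": ["CN=app-users,OU=Groups,DC=ad,DC=mydc,DC=mydc2"],
    },
    "CN=app-users,OU=Groups,DC=ad,DC=mydc,DC=mydc2": {
        "cn": "app-users",
        "memberOf": ["CN=app-admins,OU=Groups,DC=ad,DC=mydc,DC=mydc2"],
    },
    "CN=app-admins,OU=Groups,DC=ad,DC=mydc,DC=mydc2": {
        "cn": "app-admins",
        "memberOf": ["CN=app-users,OU=Groups,DC=ad,DC=mydc,DC=mydc2"],  # cycle
    },
}

# Only simple equality filters such as (userPrincipalName=...) are simulated.
_EQUALITY_FILTER = re.compile(r"^\((\w+)=(.*)\)$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a principal can never alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value, used by the toy search below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(base_filter: str, principal: str) -> str:
    """Substitute {0} the way the login module does, after validating the shape.

    An LDAP filter is always parenthesised; a value like 'userPrincipalName={0}'
    is rejected here rather than silently sent to the server."""
    if not (base_filter.startswith("(") and base_filter.endswith(")")):
        raise ValueError("baseFilter must be a parenthesised LDAP filter: %r" % base_filter)
    return base_filter.replace("{0}", escape_filter_value(principal))


def search(base_ctx_dn: str, ldap_filter: str) -> list:
    """Subtree search under base_ctx_dn for a single equality filter."""
    match = _EQUALITY_FILTER.match(ldap_filter)
    if not match:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr, wanted = match.group(1), unescape_filter_value(match.group(2))
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(base_ctx_dn) and entry.get(attr) == wanted]


def resolve_roles(user_dn: str, role_attr: str = "memberOf", role_attr_is_dn: bool = True,
                  role_name_attr: str = "cn", recurse: bool = True) -> set:
    """Collect role names: roleAttributeID -> (entry's roleNameAttributeID) -> recurse."""
    roles, seen, queue = set(), set(), deque([user_dn])
    while queue:
        dn = queue.popleft()
        if dn in seen:  # guards against the app-users <-> app-admins cycle
            continue
        seen.add(dn)
        for value in DIRECTORY.get(dn, {}).get(role_attr, []):
            if not role_attr_is_dn:
                roles.add(value)
                continue
            entry = DIRECTORY.get(value, {})
            # Fall back to the RDN value if the group entry lacks the name attribute.
            roles.add(entry.get(role_name_attr) or value.split(",", 1)[0].split("=", 1)[1])
            if recurse:
                queue.append(value)
    return roles


def login(principal: str, base_filter: str = "(userPrincipalName={0})",
          base_ctx_dn: str = "DC=ad,DC=mydc,DC=mydc2"):
    """Map the Kerberos principal passed on by SPNEGO to (user DN, role names)."""
    matches = search(base_ctx_dn, build_filter(base_filter, principal))
    if len(matches) != 1:
        raise LookupError("expected exactly one user for %r, got %d" % (principal, len(matches)))
    return matches[0], resolve_roles(matches[0])


if __name__ == "__main__":
    print(login("jane.doe@AD.MYDC.MYDC2"))
```

Running it resolves the constructed principal to its user DN and the role set {app-users, app-admins}; a principal of `*` yields no match because the wildcard is escaped before substitution, and the unparenthesised AS 7 filter value raises before any search is attempted.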