0 Replies Latest reply on Aug 12, 2012 6:20 PM by mbouragba

    [Jboss AS 7] Use Jboss negotiation with JDK 7 and Windows Server 2008 checksum failed

    mbouragba Newbie

      Hello everyone, I need your help.

      I would like to use the technology "SSO" in our application and let me know if this is compatible? and if so, I would like the step I'm missing because I get errors perpetually.

      • Configuation (3 machines):

                OS for customer      =      Windows 7 and Windows XP (name => curstomer.DOMAIN.LOCAL)

                Server                     =      Windows Server 2008 with active directory and kerberos (name => serveur.DOMAIN.LOCAL)

                JBoss Server           =      Windows XP (name => application.DOMAIN.LOCAL)

      • Active directory

      In my config, I have :

      1. A user => "username" with AES256-SHA1 encrypt
      2. A SPN => "spnSSO" with AES256-SHA1 encrypt
      3. setspn -a http/application spnSSO
      4. setspn -a http/application@DOMAIN.LOCAL spnSSO
      5. ktpass -princ http/application@DOMAIN.LOCAL -out C:\spn.keytab -pass * -mapuser spnSSO@DOMAIN.LOCAL -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -kvno 0
      6. copy C:\spn.keytab in the JBoss Server

       

      • JBoss AS 7
        • standalone.xml

      <application-policy name="host">

      <authentication>

      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">

      <module-option name="storeKey">true</module-option>

      <module-option name="useKeyTab">true</module-option>

      <module-option name="principal">http/application@DOMAIN.LOCAL</module-option>

      <module-option name="keyTab">C:\jboss\spn.keytab</module-option>

      <module-option name="doNotPrompt">true</module-option>

      <module-option name="debug">true</module-option>

      </login-module>

      </authentication>

      </application-policy>

      <application-policy name="SPNEGO">

      <authentication>

      <login-module

      code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"

      flag="requisite">

      <module-option name="password-stacking">useFirstPass</module-option>

      <module-option name="serverSecurityDomain">host</module-option>

      </login-module>

      </authentication>

      </application-policy>

        • krb5.conf (C:\jboss\krb5.conf)

      [libdefaults]
          default_realm = DOMAIN.LOCAL
          default_keytab_name = C:\jboss\spn.keytab
          default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
          default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
          permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
          dns_lookup_realm = false
          dns_lookup_kdc = false

      [realms]
           DOMAIN.LOCAL  = {
                     kdc          = serveur.DOMAIN.LOCAL:88
                              default_domain = DOMAIN.LOCAL
                          };
      [domain_realm]
          DOMAIN.LOCAL = DOMAIN.LOCAL
          .DOMAIN.LOCAL = DOMAIN.LOCAL

        • JAVA_OPTS for use the kerberos config

      set JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.conf="C:\jboss\krb5.conf"

      • Configure Internet Explorer
      1. In the Local intranet dialog, I enter the URL of the server with the JBoss installation (http://application)
      • Launch application

      To make sure you have completed the installation I use the Negotiation Toolkit as the toolkit tests involve communication with the application server, web browser, and the KDC.

      Nevertheless,  when  I use the tool, The first two tests passes with success but the last test fails with the following error:

      17:19:11,954 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] New Kerberos auth request from 10.3.112.6 (10.3.112.6:0)

      17:19:14,849 ERROR [org.alfresco.fileserver] GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

      GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)

         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)

         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)

         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)

         at org.alfresco.jlan.server.auth.kerberos.SessionSetupPrivilegedAction.run(SessionSetupPrivilegedAction.java:102)

         at java.security.AccessController.doPrivileged(Native Method)

         at javax.security.auth.Subject.doAs(Subject.java:337)

         at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.doKerberosLogon(BaseKerberosAuthenticationFilter.java:494)

         at org.alfresco.repo.webdav.auth.BaseKerberosAuthenticationFilter.authenticateRequest(BaseKerberosAuthenticationFilter.java:384)

         at org.alfresco.repo.webdav.auth.BaseSSOAuthenticationFilter.doFilter(BaseSSOAuthenticationFilter.java:132)

         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

         at java.lang.reflect.Method.invoke(Method.java:597)

         at org.alfresco.repo.management.subsystems.ChainingSubsystemProxyFactory$1.invoke(ChainingSubsystemProxyFactory.java:103)

         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:172)

         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:202)

         at $Proxy218.doFilter(Unknown Source)

         at org.alfresco.repo.web.filter.beans.BeanProxyFilter.doFilter(BeanProxyFilter.java:82)

         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

         at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:58)

         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)

         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)

         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)

         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)

         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)

         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)

         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)

         at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)

         at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)

         at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:775)

         at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:704)

         at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:897)

         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)

         at java.lang.Thread.run(Thread.java:662)

      Caused by: KrbException: Checksum failed

         at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:85)

         at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:77)

         at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)

         at sun.security.krb5.KrbCred.<init>(KrbCred.java:137)

         at sun.security.jgss.krb5.InitialToken$OverloadedChecksum.<init>(InitialToken.java:262)

         at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:102)

         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)

         ... 35 more

      Caused by: java.security.GeneralSecurityException: Checksum failed

         at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:431)

         at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:254)

         at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:59)

         at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:83)

         ... 41 more

      17:19:14,851 DEBUG [org.alfresco.web.app.servlet.KerberosAuthenticationFilter] No SPNEGO response, Kerberos logon failed

       

      I've installed the jce-policy-unlimited file so support for "AES-256 CTS mode with 96-bit SHA-1 HMAC" tickets. My keytab appears to be in order:

       


      # klist -ke /etc/krb5.keytab
      Keytab name: FILE:/etc/krb5.keytab
      KVNO Principal
      ---- --------------------------------------------------------
         0 HTTP/application@DOMAIN.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)

       

       

       


       

      This makes a certain moment I search the solution, one of you could guide me ? And sorry for my broken English
      Thanks