5 Replies Latest reply on May 9, 2014 6:40 AM by Jozsef Frigo

    can't get jboss-negotiation-toolkit 'secured' test working

    Andi Heusser Newbie

I have been trying to get the jboss-negotiation-toolkit to work for a few weeks now and I think I've tried everything that other people have run into. I'm now stuck at the point where I can't get the 'secured' version of the servlet working. The 'security domain test' as well as the 'basic negotiation' tests work fine, but JBoss continues to throw LoginExceptions when trying to open the secured link. I'm pretty certain that it's got something to do with some AD/Kerberos setup, but I haven't been able to make any more progress.

       

       

      11:49:43,514 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.

              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]

              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]

              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]

              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]

              at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]

              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]

              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]

              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]

              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]

              at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

              ...

             

Has anyone run into the same issue, or does anyone have any suggestions of where the problem could be? Sorry for the huge post, but below are all the details of the setup and how I've configured things so far; I'm trying to provide as much detail as possible.

       

       

      Here's our setup:

      • Windows 2008 AD  (QAAD)
        • DNS name: qaad.dev.company.com
        • Domain: QUALITY (QUALITY.COMPANY.COM)

         

      • CentOS 6.2 running JBoss AS 7.1.1.Final  (BARDEV1)
        • Deployed: jboss-negotiation-toolkit-2.2.2.Final
        • DNS name: bardev1.dev.company.com

       

      • Test clients are WinXP and Win7 joined to QUALITY domain

       

       

      BARDEV1 is currently joined to the quality domain (is this necessary or should it work without being joined to the domain?).

       

      JBoss SPNEGO config is:

      <security-domain name="qaad_kerberos" cache-type="default">
        <authentication>
          <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
            <module-option name="storeKey" value="true"/>
            <module-option name="useKeyTab" value="true"/>
            <module-option name="principal" value="HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM"/>
            <module-option name="keyTab" value="/opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4.keytab"/>
            <module-option name="doNotPrompt" value="true"/>
            <module-option name="debug" value="true"/>
            <module-option name="refreshKrb5Config" value="false"/>
          </login-module>
        </authentication>
      </security-domain>

      <security-domain name="SPNEGO" cache-type="default">
        <authentication>
          <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="serverSecurityDomain" value="qaad_kerberos"/>
          </login-module>
        </authentication>
      </security-domain>

       

       

      /etc/krb5.conf is set to:

      ------------------------------------------------------------

      [logging]

      default = FILE:/var/log/krb5libs.log

      kdc = FILE:/var/log/krb5kdc.log

      admin_server = FILE:/var/log/kadmind.log

       

      [libdefaults]

      default_realm = QUALITY.COMPANY.COM

      dns_lookup_realm = false

      dns_lookup_kdc = false

      ticket_lifetime = 24h

      renew_lifetime = 7d

      forwardable = true

      default_tgs_enctypes = rc4-hmac

      default_tkt_enctypes = rc4-hmac

      permitted_enctypes = rc4-hmac

       

      [realms]

      QUALITY.COMPANY.COM = {

        kdc = qaad.dev.company.com

        admin_server = qaad.dev.company.com

        default_domain = quality.company.com

      }

       

      [domain_realm]

      .quality.company.com = QUALITY.COMPANY.COM

      quality.company.com = QUALITY.COMPANY.COM

      ------------------------------------------------------------

       

       

      QAAD box has a 'computer' account for 'bardev1'. This account has delegation set to 'Trust this computer for delegation to any service (Kerberos only)'.

      keytab was generated on QAAD box and SPN was set with the following commands:

       

          setspn -S HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM bardev1

       

                ktpass /out bardev1_qaad_rc4.keytab /princ HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM /mapuser quality\administrator -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL /pass * /kvno 0

                (Note: had to set /kvno 0 because otherwise I got: KrbException: Specified version of key is not available (44))

       

                setspn -L bardev1

                  --> output:

                          Registered ServicePrincipalNames for CN=bardev1,CN=Computers,DC=quality,DC=company,DC=com:

                                    HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM

                                    HOST/bardev1.dev.company.com

                                    HOST/BARDEV1

       

                setspn -L administrator

                  --> output:

                          Registered ServicePrincipalNames for CN=Administrator,CN=Users,DC=quality,DC=company,DC=com:

                                    HTTP/bardev1.dev.company.com

       

       

      Used the 'Administrator' account for initial tests so I wouldn't have to deal with new user accounts. That account has delegation set to 'Trust this computer for delegation to any service (Kerberos only)' and has no other account options set, like 'use Kerberos DES encryption...', 'account supports AES 128/256...' or 'do not require Kerberos preauth'. Are any of them needed?

       

      From the client machines, in order to get the browsers to use the logged in user's credentials, I have to set the URL to:

                http://bardev1:8080/jboss-negotiation-toolkit-2.2.2.Final

      If I put it as:

                http://bardev1.dev.company.com:8080/jboss-negotiation-toolkit-2.2.2.Final

      then I get the username and password pop up.

       

       

      I did try to run the setspn and ktpass with 'HTTP/bardev1@QUALITY.COMPANY.COM' with the same results, i.e. basic and domain tests work, secured doesn't.

       

       

      Output from 'SecurityDomainTest':

                JBoss log:

                ----------

                12:01:33,229 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false

                12:01:33,238 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab

                12:01:33,241 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange

                12:01:33,259 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM

                12:01:33,269 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.

                12:01:33,273 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:01:33,276 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=

                12:01:33,283 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.

                12:01:33,285 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:01:33,285 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:01:33,286 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule] added Krb5Principal  HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject

                12:01:33,288 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded

                12:01:33,290 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:01:33,295 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: Entering logout

                12:01:33,296 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: logged out Subject

       

                Browser:

                --------

                Negotiation Toolkit

                Security Domain Test

                Testing security-domain 'qaad_kerberos'

       

                Authenticated

                Subject:

                Principal: HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM

                Private Credential: Ticket (hex) =

                0000: 61 82 04 A6 30 82 04 A2 A0 03 02 01 05 A1 16 1B a...0...........

                0010: 14 51 55 41 4C 49 54 59 2E 53 59 4D 50 48 4F 4E .QUALITY.COMPANY

                0020: 4F 2E 43 4F 4D A2 29 30 27 A0 03 02 01 02 A1 20 O.COM.)0'......

                0030: 30 1E 1B 06 6B 72 62 74 67 74 1B 14 51 55 41 4C 0...krbtgt..QUAL

                ...

                04A0: 1C 85 74 1A 9B EF B9 EE D2 A8 ..t.......

       

                Client Principal = HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM

                Server Principal = krbtgt/QUALITY.COMPANY.COM@QUALITY.COMPANY.COM

                Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=

                0000: 67 2B 5A 9B FE 97 00 2B 68 0B D2 0F 35 FA D1 CB g+Z....+h...5...

       

                Forwardable Ticket true

                Forwarded Ticket false

                Proxiable Ticket false

                Proxy Ticket false

                Postdated Ticket false

                Renewable Ticket false

                Initial Ticket false

                Auth Time = Tue Feb 05 12:01:33 CST 2013

                Start Time = Tue Feb 05 12:01:33 CST 2013

                End Time = Tue Feb 05 22:01:33 CST 2013

                Renew Till = null

                Client Addresses Null

                Private Credential: Kerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=

                0000: 30 89 05 17 EB 07 89 AE 06 E2 B1 5D 58 B6 6E A4 0..........]X.n.

       

       

      Output from 'Basic Negotiation':

                JBoss log:

                ----------

                12:48:01,226 INFO  [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) No Authorization Header, sending 401

                12:48:01,243 INFO  [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Authorization header received - decoding token.

       

                Browser:

                --------

                Negotiation Toolkit

                Basic Negotiation

                WWW-Authenticate - Negotiate YIILwgYGKwYBBQUCoIILtjCCC7KgJDAiBgkqhkiC9xIBAgIGCSq ... i4=

       

                NegTokenInit

                Message Oid - SPNEGO

                Mech Types - {Kerberos V5 Legacy} {Kerberos V5} {NTLM}

                Req Flags -

                Mech Token -YIILgAYJKoZIhvcSAQICAQBuggtvMIILa6A ... Gi4=

                Mech List Mic -

       

       

      Output from 'Secured':

                JBoss log:

                ----------

                12:51:52,877 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false

                12:51:52,894 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab

                12:51:52,895 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange

                12:51:52,929 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM

                12:51:52,933 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.

                12:51:52,937 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:51:52,939 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=

                12:51:52,944 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.

                12:51:52,945 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:51:52,946 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:51:52,947 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule] added Krb5Principal  HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject

                12:51:52,949 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded

                12:51:52,950 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:51:52,950 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: Entering logout

                12:51:52,952 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: logged out Subject

                12:51:52,953 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Login failure: javax.security.auth.login.LoginException: Continuation Required.

                          at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:174) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]

                          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_33]

                          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_33]

                          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_33]

                          at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_33]

                          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_33]

                          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_33]

                          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_33]

                          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]

                          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_33]

                          at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_33]

                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

                          at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]

                          at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

                          at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]

                          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]

                          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]

                          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]

                          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]

                          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]

                          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]

                          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]

                          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]

                          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]

                          at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]

       

       

                12:51:52,985 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/jboss-as-7.1.1.final/standalone/configuration/bardev1_qaad_rc4_domain.keytab refreshKrb5Config is false principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false

                12:51:52,989 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal's key obtained from the keytab

                12:51:52,990 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Acquire TGT using AS Exchange

                12:51:53,015 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) principal is HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM

                12:51:53,058 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.

                12:51:53,060 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:51:53,061 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Added server's keyKerberos Principal HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COMKey Version 0key EncryptionKey: keyType=23 keyBytes (hex dump)=

                12:51:53,063 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) 0000: 30 89 05 17 EB 07 89 AE   06 E2 B1 5D 58 B6 6E A4  0..........]X.n.

                12:51:53,065 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:51:53,065 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:51:53,066 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule] added Krb5Principal  HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM to Subject

                12:51:53,068 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1) Commit Succeeded

                12:51:53,068 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)

                12:51:53,081 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: Entering logout

                12:51:53,082 INFO  [stdout] (http-bardev1.dev.company.com-10.10.5.232-8080-1)          [Krb5LoginModule]: logged out Subject

       

                Browser:

                --------

                HTTP Status 403 - Access to the requested resource has been denied
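The Basic Negotiation test above prints the decoded mech list, but when the secured servlet fails there is no such output, and the Authorization header the browser actually sent is the first thing to look at. The script below is an added example, not part of the original post or of the jboss-negotiation toolkit: a stdlib-only Python decoder for the NegTokenInit in an 'Authorization: Negotiate <base64>' header that lists the mechanisms the browser offered and says whether the inner mechToken is a Kerberos AP-REQ or an NTLMSSP message. A Windows client that cannot obtain a service ticket for the SPN it derives from the URL host falls back to NTLM inside SPNEGO, and JBoss Negotiation does not support NTLM, so seeing NTLM here points at SPN/DNS/keytab rather than at the JBoss config. The two tokens it decodes are constructed inline (the AP-REQ body is a placeholder, not a real ticket); the truncated base64 in the post is not reused.

```python
"""Decode the SPNEGO NegTokenInit carried in 'Authorization: Negotiate <base64>'.
Stdlib only: a minimal BER reader/writer for the tags SPNEGO (RFC 4178) uses
inside a GSS-API InitialContextToken (RFC 2743)."""
import base64
import sys

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OIDS = ("1.2.840.113554.1.2.2", "1.2.840.48018.1.2.2")
MECH_NAMES = {"1.2.840.48018.1.2.2": "Kerberos V5 Legacy",   # Microsoft's pre-RFC OID
              "1.2.840.113554.1.2.2": "Kerberos V5",
              "1.3.6.1.4.1.311.2.2.10": "NTLM"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the single-byte-tag TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def classify_mech_token(blob):
    """What the browser really put in mechToken: Kerberos AP-REQ, NTLM, or something else."""
    if blob.startswith(b"NTLMSSP\x00"):
        return "NTLM"
    if blob[:1] == b"\x60":                 # InitialContextToken wrapping the Kerberos token
        _, inner, _ = _read_tlv(blob, 0)
        tag, oid_raw, pos = _read_tlv(inner, 0)
        if tag == 0x06 and _decode_oid(oid_raw) in KRB5_OIDS:
            tok_id = inner[pos:pos + 2]     # RFC 4121 TOK_ID: 01 00 = AP-REQ, 02 00 = AP-REP
            return "Kerberos AP-REQ" if tok_id == b"\x01\x00" else "Kerberos token id " + tok_id.hex()
    return "unknown"


def decode_negotiate(b64token):
    """Parse the base64 after 'Negotiate '; returns the offered mechs and the mechToken kind."""
    tag, body, _ = _read_tlv(base64.b64decode(b64token), 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_raw, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid_raw) != SPNEGO_OID:
        raise ValueError("token OID is not SPNEGO")
    tag, neg_init, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit [0], got tag 0x%02x" % tag)
    _, seq, _ = _read_tlv(neg_init, 0)      # the SEQUENCE inside [0]
    result, pos = {"mech_types": [], "mech_token_kind": None}, 0
    while pos < len(seq):                   # [1] reqFlags and [3] mechListMIC are skipped
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                     # mechTypes [0] SEQUENCE OF OID
            _, oids, _ = _read_tlv(val, 0)
            p = 0
            while p < len(oids):
                _, o, p = _read_tlv(oids, p)
                result["mech_types"].append(MECH_NAMES.get(_decode_oid(o), _decode_oid(o)))
        elif tag == 0xA2:                   # mechToken [2] OCTET STRING
            _, blob, _ = _read_tlv(val, 0)
            result["mech_token_kind"] = classify_mech_token(blob)
    return result


# --- writer side, used only to build the constructed samples below ---------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def build_neg_token_init(mech_oids, mech_token):
    """Constructed NegTokenInit shaped like a browser's first token (test input, not a capture)."""
    mech_types = _tlv(0xA0, _tlv(0x30, b"".join(_tlv(0x06, _encode_oid(o)) for o in mech_oids)))
    neg_init = _tlv(0xA0, _tlv(0x30, mech_types + _tlv(0xA2, _tlv(0x04, mech_token))))
    return base64.b64encode(_tlv(0x60, _tlv(0x06, _encode_oid(SPNEGO_OID)) + neg_init)).decode()


# Constructed samples. The AP-REQ body is a placeholder, not a ticket from any real KDC.
_FAKE_APREQ = _tlv(0x6E, _tlv(0x30, b"\xa0\x03\x02\x01\x05"))
KRB_SAMPLE = build_neg_token_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"],
    _tlv(0x60, _tlv(0x06, _encode_oid("1.2.840.113554.1.2.2")) + b"\x01\x00" + _FAKE_APREQ))
NTLM_SAMPLE = build_neg_token_init(["1.3.6.1.4.1.311.2.2.10"],
                                   b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28)  # NEGOTIATE shape

if __name__ == "__main__":
    for tok in sys.argv[1:] or (KRB_SAMPLE, NTLM_SAMPLE):
        print(decode_negotiate(tok))
```

To check a real request, pass the base64 that follows 'Negotiate ' in the browser's request header (from the browser's developer tools or a packet capture of the failing request) as the script's argument. A Kerberos AP-REQ in the mechToken means the client did get a service ticket for the SPN it used, and the problem is on the keytab/JAAS side; an NTLM mechToken means the client never got one.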
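On the kvno note above: Java's 'Specified version of key is not available (44)' is KRB_AP_ERR_BADKEYVER, i.e. the KDC encrypted the service ticket under a key version the keytab does not hold. The kvno in the keytab has to match the kvno AD currently stores for the mapped account, and resetting that account's password, which ktpass /pass does, increments it. The script below is an added example, not from the post or the toolkit: it parses an MIT-format 0x0502 keytab, the format ktpass writes, and lists principal, kvno and enctype for each entry so they can be compared with the Krb5LoginModule debug output in the post ('Key Version 0', 'keyType=23', which is rc4-hmac) and with the kvno the KDC issues. check_keytab flags a keytab that lacks the configured principal or the expected enctype. The keytab it reads is constructed inline from zero-filled placeholder keys; build_keytab exists only to produce that sample.

```python
"""Inspect an MIT-format keytab (version 0x0502, big-endian) without klist or kinit."""
import struct
import sys

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(buf, pos):
    """The keytab's counted_octet_string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, enctype, key length, timestamp."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                          # negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + keylen                     # step over the key bytes themselves
        vno = vno8
        if end - pos >= 4:                     # optional 32-bit kvno, authoritative when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": ENCTYPES.get(enctype, "enctype %d" % enctype),
                        "key_len": keylen, "timestamp": timestamp})
        pos = end
    return entries


def check_keytab(entries, principal, enctype="rc4-hmac"):
    """Problems an SPNEGO login module would hit with this keytab; [] means it looks usable."""
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        return ["no entry for %s; keytab holds %s"
                % (principal, sorted({e["principal"] for e in entries}))]
    if not any(e["enctype"] == enctype for e in mine):
        return ["%s has no %s key (has %s)" % (principal, enctype, [e["enctype"] for e in mine])]
    return []


# --- writer, used only to build the constructed sample below ---------------------
def _cstr(b):
    return struct.pack(">H", len(b)) + b


def build_keytab(rows):
    """rows: (principal, kvno, enctype number, key bytes, timestamp). Placeholder keys only."""
    out = b"\x05\x02"
    for princ, kvno, etype, key, ts in rows:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)     # name_type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


SPN = "HTTP/bardev1.dev.company.com@QUALITY.COMPANY.COM"
SAMPLE_KEYTAB = build_keytab([                 # constructed: zero-filled keys, made-up kvno 2
    (SPN, 2, 23, bytes(16), 1360087293),
    ("host/bardev1.dev.company.com@QUALITY.COMPANY.COM", 2, 18, bytes(32), 1360087293),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    want = sys.argv[2] if len(sys.argv) > 2 else SPN
    for e in parse_keytab(data):
        print("%-52s kvno=%-3d %s" % (e["principal"], e["kvno"], e["enctype"]))
    print(check_keytab(parse_keytab(data), want) or "OK")
```

Run it against the real keytab with the principal from the JAAS config as the second argument; the principal string must match character for character, including the realm. The kvno it prints is the one to compare with what `kvno HTTP/bardev1.dev.company.com` reports from a client that holds a TGT for the realm.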