1 2 Previous Next 20 Replies Latest reply on Mar 26, 2013 9:11 AM by Jonathan Durant

    SPNEGO : Accessing JBoss Server by IP address

    Jonathan Durant Newbie

      Hello,

       

      I set up an SPNEGO authentication using Negotiation (AS 7), and I can authenticate to the server using http://testserver:8080/... or http://testserver.sso.test:8080/

      Jboss runs on  CentOS and the authentication server is a Windows DC (2008 R2).

      The IP address of the JBoss server is X.X.X.X, and when I try to access the servlet using http://X.X.X.X, the Negotiation fail and I get an HTTP 401 Page. The log says : "Unsupported Negotiation Mecansim NTLM".

       

      setspn -l testserver :

       

      HTTP/testserver
      host/X.X.X.X
      HTTP/X.X.X.X
      host/testserver
      host/testserver.sso.test
      HTTP/testserver.sso.test
      

       

      When I access the application from a non-domain computer, I get a login form to authenticate with a LDAP loginModule.

       

      So I have two questions :

      1. Is it possible to get the SPNEGO working while accessing the application by IP address (bad keytab configuration ?) ?
      2. If impossible (please not), why am I not redirected to the "emergency" LDAP login Module ?

       

      Thank you,

       

      Jonathan

        • 1. Re: SPNEGO : Accessing JBoss Server by IP address
          Jonathan Durant Newbie

          The JBoss standalone.xml, if it could help :

           

          <security-domain name="host" cache-type="default">
              <authentication>
                  <login-module code="Kerberos" flag="sufficient">
                      <module-option name="storeKey" value="true"/>
                      <module-option name="useKeyTab" value="true"/>
                      <module-option name="principal" value="HTTP/testserver@SSO.TEST"/>
                      <module-option name="keyTab" value="/sso/testserver.http.keytab"/>
                      <module-option name="doNotPrompt" value="true"/>
                      <module-option name="debug" value="true"/>
                      <module-option name="defaultRole" value="Users"/>
                  </login-module>
              </authentication>
          </security-domain>
          <security-domain name="SPNEGO" cache-type="default">
              <authentication>
                  <login-module code="SPNEGO" flag="sufficient">
                      <module-option name="password-stacking" value="useFirstPass"/>
                      <module-option name="serverSecurityDomain" value="host"/>
                      <module-option name="defaultRole" value="Users"/>
                      <module-option name="debug" value="true"/>
                  </login-module>
                  <login-module code="LdapExtended" flag="sufficient">
                      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                      <module-option name="java.naming.provider.url" value="ldap://X.X.X.X:389"/>
                      <module-option name="bindDN" value="cn=testsso,ou=myou,dc=sso,dc=test"/>
                      <module-option name="bindCredential" value="******"/>
                      <module-option name="baseCtxDN" value="ou=myou,dc=sso,dc=test"/>
                      <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                      <module-option name="rolesCtxDN" value="ou=myou,dc=sso,dc=test"/>
                      <module-option name="roleFilter" value="(sAMAccountName={0})"/>
                      <module-option name="roleAttributeID" value="memberOf"/>
                      <module-option name="roleNameAttributeID" value="cn"/>
                      <module-option name="roleAttributeIsDN" value="true"/>
                      <module-option name="allowEmptyPasswords" value="false"/>
                      <module-option name="Context.REFERRAL" value="follow"/>
                      <module-option name="throwValidateError" value="true"/>
                      <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                      <module-option name="allowEmptyPasswords" value="true"/>
                      <module-option name="defaultRole" value="Users"/>
                  </login-module>
              </authentication>
          </security-domain>
          
          • 2. Re: SPNEGO : Accessing JBoss Server by IP address
            Jonathan Durant Newbie

            I have more information :

            I think I have to accept that Kerberos authentication works only with domain names, not IP addresses.

            For my second question, I performed a new test. When I access the application from a computer logged in another AD domain, I get too an HTTP 401 error. So I guess that if authentication can't be done, I got the login form, but when authentication fail (IP address, or bad Kerberos token) I get an 401 error. Is it a way to get the login form instead ?

            • 3. Re: SPNEGO : Accessing JBoss Server by IP address
              Darran Lofthouse Master

              No at the moment the reason you are getting a HTTP 401 response is because your web browser is attempting to use NTLM authentication which is not supported - I would suggest raising a feature request for us to consider a subsequent fallback if a NTLM response is received.

              • 4. Re: SPNEGO : Accessing JBoss Server by IP address
                Jonathan Durant Newbie

                Ok I'll do it, but you mean I get this error because of a bad configuration of my browser. I tried it both with Firefox and IE, and I get the same issue trying to access by IP adress, or by name from another domain.

                What shoul I do ?

                • 5. Re: SPNEGO : Accessing JBoss Server by IP address
                  Darran Lofthouse Master

                  There is nothing we can do about access by IP address, that is handled by the KDC.

                   

                  The only part we may be able to work around is if a NTLM response is received we may be able to send the FORM to the client although there is still a risk the client will be pompted for their username and password twice.

                  • 6. Re: SPNEGO : Accessing JBoss Server by IP address
                    rodakr Novice

                    If impossible (please not), why am I not redirected to the "emergency" LDAP login Module ?

                     

                    Because your WEB application is configured probable configured for SPNEGO authentication... and not for something else.

                    If you would like to have LDAP you could use just BASIC in web.xml, but then you will not have SPNEGO

                    • 7. Re: SPNEGO : Accessing JBoss Server by IP address
                      Jonathan Durant Newbie

                      Could you help me implement the feature ? What should I do to send the login form once the unsupported negotiation mecanism is detected in the SPNEGOLoginModule ?

                      • 8. Re: SPNEGO : Accessing JBoss Server by IP address
                        rodakr Novice

                        You could write custom valve, which does it. Or simple use FilterServlet which redirects to login form aso..

                        1 of 1 people found this helpful
                        • 9. Re: SPNEGO : Accessing JBoss Server by IP address
                          Jonathan Durant Newbie

                          Ok,

                           

                          If I redirect to the login form, how can I give the url to redirect to after successful login ?

                          I'll test with a FilterServlet, but I have to check if the HttpServletResponse object contains a 401 HTTP Error ? How ?

                          • 11. Re: SPNEGO : Accessing JBoss Server by IP address
                            Jonathan Durant Newbie

                            Hum...I don't think there is a solution for my problem there...

                            Negotitation works well in common configurations, but there are two use cases still to improve :

                            -> Connexion with IP adress in the URL : I wrote a filter according to your advice which rewrite URL, replacing IP by hostname.

                            -> Connexion from a computer of another domain. : No solution for the moment.

                             

                            These two cases result in an 'Unsupported mechanism NTLM' . I wrote a feature request, but I need to find a solution quickly. Waiting for this feature, I think I could use the fallback login module (LDAP) with a login form to another domain's users. The fallback perfectly works for non domain users. I don't understand why the browser attempt to use NTLM while the browser can use SPNEGO and it's only a wrong token (from another domain).

                            So, I was thinking your idea (Servlet Filter) would permit me to catch 401 error and to redirect browser to the login form, instead of displaying HTTP error. But the two questions I can't answer are :

                            • how to catch 401 error ? Using HTTPServletResponse ?
                            • If I redirect to login form, how to specify which URL will the user be redirect to after successful login ? That seems to be impossible to specify.

                             

                            Any idea ?

                            • 12. Re: SPNEGO : Accessing JBoss Server by IP address
                              rodakr Novice

                              Take a look on web.xml from jboss-negotiation-toolkit.war from https://community.jboss.org/wiki/DRAFTUsingJBossNegotiationOnAS7 ....

                               

                              You Don't need FilterServlet having this in your web.xml

                               

                              <login-config>

                                  <auth-method>SPNEGO</auth-method>

                                  <realm-name>SPNEGO</realm-name>

                                  <form-login-config>

                                    <form-login-page>/login.html</form-login-page>

                                    <form-error-page>/error.html</form-error-page>

                                  </form-login-config>   

                                 </login-config>

                              • 13. Re: SPNEGO : Accessing JBoss Server by IP address
                                Jonathan Durant Newbie

                                I used this web.xml as example to configure my application, so I don't understand what you want to show me ?

                                I'm having same 2 described issues using my application or the negotiation toolkit.

                                 

                                EDIT :

                                Please read my messages : the fallback works well in main use cases, I'm having issues only for two particular cases.

                                • 14. Re: SPNEGO : Accessing JBoss Server by IP address
                                  rodakr Novice

                                  I don't see what you want to achieve....

                                   

                                  Connexion from a computer of another domain

                                   

                                  This is Browser Issue, you have to tell clients from different Domains to trust your web servers Domain:

                                  http://www.oracle.com/technetwork/articles/idm/weblogic-sso-kerberos-1619890.html  ->  Configuring Mozilla Firefox Browser

                                   

                                  Connexion with IP adress in the URL

                                   

                                  Communicate to users URL wit DNS Name!  Using IP Adress is any way bad thing. When your Server moves you just update DNS for your machine. Anybody having old IP as Link will have problems.

                                   

                                  If  SPNEGO doesn't work, you have FORM Base authentication, where the user pass his credentials. Once FORM Base Authentication  is successfull user is redirected to wecome page....


                                   


                                   


                                  1 2 Previous Next