1 Reply Latest reply on Aug 6, 2013 3:42 AM by Minal B

    jboss-negotiation-toolkit test SecurityDomainTest does not work

    Minal B Newbie

      Hi,

       

      I need help finding out the solution to make the SecurityDomainTest and Secured test to work.

      Below is my configuration:

       

      Machines:

      AD

      ----------

      Windows 2008 R2 :  (domain : ssodomain.com)

      Users :  ASUser (SPN user)

                : john (client machine domain user)

       

      Application Server:

      --------------

      Windows 7 (domain : ssodomain)

      JBoss 5.1.0 GA

       

      Client Machine:

      ---------------

      Windows 7 (domain : ssodomain)

      Logged In user: john

      IE 8.

       

       

      I created a spn on AD:

       

       

      C:\Keytab>ktpass -out ASUser_keytab -princ ASUser@SSODOMAIN.COM -mapUser ASUser -kvno 0 -crypto AES128-SHA1 -pass Password@123 -ptype KRB5_NT_PRINCIPAL

       

      Targeting domain controller: SSOAD.ssodomain.com

      Using legacy password setting method

      Failed to set property 'servicePrincipalName' to 'ASUser' on Dn 'CN=ASUser,CN=Us

      ers,DC=ssodomain,DC=com': 0x13.

      WARNING: Unable to set SPN mapping data.

      If ASUser already has an SPN mapping installed for ASUser, this is no cause for

      concern.

      Key created.

      Output keytab to ASUser_keytab:

      Keytab version: 0x502

      keysize 54 ASUser@SSODOMAIN.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 0 etype 0x11 (AE

      S128-SHA1) keylength 16 (0x6b8614aad1ac1e482b769fd5b91d6e1b)

       

       

       

      Later configured login-config.xml file of the default profile :

       

       

      <application-policy name="host">

                <authentication>

                  <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">

                          <module-option name="storeKey">true</module-option>

                          <module-option name="useKeyTab">true</module-option>

                          <module-option name="principal">HTTP/ASUser@SSODOMAIN.COM</module-option>

                          <module-option name="keyTab">ASUser_keytab</module-option>

                          <module-option name="doNotPrompt">true</module-option>

                          <module-option name="debug">true</module-option>

                  </login-module>

                </authentication>

        </application-policy>

       

       

       

       

        <application-policy name="SPNEGO">

                <authentication>

                  <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="required">

                          <module-option name="password-stacking">useFirstPass</module-option>

                          <module-option name="serverSecurityDomain">host</module-option>

                  </login-module>

                  <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">

                          <module-option name="password-stacking">useFirstPass</module-option>

                          <module-option name="bindAuthentication">GSSAPI</module-option>

                          <module-option name="jaasSecurityDomain">host</module-option>

                          <module-option name="java.naming.provider.url">ldap://SSODOMAIN.COM:3268</moduleoption>

                          <module-option name="baseCtxDN">CN=Users,DC=ssodomain,DC=com</moduleoption>

                          <module-option name="baseFilter">(userPrincipalname={0})</module-option>

                          <module-option name="roleAttributeID">memberOf</module-option>

                          <module-option name="roleAttributeIsDN">true</module-option>

                          <module-option name="rolenameAttributeID">cn</module-option>

                          <module-option name="recurseRoles">true</module-option>

                  </login-module>

                </authentication>

        </application-policy>

       

      Configured my IE 8 on client machine for SPNEGO.

       

      when I hit the jboss-negotiation-toolkit from the client browser IE 8,

      1. Basic negotiation is successful.

       

      2. But SecurityDomainTest gives the below error:

      Negotiation Toolkit

      Security Domain Test

      Testing security-domain 'host'

      Failed!

      javax.security.auth.login.LoginException - No LoginModules configured for host

       

       

      On JBoss console I can see the following error:

      19:38:40,714 INFO  [BasicNegotiationServlet] Authorization header received - decoding token.

      19:39:27,187 ERROR [SecurityDomainTestServlet] testDomain Failed

      javax.security.auth.login.LoginException: No LoginModules configured for host

              at javax.security.auth.login.LoginContext.init(LoginContext.java:273)

              at javax.security.auth.login.LoginContext.<init>(LoginContext.java:349)

              at org.jboss.security.negotiation.toolkit.SecurityDomainTestServlet.testDomain(SecurityDomai

      nTestServlet.java:105)

              at org.jboss.security.negotiation.toolkit.SecurityDomainTestServlet.doGet(SecurityDomainTest

      Servlet.java:77)

              at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)

              at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j

      ava:290)

              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

       

       

              at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j

      ava:235)

              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

       

       

              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)

              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)

              at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.ja

      va:190)

              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)

              at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)

              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEs

      tablishmentValve.java:126)

              at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEst

      ablishmentValve.java:70)

              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

              at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:

      158)

              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.ja

      va:598)

              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)

              at java.lang.Thread.run(Thread.java:722)

       

       

      3. and the Secured test gives me a blank page.

       

      Please share any workaround or solution , it would be a great help.

       

      Thanks,

      Minal

        • 1. Re: jboss-negotiation-toolkit test SecurityDomainTest does not work
          Minal B Newbie

          Update,

           

          when I use the same configuration with

          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">

          <module-option name="password-stacking">useFirstPass</module-option>

          <module-option name="usersProperties">C:\AppServer\jboss-5.1.0.GA\server\default\conf\props\spnego-users.properties</module-option>

          <module-option name="rolesProperties">C:\AppServer\jboss-5.1.0.GA\server\default\conf\props\spnego-roles.properties</module-option>

          </login-module>,

           

          the Basic Negotiation and Security Domain test works well. and the Secured test fails.

           

          But when I use

          <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">

                              <module-option name="password-stacking">useFirstPass</module-option>

                              <module-option name="bindAuthentication">GSSAPI</module-option>

                              <module-option name="jaasSecurityDomain">host</module-option>

                              <module-option name="java.naming.provider.url">ldap://SSODOMAIN.COM:3268</moduleoption>

                              <module-option name="baseCtxDN">CN=Users,DC=ssodomain,DC=com</moduleoption>

                              <module-option name="baseFilter">(userPrincipalname={0})</module-option>

                              <module-option name="roleAttributeID">memberOf</module-option>

                              <module-option name="roleAttributeIsDN">true</module-option>

                              <module-option name="rolenameAttributeID">cn</module-option>

                              <module-option name="recurseRoles">true</module-option>

                      </login-module>

           

          It gives me the above error and only the Basic Negotiation works.