2 Replies Latest reply on Aug 14, 2013 5:51 AM by apph_ apph_

    Problem with SPNEGO/Kerberos

    apph_ apph_ Newbie

      Dear All,

       

      we are trying to setup SPNEGO. Of course there are problems.

       

      We are using jboss-negotiation-toolkit to test basic SPNEGO parts.

      So the first test - browser to answer properly on Negotiate header passes on some machines and on some don't. I'm taking about Internet Explorer. For Chrome it is working and it's also working in Firefox after adding hostname to network.negotiate-auth.trusted-uris setting. For the Internet Explorer the hostanem was added globaly to Local Intranet.

       

      The second test - if server will authenticate - also works.

      Now the problem goes down to the third servlet. It returns 401 and this is the same for our custom application which is supposed to use SPNEGO.

       

      Now, some of our configuration:

       

      1. Hostnames of our servers are added to SPN's both with short name and with domanin name

      2. IP address of the hostanem is resolved to the correct DNS name and the other way around

      3. login-config.xml looks like this:

       

      <application-policy name="host">

          <authentication>

            <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">

              <module-option name="storeKey">true</module-option>

          <module-option name="useKeyTab">true</module-option>

          <module-option name="principal">principal@DOMAIN.COM</module-option>

          <module-option name="keyTab">/home/user/file.keytab</module-option>

          <module-option name="doNotPrompt">true</module-option>

          <module-option name="debug">true</module-option>

            </login-module>

          </authentication>

        </application-policy>

       

        <application-policy name="SPNEGO">

          <authentication>

            <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">

              <module-option name="password-stacking">useFirstPass</module-option>

          <module-option name="serverSecurityDomain">host</module-option>

            </login-module>

            <login-module code="org.jboss.security.negotiation.AdvancedLdapLoginModule" flag="required">

              <module-option name="password-stacking">useFirstPass</module-option>

          <module-option name="bindAuthentication">GSSAPI</module-option>

          <module-option name="jaasSecurityDomain">host</module-option>

          <module-option name="java.naming.provider.url">ldap://ldapserver:389</module-option>

          <module-option name="baseCtxDN">OU=PL,OU=Users,DC=domain,DC=com</module-option>

          <module-option name="baseFilter">(sAMAccountName={0})</module-option>

          <module-option name="stripDomainName">true</module-option>

          <module-option name="roleAttributeID">memberOf</module-option>

          <module-option name="roleAttributeIsDN">true</module-option>

          <module-option name="roleNameAttributeID">cn</module-option>

          <module-option name="recurseRoles">true</module-option>

          <module-option name="searchScope">OBJECT_SCOPE</module-option>

            </login-module>

          </authentication>

        </application-policy>

       

      4. We are passing following parameters for Java

       

      -Djava.security.krb5.realm=DOMAIN.COM -Djava.security.krb5.kdc=kdc.domain.com -Djava.security.krb5.conf=/etc/krb5.conf -Dsun.security.krb5.debug=true

       

      5. Log file looks like this:

       

      2013-08-09 11:31:54,924 TRACE [org.jboss.security.SecurityRolesAssociation] (http-serverIP-8080-11) Setting threadlocal:{}

      2013-08-09 11:31:54,925 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-serverIP-8080-11) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]

      2013-08-09 11:31:54,925 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-11) Authenticating user

      2013-08-09 11:31:54,925 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-11) Header - null

      2013-08-09 11:31:54,925 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-11) No Authorization Header, sending 401

      2013-08-09 11:31:54,925 TRACE [org.jboss.security.SecurityAssociation] (http-serverIP-8080-11) clear, server=true

      2013-08-09 11:31:54,925 TRACE [org.jboss.security.SecurityRolesAssociation] (http-serverIP-8080-11) Setting threadlocal:null

      2013-08-09 11:31:54,925 TRACE [org.jboss.security.SecurityRolesAssociation] (http-serverIP-8080-11) Setting threadlocal:null

      2013-08-09 11:31:54,939 TRACE [org.jboss.security.SecurityRolesAssociation] (http-serverIP-8080-11) Setting threadlocal:{}

      2013-08-09 11:31:54,939 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http-serverIP-8080-11) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]

      2013-08-09 11:31:54,940 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-11) Authenticating user

      2013-08-09 11:31:54,940 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-11) Header - Negotiate YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAACoTO/eJugb/imQuz4yyJIAVauv4sP4y18NFVhvUt466JJcwxcQrvJHrSZ1peD6cTQAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=

      2013-08-09 11:31:54,940 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Base64] (http-serverIP-8080-11) YIGeBgYrBgEFBQKggZMwgZCgGjAYBgorBgEEAYI3AgIeBgorBgEEAYI3AgIKonIEcE5FR09FWFRTAAAAAAAAAABgAAAAcAAAACoTO/eJugb/imQuz4yyJIAVauv4sP4y18NFVhvUt466JJcwxcQrvJHrSZ1peD6cTQAAAAAAAAAAYAAAAAEAAAAAAAAAAAAAAEVyfDIyRYtIv9kqa6BepAo=

      2013-08-09 11:31:54,940 TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Hex] (http-serverIP-8080-11)  0x60 0x81 0x9e 0x06 0x06 0x2b 0x06 0x01 0x05 0x05 0x02 0xa0 0x81 0x93 0x30 0x81 0x90 0xa0 0x1a 0x30 0x18 0x06 0x0a 0x2b 0x06 0x01 0x04 0x01 0x82 0x37 0x02 0x02 0x1e 0x06 0x0a 0x2b 0x06 0x01 0x04 0x01 0x82 0x37 0x02 0x02 0x0a 0xa2 0x72 0x04 0x70 0x4e 0x45 0x47 0x4f 0x45 0x58 0x54 0x53 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x60 0x00 0x00 0x00 0x70 0x00 0x00 0x00 0x2a 0x13 0x3b 0xf7 0x89 0xba 0x06 0xff 0x8a 0x64 0x2e 0xcf 0x8c 0xb2 0x24 0x80 0x15 0x6a 0xeb 0xf8 0xb0 0xfe 0x32 0xd7 0xc3 0x45 0x56 0x1b 0xd4 0xb7 0x8e 0xba 0x24 0x97 0x30 0xc5 0xc4 0x2b 0xbc 0x91 0xeb 0x49 0x9d 0x69 0x78 0x3e 0x9c 0x4d 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x60 0x00 0x00 0x00 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x45 0x72 0x7c 0x32 0x32 0x45 0x8b 0x48 0xbf 0xd9 0x2a 0x6b 0xa0 0x5e 0xa4 0x0a

      2013-08-09 11:31:54,940 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-11) Creating new NegotiationContext

      2013-08-09 11:31:54,940 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-serverIP-8080-11) associate 1630142211

      2013-08-09 11:31:54,941 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-serverIP-8080-11) Begin isValid, principal:24C714DD49C3A6FCB38FFB71BE95A2C6.node_5, cache info: null

      2013-08-09 11:31:54,941 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-serverIP-8080-11) defaultLogin, principal=24C714DD49C3A6FCB38FFB71BE95A2C6.node_5

      2013-08-09 11:31:54,941 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-serverIP-8080-11) Begin getAppConfigurationEntry(SPNEGO), size=14

      2013-08-09 11:31:54,941 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-serverIP-8080-11) End getAppConfigurationEntry(SPNEGO), authInfo=AppConfigurationEntry[]:

      [0]

      LoginModule Class: org.jboss.security.negotiation.spnego.SPNEGOLoginModule

      ControlFlag: LoginModuleControlFlag: requisite

      Options:

      name=serverSecurityDomain, value=host

      name=password-stacking, value=useFirstPass

      [1]

      LoginModule Class: org.jboss.security.negotiation.AdvancedLdapLoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=bindAuthentication, value=GSSAPI

      name=baseFilter, value=(sAMAccountName={0})

      name=jaasSecurityDomain, value=host

      name=stripDomainName, value=true

      name=java.naming.provider.url, value=ldap://ldapserver:389

      name=recurseRoles, value=true

      name=roleNameAttributeID, value=cn

      name=roleAttributeIsDN, value=true

      name=baseCtxDN, value=OU=PL,OU=Users,DC=domain,DC=com

      name=searchScope, value=OBJECT_SCOPE

      name=roleAttributeID, value=memberOf

      name=password-stacking, value=useFirstPass

       

      2013-08-09 11:31:54,941 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-11) initialize

      2013-08-09 11:31:54,941 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-11) Security domain: SPNEGO

      2013-08-09 11:31:54,941 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-11) serverSecurityDomain=host

      2013-08-09 11:31:54,941 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-11) login

      2013-08-09 11:31:54,941 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-serverIP-8080-11) Begin getAppConfigurationEntry(host), size=14

      2013-08-09 11:31:54,941 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (http-serverIP-8080-11) End getAppConfigurationEntry(host), authInfo=AppConfigurationEntry[]:

      [0]

      LoginModule Class: com.sun.security.auth.module.Krb5LoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=principal, value=principal@DOMAIN.COM

      name=useKeyTab, value=true

      name=storeKey, value=true

      name=keyTab, value=/home/user/file.keytab

      name=debug, value=true

      name=doNotPrompt, value=true

       

      2013-08-09 11:31:54,941 INFO  [STDOUT] (http-serverIP-8080-11) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /home/user/file.keytab refreshKrb5Config is false principal is principal@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false

      2013-08-09 11:31:54,941 INFO  [STDOUT] (http-serverIP-8080-11) KeyTab instance already exists

      2013-08-09 11:31:54,941 INFO  [STDOUT] (http-serverIP-8080-11) Added key: 23version: 5

      2013-08-09 11:31:54,941 INFO  [STDOUT] (http-serverIP-8080-11) Ordering keys wrt default_tkt_enctypes list

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11) default etypes for default_tkt_enctypes:

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11)  17

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11)  23

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11)  16

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11)  3

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11)  1

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11) .

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11) 0: EncryptionKey: keyType=23 kvno=5 keyValue (hex dump)=

      0000: 62 9E AB ED 98 3C 20 2D   D6 F4 8B 0F 0E 5A A6 78  b....< -.....Z.x

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11) principal's key obtained from the keytab

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11) Acquire TGT using AS Exchange

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11) default etypes for default_tkt_enctypes:

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11)  17

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11)  23

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11)  16

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11)  3

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11)  1

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11) .

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11) >>> KrbAsReq calling createMessage

      2013-08-09 11:31:54,942 INFO  [STDOUT] (http-serverIP-8080-11) >>> KrbAsReq in createMessage

      2013-08-09 11:31:54,943 INFO  [STDOUT] (http-serverIP-8080-11) >>> KrbKdcReq send: kdc=kdc.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=152

      2013-08-09 11:31:54,943 INFO  [STDOUT] (http-serverIP-8080-11) >>> KDCCommunication: kdc=kdc.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=152

      2013-08-09 11:31:54,946 INFO  [STDOUT] (http-serverIP-8080-11) >>> KrbKdcReq send: #bytes read=601

      2013-08-09 11:31:54,946 INFO  [STDOUT] (http-serverIP-8080-11) >>> KrbKdcReq send: #bytes read=601

      2013-08-09 11:31:54,947 INFO  [STDOUT] (http-serverIP-8080-11) >>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType

      2013-08-09 11:31:54,947 INFO  [STDOUT] (http-serverIP-8080-11) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/hostname.domain.com

      2013-08-09 11:31:54,947 INFO  [STDOUT] (http-serverIP-8080-11) principal is principal@DOMAIN.COM

      2013-08-09 11:31:54,947 INFO  [STDOUT] (http-serverIP-8080-11) EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 62 9E AB ED 98 3C 20 2D   D6 F4 8B 0F 0E 5A A6 78  b....< -.....Z.x

      2013-08-09 11:31:54,948 INFO  [STDOUT] (http-serverIP-8080-11) Added server's keyKerberos Principal principal@DOMAIN.COMKey Version 5key EncryptionKey: keyType=23 keyBytes (hex dump)=

      0000: 62 9E AB ED 98 3C 20 2D   D6 F4 8B 0F 0E 5A A6 78  b....< -.....Z.x

      2013-08-09 11:31:54,948 INFO  [STDOUT] (http-serverIP-8080-11)         [Krb5LoginModule] added Krb5Principal  principal@DOMAIN.COM to Subject

      2013-08-09 11:31:54,948 INFO  [STDOUT] (http-serverIP-8080-11) Commit Succeeded

      2013-08-09 11:31:54,950 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-11) Subject = Subject:

          Principal: principal@DOMAIN.COM

          Private Credential: Ticket (hex) =

      0000: 61 82 01 0E 30 82 01 0A   A0 03 02 01 05 A1 0C 1B  a...0...........

      0010: 0A 49 4E 53 50 4F 4C 2E   42 49 5A A2 1F 30 1D A0  .DOMAIN.COM..0..

      0020: 03 02 01 02 A1 16 30 14   1B 06 6B 72 62 74 67 74  ......0...krbtgt

      0030: 1B 0A 49 4E 53 50 4F 4C   2E 42 49 5A A3 81 D3 30  ..DOMAIN.COM...0

      0040: 81 D0 A0 03 02 01 17 A1   03 02 01 02 A2 81 C3 04  ................

      0050: 81 C0 7A 1B 05 6A 53 E9   02 99 4B 9D 1F 82 C7 DF  ..z..jS...K.....

      0060: 0E 75 79 65 51 CE 78 F4   76 1D EA BC B2 21 07 58  .uyeQ.x.v....!.X

      0070: 50 3C 8C 19 17 43 FA ED   B0 2B 4E 8F 4A D0 7C 2F  P<...C...+N.J../

      0080: 84 F5 61 21 0A 22 3D C6   44 EE 17 17 91 F2 CB 47  ..a!."=.D......G

      0090: 59 06 28 3B 62 06 5C E0   61 F5 70 9B 24 16 51 F7  Y.(;b.\.a.p.$.Q.

      00A0: 89 27 E3 F5 57 4A C6 09   22 A1 7D F2 51 F1 01 AC  .'..WJ.."...Q...

      00B0: A1 16 C2 23 5B 5A 7A 43   52 88 BC AF 8F 64 EA 2D  ...#[ZzCR....d.-

      00C0: DF F6 0E 0D 6A 77 A6 28   05 70 5C 75 8D 40 D9 DF  ....jw.(.p\u.@..

      00D0: B0 56 84 2B 31 90 7E 9B   19 DF 9B CB 71 D4 90 F9  .V.+1.......q...

      00E0: 0E EE E8 75 2C E6 3C 0E   B3 0A 1A 16 19 FD 44 81  ...u,.<.......D.

      00F0: F5 B0 7F 0D A1 A6 DA 50   9E A6 AC 17 AD 79 38 6F  .......P.....y8o

      0100: 4B D6 6B CF 72 DD 94 81   6E 8F 42 CF B8 FE 5C 75  K.k.r...n.B...\u

      0110: FB 25                                              .%

       

      Client Principal = principal@DOMAIN.COM

      Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM

      Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=

      0000: 00 45 E9 49 ED 1E 81 DF   51 0F A5 B1 24 78 52 CB  .E.I....Q...$xR.

       

       

      Forwardable Ticket false

      Forwarded Ticket false

      Proxiable Ticket false

      Proxy Ticket false

      Postdated Ticket false

      Renewable Ticket false

      Initial Ticket false

      Auth Time = Fri Aug 09 11:31:54 CEST 2013

      Start Time = Fri Aug 09 11:31:54 CEST 2013

      End Time = Fri Aug 09 21:31:54 CEST 2013

      Renew Till = null

      Client Addresses  Null

          Private Credential: Kerberos Principal principal@DOMAIN.COMKey Version 5key EncryptionKey: keyType=23 keyBytes (hex dump)=

      0000: 62 9E AB ED 98 3C 20 2D   D6 F4 8B 0F 0E 5A A6 78  b....< -.....Z.x

       

       

       

      2013-08-09 11:31:54,950 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-11) Logged in 'host' LoginContext

      2013-08-09 11:31:54,950 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-11) Result - false

      2013-08-09 11:31:54,950 INFO  [STDOUT] (http-serverIP-8080-11)         [Krb5LoginModule]: Entering logout

      2013-08-09 11:31:54,950 INFO  [STDOUT] (http-serverIP-8080-11)         [Krb5LoginModule]: logged out Subject

      2013-08-09 11:31:54,950 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-11) super.loginOk false

      2013-08-09 11:31:54,950 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-11) abort

      2013-08-09 11:31:54,950 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-11) initialize

      2013-08-09 11:31:54,950 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-11) Security domain: SPNEGO

      2013-08-09 11:31:54,950 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-11) abort

      2013-08-09 11:31:54,950 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-serverIP-8080-11) Login failure

      javax.security.auth.login.LoginException: Continuation Required.

          at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:172)

          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

          at java.lang.reflect.Method.invoke(Method.java:597)

          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)

          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)

          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)

          at java.security.AccessController.doPrivileged(Native Method)

          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

          at javax.security.auth.login.LoginContext.login(LoginContext.java:579)

          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:553)

          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:487)

          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)

          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)

          at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:399)

          at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)

          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)

          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)

          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

          at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:905)

          at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:592)

          at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2036)

          at java.lang.Thread.run(Thread.java:619)

      2013-08-09 11:31:54,950 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.SPNEGO] (http-serverIP-8080-11) End isValid, false

      2013-08-09 11:31:54,950 TRACE [org.jboss.security.negotiation.common.MessageTrace.Response.Base64] (http-serverIP-8080-11) oQcwBaADCgEC

      2013-08-09 11:31:54,952 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-serverIP-8080-11) clear 1630142211

      2013-08-09 11:31:54,952 TRACE [org.jboss.security.SecurityAssociation] (http-serverIP-8080-11) clear, server=true

      2013-08-09 11:31:54,952 TRACE [org.jboss.security.SecurityRolesAssociation] (http-serverIP-8080-11) Setting threadlocal:null

      2013-08-09 11:31:54,952 TRACE [org.jboss.security.SecurityRolesAssociation] (http-serverIP-8080-11) Setting threadlocal:null

       

      Only 'exception' is javax.security.auth.login.LoginException: Continuation Required which is maybe not really an exception, but part of standard authentication process.

      I've tried using Wireshark to see what goes around behind the scenes and track down and warnings/errors. There's probably something similar: negResult: accept-incomplete (1).

      Nothing more.

       

      If you need any other parts of our configuration - and probably you do - please let me know.\

       

       

      EDIT:

      One more log, this time from our application. As you can see, at the end it (goes?) to LDAP. There are no exceptions in log file.

       

      2013-08-09 15:14:21,260 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-3) Authenticating user

      2013-08-09 15:14:21,260 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-3) Header - null

      2013-08-09 15:14:21,260 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-3) No Authorization Header, sending 401

      2013-08-09 15:14:21,274 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-3) Authenticating user

      2013-08-09 15:14:21,274 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-3) Header - Negotiate YIIXswYGKwYBBQUCoIIXpzCCF6OgMDAuBgkqhkiC9xIBAgIGCSqGSIb3EgECAgYKKwYBBAGCNwICHgYKKwYBBAGCNwICCqKCF20EghdpYIIXZQYJKoZIhvcSAQICAQBughdUMIIXUKADAgEFoQMCAQ6iBwMFACAAAACjghXaYYIV1jCCFdKgAwIBBaEMGwpJTlNQT0wuQklaoiYwJKADAgECoR0wGxsESFRUUBsTc3RwbHUzODAuaW5zcG9sLmJpeqOCFZMwghWPoAMCARehAwIBBaKCFYEEghV9kyUMnqxum90u0eHYKW7PlmDR7y+UDX1MFJArTMaxCZ5VBERulOsP/P62qr3J+zR/fBG+SNiBjsc9BWJ+pxlDVENQC2LYNggMGFBBmXogi9wULw1cTbLTNWzJbuEiV66lJiACVtky9t1IG7ZEbWl0+pEdNy4tgE2iD4fblzXWBWVEDUfElATIJs6PZF5POk9li77c8Q+sSwSj7I/mYDIBOQ0fza1291yGtCH49yGr8jXVAzZmvAj8bzFkhdffwh8o0rzwOTQ6S6wcbJ5URk3Q7kzq9YV+DrvsY/Q4TD/KeS+IhnDVbOKcEwOtshPnfB2YkvZ32TECeEW3SNRUAICunb5sXNP8W+khCZH5ij8wRPpwZuxyyv06L5v1ULfr/V7DTBbweh6YVgry5fGwOku6+lk06AX0541W19aqdXvAB13aXaE4JbmbJujrAgzpOs4vgn1bFOm0xtqxCDEnuQMXmtqpbqJktXXOKmrKoIivuheqaB88AOr5IeGREF4LTnfP4e9X/VMm54SmvfKcXN5LV69W+hNoIn4gCLLV36Hb+dOyjMqTP/rQl8s6Sj+QCOFO9IxQqTwNfyYtxvediM1Ajhj8c0IRCHMbg7VvxpofOoAHoMeSTlBXJRkPZnncf8QWmV1Y2SsUWT0ADVIAcGkaSKU6/Kagju9y2kIB+7Xzz1U3qy0GWuUVD00JSf8tr8DfbZmqpUfBUxIXVwAjhwNsAPFdmb5oWivH3NEbE8snLwFgWjWa8Nwk8mk6n0/cTuoomgCHXGqVLU0zvQ6yT+s3RQN/R/SSQVHquY6f4eeCRfo2h3vSlKPqn9yeuLNMeauN5LYigikDn6dunV/onfhMhxouDKZ1Ga4ggGYQD2CNWvHiI6eHNXpA0kv2Vq0XeKGxAafkpTO92TnZRpCrygAydIJbJn7uwLiB+mRPnFGwntEEjP/6BtIqGm+b49lHSj5ILoOtXi0tWSU4drd8Kh6AMTCwYivtksyiIBe7xqMaVgxYWlUEX68yhf5GUsUFZ859GnoV7rBvOA/7zwykgorBMfEvpG7Nrn4fTzlbEKROh/58wyOtGc7RRPMkXCSz2rrir1/mWqgfLMOV6EX3dUwNRQaTbMBBHOsXuzcoCBJP4kDLrJtMGiBBtevRIaZeqo2/kgRKfWhp+yHLHWRWkLWjXngTYv91ThyP/d6xRSD4n7P8PMX50XX3uHvB1dh/nigK2m01pBtuBcKr4S4dYQagDzQmbVAR67rN69IbktjhgIJq1Y9Tjv52EeoMGmAykeGjR8Y4wxg34TkG3XOiG7yQ9yBWsXR4JAy6EMz31bitZzimrELtmcwEI70BanvUNQNl1eSeVyxM++t11bGU5eKDbjXGbG1P82rGcKTH2bUULzLJN4Kfxm4wddKXfUDU7/K/B4tR8cobzwafXon7OrFjq5XbtKtU3KtT/lGoeA3upnzY5enXprFtRLKbXMjilImltqXDxrc4sVnp0Gox3dJAKUXF0Vl31c4LuHYFe1mpkpQGp8qsVEZsz37J4VAmRGdV/nVSIiZ9SM76obZgWtz9PMKoSKsKwUGOV7iHZ3ajFiQ7YRSv2lufSxwoLY1Q0NOBv8tgf4ifswEKBkm9qDmOBgmV7FkG3XUY1PMG9Qy/KosP/8pOxEUCe27NZoKppH+WnASLfFo7OXzfnczc8RkrY+apoRSDdQcs+D87X11D3Ew2xIl8LcT/5lqokfEu6MQX51+fKIynT6c52F94uEHzNWNJ7YvLazW7vKtyXh5YXvwNJr/plP4cgUx0JtjFzwCAj9eHpCXqnwXRaN9Y3zdpGSdtCi8y0AI7yNKU4XkNFxsFHbvI7AQokJTi4T7d8v8oqJ6GFxZPwkmfEc7veVk6InvXo9W/uGnoBvkv/2Et5FJCeHiab29r47Gd8OBZSXSdHyKa5kDUA02SSbJjECBu9ITurxKo6mGUrjb9JMuYKiOm5tB8Dke0NzTVYWGcHNv/+J/Yn5WsVZVQWWgVQqWGtFxEIPEhbn3e6DJJPTBmANh3k5svMWQZIvgMk02ntY59xZGV96FXim0HhZeJ6pBnHaCSOYe2HEL/xqHk6rC30jAgqNNS4pS1lnmjhWm+ZnVBU61Bwm1avUbNHkSp7NPnCaMI5cXXJsm03S5YajqwWthSkNKr7c+JQtP45JV0UCgZbma6iGwEdRAsQaKEfRo1Zo9l6CvAuipNvwpi9ZsK1bjSTFwixtKMTebm9GDTMBWUOwerpdsjPzOxYn810dYqaGj1HF+I1aNpdhIMXpaXYnmJD2Qyi9KzMUdkOPxRNb82keN+vDW28I2RwckJHl/WtAUi82MrcyMfS3Q/HRX0f3pzJ7mVDWwKaZPhRwwXjAEE+VCixfhQl3j7lBbVta7zUOZv6FhdPfkufLJAVeMgkpUidCyQwpZRVxjetRpofAoj2vcbHyRqse2iWRLBD5SlbqPnb7wJ8dLm+mhgMmJgQt9W5Vzq0kIbQJXyeY6te9RapvniP7AQklpKQmQq9oGvRXdXBJi0ibyMLmSQW4vKwRgpzm18qmIBwVyjJbqKJQ4d1i6Z+tV8HT4R629dhkD4jmFsI38rgOxC8SoZGVJnWjQHVa7IOUofwRO880fHgJ1php8DQJGXo3CATcA4J06qoKHRS+WXGkDH1vkNz1yKQ0iaXRgV4d6rTnKIN3dj20Or2QPpOmQy1iUu4nkmm511/7wfr8/K73csla7EpI5w3+BUJZ8Lnom+qX2lhosw89DneU1qf3xoEtUbK1oZikTQlstkltLxNyKXtLtb2us9SJdYkjKY8xJfqdEHL/oi77uL0+AVxi2SzfNCeHMvuti2fJGt0E+BkbAjvZFreXQSWIk5sCeERkkUrWAYApDFwEgoaCEqZMtrCGI0k7vf8nJvuPVG8id6JzyRkytyL1DvYSlFZiX+N8MLntRwf50Z/LsOKaBYHGDPAM6Vymu5v/AoMh8LPs6vHXxSSo9L6A0ees24icND+jjDRQ+cJ4zisKKZ1zpXBVanpN5eXdDtdRhXnVu93SYgUtT03TGp7gtrJC1zFcJriTSpTfwaElIXaeNR+SwO2drgbYmgkrA0AXGmAEkrP7cZ/2pQMwj/orAIWdKYxayn0d2ysKarufkV+tpZ79MI2l866GCgQXYIkseV68XitrdksefU84K9NXHI/t+6C77kPT+Y0GtQM6X1z87kiLd4+cK3hIiy1hXCQ3uTVW7LIDw04xNS7xZyGCnozdEoMDqC2yBvfg8aQobLvjW+RFpOwFc81x26H58fmulT464IyO2MHyfUoobn23SJSW+D14QtUg9Rw5sG0naGiH+CXzs9ZEy5QgVxmIWstuiIftwbfO1gxlhMrFhCHQyNMzjrK0y1Fty3x92jRNTp6X3XjGiH44+Vl/NTm0487FhzS7NFE58InBCicBBQywg3tW6vK/RDP8eMtqakW2OTGEvhiZLsvM8b2YsPCLK6oS2KibuWCSrLh6F3sN20F91r5UW580stvDuSihNrZkLXhFNfiN3m4GUfEMtIw+rYwwbKR3wt9wmUjlHJjXdva7dattBOi5dTwG3jnmgTnyE/MF9Y5NCu8XU6MD8tNXsdV/CZTOOD88BCbeDGORX5t+NsmD7gYcik7Tcua9QEugEYDRfgYAGcQKJCWyb2rjsFny3x4gzjE2eSPw9HRlDVVDFWVekRIgbZbE4IBzEDAdyh7rXIhYQSNROizTZsBTGOSghDi568wsKVS+c+tFtuYyayQjTf5ojyukO8JIsj8f9ltx1YM4kER2Y+wglGOlRUXfDW45X+Sm9HnmmgqHO2DYdRTiiUm63u9x6cOK9tvZ58lKJfUN4WW1c+vv1VnujHVDsWRCDD20Zs4OhYXEDWaEXwtC1u+tG8uv0rp9IgST88lUoLOlE8DpQcmF05kD3rBI4fNFFdG3rrTzcdbyNymEu5x2Fj/BR2cl2E3t9AaHmadaEU4e/KHt08YkDUNpqc6ctikO6MCeKiPeQavH5Ur1SetU7ddQFxvpN5P70W5u+ayQ0OGxl6JUTDBnNLUKAh3aOjcJptPIZg2pb52y0/GhMC0P3dnbA+zFqJGHngBGLFPO8OBtCQDztVXyAa81qaRoaYV9DH5U+RyORoNWdSrw7AiB0Hj4q/Too5teFi7Q+NzA4Jf5bj5s0uXkYeEqgMJHkmtEZwKAzDp87DVtPXDiutwSWDIHJS2+WZjmbFfrv0eCpz2SFwPGyBFItEv9f38zfsmGqjmPiELizrkzn/2Xr5CqfDJ9paAWmhWLF4ggQ8YJrjU1//BJO2pOyFzZBdT03H49X4Q70lbGIK7IVgQX+S46LKrUg47ANBGtmM9SOGX+Pxxq6dErk3CuVo24xTt1UWHMGT0kIb3cCJAPiMX4oQe3QXAouNrp2f0hV801UeYsbwBW7ITKySc3XCzmcHQUjX7AISPNE5Os92IvICzcMdJB5iOmLWfBJDb7gvWwK8vYtV0iSOaAhXqBTdXdfsw68eRt2QIobSKMy2sY1PTi2J96sj5oBX+TkqYwB9jowvrJ891fvGGEqHyBKNaLbNl0F9p2no2yVFaJfFDHnJqj0xHfQKNg01Ns7nzEsBhh51+NUa0xQpjYDNvvHgV1yLW4W4iOG905TO/KU9GQizbHjEAXpedOd41TTnt8wqBer6JxP1gvV2JOBY+q13J+WU9W+YrjzP0aP74ceJBiMWmhWJWtEUQl0I0HR0/grparIfm+cjV5uo+9iK/F0roNdTwxdoKshkJFn+FBgMAhDXxSTCshW3K7KyvDdMVy8NeRw0xzavogHVDpQbS/RWJvqMQKSEKQLa4Iz+Z7yEcP8wOxKdVbxa8TFRRgZQmclLEujOhUUeFy+18ttVY4hpqLg4PGroLzB3r+cqwbPbMTB5m21XK5VgxNPcvM18i1P9JplJixpLnb+qowRPYEX9bPI3dhz72X3HzYgjEKK7+uCNpirBR2HtvWVma83bm1pvesXVm9MC8Ztk5uxjRFU8CdF0CPOGRJks5eME16PtZS/uEG54nN8sEP6Mjbg6mRKlU+aXlUTX9M1tqmCKcSzUbSqKVtXl/gqHkHSPMlW+Qu00NRKLeu/mE1jTHJUPCVx7GfEFB9Rrvx6tf5xugJ2pMWP4WzlrHQtYp2LrAw+dGImbHZKosVXIORFXQ4Zfcdz8hpEIyzLL1ju+WFhiXWB4LAPg8JH5gT0bBoFQPdgGwp4zbEkWlbXk/soJU3oReDclc31OCZYq4hO3pbolyLH1pUFLzMQZ0PLnZ+lM0/TShILdvbqvPraTumkB9v/yOz1abQ6XwJjb6aypVDC5I1jEPM3H1ktf2AGQd7Tp71sy6hPg2j2cxmG25sBPlEjzA01qjRQ1rM8nr29p3LMTd6FZO5nIlgrQKiz6acAuXofcNzB5+2blc0dn2e7TaS4I9x0A10fnK9rVqAwjOVtvOPoi+ib8deCsAi3LB7j5bw3EVW+uhP2IHuRHaDLYYElgR8mPUFyd6xLVVWXv6m+A3m71o3Kfxb7wpjBWjOf2Ux6oIg+IF0XSdRgByi16tE+x8ToVboMkMmDmmZoMIHNU5oMFyZvP633l6GTPPI+ET31DwBzNWPYkbwysBPI78jER7LkCRK2gl0CDpRenVHrytOLVugwlFO44XPlF+TxNitbTjCEmOgtmwxo9jCh9MYAT973LmsVmepGLjqnGWNX20ZHFJPQsMbRrSQZRtO59a6F3tdM6BSA6x8tEMrEOGsv/GQjE3IOW+6CKf7rADnDz04IgV6R4Z4ppq/jolb++dBffcxWc8uihiFWrIndLZ0SPVcnBErtcfHH06T87FgtB3gWXtkRwBkBPH0mmXwtGmsJqcMgVu3zQf0K/3KYAUp4t2/F28O6Zpjo6jmHKSfQVR09vumICEX0hULZs5s6kqRLu+qElUqP0xJiqt6pg9vsQXpyMXDVCQA2yYNMR+8SYme/zVoaIqqZIxrNjxlgpo0bHEwZdYX/ED3Qo2fNM8iqaNZKpya07MRg87JucQ0qG8emgDypRAVrFxBrkzsmtw4GAV0/zmOmFEA3ozWoLlxJYob9KFABZuOZ/CpV6k5ajI0QuufpkS5PQpCn7BVgswSl2ILxIXu+i0mWEPnQOEa1KEyYqq8db/w+9RY7OeI2gUd8qGaZPJnf5pk6hddHYJUCMDqTMdEkmTAcxdO66WoK/vyGy2p91FQrF6xXp9vMQNK8UfcevmT3z1djOC+Ckq42DHP1Tk9jodtVtiDgYOnS+H+VRh1Vbg/U64ej50AIUEqlWAD3AuuhZTDDTNeWm8NR8LIHX6rqST+axQgGX4cTcJbuwTOZpxAoBAhIolaA7IB/iO7VhcB6r7CyQxAa+noU57Vmv6DjCT2qAtrtWstLQy2m9bg8pkayu7t6oy7LetjnjuuTKVZHz/cR1rp1DKZv39QXu1rrVw1Hk+pl5DSYBiN1mSRaSjaForX8cCjVzkDmOdxYiwe/JG+hPvS9VhYDZLXckxyj3QimvjD88QzWkg4RN61UcRgnmBhdfzfMcR+kw59xWQyZjCGwo5pTICSK+2v492bLtlxFeEmsi9XgZEmNMkWaDdbbNxjX96K8s9ex2hg50OuMUTX+BZVhSXvh4Y76z+4aJW4hWqPTV9856WAgHoubb7Tv4nTqXKDRGmkpF/zIpOfvq36HJi8eyF0FsqC93GpNb71Vf8Z0H3Xoha8OJsy0i74nYSk5XFLUzlJEA+4eLRgZMsJvqo/7FaH9nHSBLKVCOO5WRMLknehwLV+EvxLRwyCmaRW+dd3Ugf1ZmtgTSMWS+uL8AlTassBeNa46eSPtIRcCCQkhBiZkp730DvRyRvmMtIxnJbIjN24/sTSg7FmRVl2WKHqpVEywPugLTlR1489GKRDNvkKhs8JWEc9jeqCVkRtGr8vrR0kjs/MZ6a8K03SSLwyfYCgH2QgnSQlM4gxjRFBz4+u2FOl7+PpqioV6JyMMT4imqdM9iPIMCpTEKG0jQs9v7vV6kxr0nDVbMNG2uhwTDRCmVqw6DGggMc0dw1EXcpQJFiaYTiuIwkMVI0u84sLZbqoc78j6X32hb2ozc28FRioJD5BY/xYVCyE0hvddEjkeOi8IUr5Wt79aFR5o4yQgZgjABmCNYKznfADUo/mFsTXIh4bLyh8jSA906VfuOjcBZ5xlmY/lLqJ4g/d1oVY+/sEYDKyPhAtoJuj4ZTe0TPKTh0luZz17/bnNcO7wKQRDdrtO868q62uT5vhwE4hrupPtUxWfyjyTAsHct7FwerEAcdcd3wvlMUdFBlbe4ecueB/16AJp28tIXNVNzLycnOp9jTg3/Q0WkggFbMIIBV6ADAgEXooIBTgSCAUo5weojEENXUfV+gDlxkZ92pZRfbXk5yPkX/KyYlD4V84zlRW0Al+M+1OloTmssNUdsc1WhSb9ScQiKHcwSpcOrS5QVYsfcfa5xdymxrRLHq3dYGdiL72KX2OWLtZki2O7MQyLRDWPMfDFGGikhB3xDpdrHn/dQkGAb8x9iN5pgWtTZTB/u2Kv1Rw6s+Sw6lxjDn6Kui+ORQJ1Q0egEUIKOXvmte+uSJYWZsNwPfc19h0zXelSXQve/xqlg2vdPitS5hEoZuBERu+Q7YWAeLfLgIlx85fr7pPmD9N5omugeUNEa2dP4+zyveFBLcqYVh6WKsXuotC62ag7rT0SL4RyRATQrSmXyMjdqtYUuUa5RnaW9/fPqk7tHiFVEYkVSj7g2i6rZZuHuQULG59L0aQ09izrnhnGzy29gYeOPdKMYAfKKBS25Ub4oN5k=

      2013-08-09 15:14:21,276 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-3) Creating new NegotiationContext

      2013-08-09 15:14:21,276 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-serverIP-8080-3) associate 925390004

      2013-08-09 15:14:21,277 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) initialize

      2013-08-09 15:14:21,277 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) Security domain: SPNEGO

      2013-08-09 15:14:21,277 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) serverSecurityDomain=host

      2013-08-09 15:14:21,277 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) login

      2013-08-09 15:14:21,298 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) Subject = Subject:

          Principal: principal@DOMAIN.COM

          Private Credential: Ticket (hex) =

      0000: 61 82 01 0E 30 82 01 0A   A0 03 02 01 05 A1 0C 1B  a...0...........

      0010: 0A 49 4E 53 50 4F 4C 2E   42 49 5A A2 1F 30 1D A0  .DOMAIN.COM..0..

      0020: 03 02 01 02 A1 16 30 14   1B 06 6B 72 62 74 67 74  ......0...krbtgt

      0030: 1B 0A 49 4E 53 50 4F 4C   2E 42 49 5A A3 81 D3 30  ..DOMAIN.COM...0

      0040: 81 D0 A0 03 02 01 17 A1   03 02 01 02 A2 81 C3 04  ................

      0050: 81 C0 00 22 CE C7 C7 89   F2 D2 10 75 84 82 14 FD  ...".......u....

      0060: E0 1E AB 95 78 A3 C9 10   C0 FF B3 C7 BC C6 6D BC  ....x.........m.

      0070: 7D BF FF 86 9C AC 22 15   FB 9B 16 D7 93 2E 76 E0  ......".......v.

      0080: 49 46 E1 85 0D BC DF B6   C1 D6 8D 54 92 3F 09 F0  IF.........T.?..

      0090: 91 56 80 B9 F0 51 90 04   37 F5 BE FA 4A 8A E9 8D  .V...Q..7...J...

      00A0: 4D 02 3F 79 85 5F 6D 38   07 A1 2A 10 AE 6E 6C ED  M.?y._m8..*..nl.

      00B0: DA 45 B1 AA 69 4E 8F CF   F9 22 94 DD 39 F8 D2 FA  .E..iN..."..9...

      00C0: D8 23 E0 04 F6 67 52 0E   E1 27 36 66 07 EF F5 B7  .#...gR..'6f....

      00D0: 48 6A 52 BD 61 C7 15 B8   56 19 A7 44 A7 78 7A 3E  HjR.a...V..D.xz>

      00E0: 2C 61 67 5F A8 80 25 31   0A 98 9A 0A BE 2E D6 7E  ,ag_..%1........

      00F0: 8E D9 7B BE C7 1F EA B1   3F 4C 5B 8F 75 77 76 7B  ........?L[.uwv.

      0100: 73 D9 8B F1 58 37 C0 46   92 FB 82 0C 37 27 29 D6  s...X7.F....7').

      0110: BA D1                                              ..

       

      Client Principal = principal@DOMAIN.COM

      Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM

      Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=

      0000: 40 77 D6 54 C6 31 AA CF   35 1D ED F7 E0 43 11 C9  @w.T.1..5....C..

       

       

      Forwardable Ticket false

      Forwarded Ticket false

      Proxiable Ticket false

      Proxy Ticket false

      Postdated Ticket false

      Renewable Ticket false

      Initial Ticket false

      Auth Time = Fri Aug 09 15:14:24 CEST 2013

      Start Time = Fri Aug 09 15:14:24 CEST 2013

      End Time = Sat Aug 10 01:14:24 CEST 2013

      Renew Till = null

      Client Addresses  Null

          Private Credential: Kerberos Principal principal@DOMAIN.COMKey Version 5key EncryptionKey: keyType=23 keyBytes (hex dump)=

      0000: 62 9E AB ED 98 3C 20 2D   D6 F4 8B 0F 0E 5A A6 78  b....< -.....Z.x

       

       

       

      2013-08-09 15:14:21,298 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) Logged in 'host' LoginContext

      2013-08-09 15:14:21,298 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) Result - false

      2013-08-09 15:14:21,299 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) super.loginOk false

      2013-08-09 15:14:21,299 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) abort

      2013-08-09 15:14:21,299 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) initialize

      2013-08-09 15:14:21,299 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) Security domain: SPNEGO

      2013-08-09 15:14:21,299 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) abort

      2013-08-09 15:14:21,299 TRACE [org.jboss.security.negotiation.common.MessageTrace.Response.Base64] (http-serverIP-8080-3) oRQwEqADCgEBoQsGCSqGSIb3EgECAg==

      2013-08-09 15:14:21,299 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-serverIP-8080-3) clear 925390004

      2013-08-09 15:14:21,328 DEBUG [org.jboss.messaging.core.impl.OrderingGroupMonitor] (Thread-31) message doesn't have group prop, fine by me

      2013-08-09 15:14:21,333 TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-3) Authenticating user

      2013-08-09 15:14:21,333 DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-serverIP-8080-3) Header - Negotiate oYIXejCCF3agAwoBAaKCF20EghdpYIIXZQYJKoZIhvcSAQICAQBughdUMIIXUKADAgEFoQMCAQ6iBwMFACAAAACjghXaYYIV1jCCFdKgAwIBBaEMGwpJTlNQT0wuQklaoiYwJKADAgECoR0wGxsESFRUUBsTc3RwbHUzODAuaW5zcG9sLmJpeqOCFZMwghWPoAMCARehAwIBBaKCFYEEghV9kyUMnqxum90u0eHYKW7PlmDR7y+UDX1MFJArTMaxCZ5VBERulOsP/P62qr3J+zR/fBG+SNiBjsc9BWJ+pxlDVENQC2LYNggMGFBBmXogi9wULw1cTbLTNWzJbuEiV66lJiACVtky9t1IG7ZEbWl0+pEdNy4tgE2iD4fblzXWBWVEDUfElATIJs6PZF5POk9li77c8Q+sSwSj7I/mYDIBOQ0fza1291yGtCH49yGr8jXVAzZmvAj8bzFkhdffwh8o0rzwOTQ6S6wcbJ5URk3Q7kzq9YV+DrvsY/Q4TD/KeS+IhnDVbOKcEwOtshPnfB2YkvZ32TECeEW3SNRUAICunb5sXNP8W+khCZH5ij8wRPpwZuxyyv06L5v1ULfr/V7DTBbweh6YVgry5fGwOku6+lk06AX0541W19aqdXvAB13aXaE4JbmbJujrAgzpOs4vgn1bFOm0xtqxCDEnuQMXmtqpbqJktXXOKmrKoIivuheqaB88AOr5IeGREF4LTnfP4e9X/VMm54SmvfKcXN5LV69W+hNoIn4gCLLV36Hb+dOyjMqTP/rQl8s6Sj+QCOFO9IxQqTwNfyYtxvediM1Ajhj8c0IRCHMbg7VvxpofOoAHoMeSTlBXJRkPZnncf8QWmV1Y2SsUWT0ADVIAcGkaSKU6/Kagju9y2kIB+7Xzz1U3qy0GWuUVD00JSf8tr8DfbZmqpUfBUxIXVwAjhwNsAPFdmb5oWivH3NEbE8snLwFgWjWa8Nwk8mk6n0/cTuoomgCHXGqVLU0zvQ6yT+s3RQN/R/SSQVHquY6f4eeCRfo2h3vSlKPqn9yeuLNMeauN5LYigikDn6dunV/onfhMhxouDKZ1Ga4ggGYQD2CNWvHiI6eHNXpA0kv2Vq0XeKGxAafkpTO92TnZRpCrygAydIJbJn7uwLiB+mRPnFGwntEEjP/6BtIqGm+b49lHSj5ILoOtXi0tWSU4drd8Kh6AMTCwYivtksyiIBe7xqMaVgxYWlUEX68yhf5GUsUFZ859GnoV7rBvOA/7zwykgorBMfEvpG7Nrn4fTzlbEKROh/58wyOtGc7RRPMkXCSz2rrir1/mWqgfLMOV6EX3dUwNRQaTbMBBHOsXuzcoCBJP4kDLrJtMGiBBtevRIaZeqo2/kgRKfWhp+yHLHWRWkLWjXngTYv91ThyP/d6xRSD4n7P8PMX50XX3uHvB1dh/nigK2m01pBtuBcKr4S4dYQagDzQmbVAR67rN69IbktjhgIJq1Y9Tjv52EeoMGmAykeGjR8Y4wxg34TkG3XOiG7yQ9yBWsXR4JAy6EMz31bitZzimrELtmcwEI70BanvUNQNl1eSeVyxM++t11bGU5eKDbjXGbG1P82rGcKTH2bUULzLJN4Kfxm4wddKXfUDU7/K/B4tR8cobzwafXon7OrFjq5XbtKtU3KtT/lGoeA3upnzY5enXprFtRLKbXMjilImltqXDxrc4sVnp0Gox3dJAKUXF0Vl31c4LuHYFe1mpkpQGp8qsVEZsz37J4VAmRGdV/nVSIiZ9SM76obZgWtz9PMKoSKsKwUGOV7iHZ3ajFiQ7YRSv2lufSxwoLY1Q0NOBv8tgf4ifswEKBkm9qDmOBgmV7FkG3XUY1PMG9Qy/KosP/8pOxEUCe27NZoKppH+WnASLfFo7OXzfnczc8RkrY+apoRSDdQcs+D87X11D3Ew2xIl8LcT/5lqokfEu6MQX51+fKIynT6c52F94uEHzNWNJ7YvLazW7vKtyXh5YXvwNJr/plP4cgUx0JtjFzwCAj9eHpCXqnwXRaN9Y3zdpGSdtCi8y0AI7yNKU4XkNFxsFHbvI7AQokJTi4T7d8v8oqJ6GFxZPwkmfEc7veVk6InvXo9W/uGnoBvkv/2Et5FJCeHiab29r47Gd8OBZSXSdHyKa5kDUA02SSbJjECBu9ITurxKo6mGUrjb9JMuYKiOm5tB8Dke0NzTVYWGcHNv/+J/Yn5WsVZVQWWgVQqWGtFxEIPEhbn3e6DJJPTBmANh3k5svMWQZIvgMk02ntY59xZGV96FXim0HhZeJ6pBnHaCSOYe2HEL/xqHk6rC30jAgqNNS4pS1lnmjhWm+ZnVBU61Bwm1avUbNHkSp7NPnCaMI5cXXJsm03S5YajqwWthSkNKr7c+JQtP45JV0UCgZbma6iGwEdRAsQaKEfRo1Zo9l6CvAuipNvwpi9ZsK1bjSTFwixtKMTebm9GDTMBWUOwerpdsjPzOxYn810dYqaGj1HF+I1aNpdhIMXpaXYnmJD2Qyi9KzMUdkOPxRNb82keN+vDW28I2RwckJHl/WtAUi82MrcyMfS3Q/HRX0f3pzJ7mVDWwKaZPhRwwXjAEE+VCixfhQl3j7lBbVta7zUOZv6FhdPfkufLJAVeMgkpUidCyQwpZRVxjetRpofAoj2vcbHyRqse2iWRLBD5SlbqPnb7wJ8dLm+mhgMmJgQt9W5Vzq0kIbQJXyeY6te9RapvniP7AQklpKQmQq9oGvRXdXBJi0ibyMLmSQW4vKwRgpzm18qmIBwVyjJbqKJQ4d1i6Z+tV8HT4R629dhkD4jmFsI38rgOxC8SoZGVJnWjQHVa7IOUofwRO880fHgJ1php8DQJGXo3CATcA4J06qoKHRS+WXGkDH1vkNz1yKQ0iaXRgV4d6rTnKIN3dj20Or2QPpOmQy1iUu4nkmm511/7wfr8/K73csla7EpI5w3+BUJZ8Lnom+qX2lhosw89DneU1qf3xoEtUbK1oZikTQlstkltLxNyKXtLtb2us9SJdYkjKY8xJfqdEHL/oi77uL0+AVxi2SzfNCeHMvuti2fJGt0E+BkbAjvZFreXQSWIk5sCeERkkUrWAYApDFwEgoaCEqZMtrCGI0k7vf8nJvuPVG8id6JzyRkytyL1DvYSlFZiX+N8MLntRwf50Z/LsOKaBYHGDPAM6Vymu5v/AoMh8LPs6vHXxSSo9L6A0ees24icND+jjDRQ+cJ4zisKKZ1zpXBVanpN5eXdDtdRhXnVu93SYgUtT03TGp7gtrJC1zFcJriTSpTfwaElIXaeNR+SwO2drgbYmgkrA0AXGmAEkrP7cZ/2pQMwj/orAIWdKYxayn0d2ysKarufkV+tpZ79MI2l866GCgQXYIkseV68XitrdksefU84K9NXHI/t+6C77kPT+Y0GtQM6X1z87kiLd4+cK3hIiy1hXCQ3uTVW7LIDw04xNS7xZyGCnozdEoMDqC2yBvfg8aQobLvjW+RFpOwFc81x26H58fmulT464IyO2MHyfUoobn23SJSW+D14QtUg9Rw5sG0naGiH+CXzs9ZEy5QgVxmIWstuiIftwbfO1gxlhMrFhCHQyNMzjrK0y1Fty3x92jRNTp6X3XjGiH44+Vl/NTm0487FhzS7NFE58InBCicBBQywg3tW6vK/RDP8eMtqakW2OTGEvhiZLsvM8b2YsPCLK6oS2KibuWCSrLh6F3sN20F91r5UW580stvDuSihNrZkLXhFNfiN3m4GUfEMtIw+rYwwbKR3wt9wmUjlHJjXdva7dattBOi5dTwG3jnmgTnyE/MF9Y5NCu8XU6MD8tNXsdV/CZTOOD88BCbeDGORX5t+NsmD7gYcik7Tcua9QEugEYDRfgYAGcQKJCWyb2rjsFny3x4gzjE2eSPw9HRlDVVDFWVekRIgbZbE4IBzEDAdyh7rXIhYQSNROizTZsBTGOSghDi568wsKVS+c+tFtuYyayQjTf5ojyukO8JIsj8f9ltx1YM4kER2Y+wglGOlRUXfDW45X+Sm9HnmmgqHO2DYdRTiiUm63u9x6cOK9tvZ58lKJfUN4WW1c+vv1VnujHVDsWRCDD20Zs4OhYXEDWaEXwtC1u+tG8uv0rp9IgST88lUoLOlE8DpQcmF05kD3rBI4fNFFdG3rrTzcdbyNymEu5x2Fj/BR2cl2E3t9AaHmadaEU4e/KHt08YkDUNpqc6ctikO6MCeKiPeQavH5Ur1SetU7ddQFxvpN5P70W5u+ayQ0OGxl6JUTDBnNLUKAh3aOjcJptPIZg2pb52y0/GhMC0P3dnbA+zFqJGHngBGLFPO8OBtCQDztVXyAa81qaRoaYV9DH5U+RyORoNWdSrw7AiB0Hj4q/Too5teFi7Q+NzA4Jf5bj5s0uXkYeEqgMJHkmtEZwKAzDp87DVtPXDiutwSWDIHJS2+WZjmbFfrv0eCpz2SFwPGyBFItEv9f38zfsmGqjmPiELizrkzn/2Xr5CqfDJ9paAWmhWLF4ggQ8YJrjU1//BJO2pOyFzZBdT03H49X4Q70lbGIK7IVgQX+S46LKrUg47ANBGtmM9SOGX+Pxxq6dErk3CuVo24xTt1UWHMGT0kIb3cCJAPiMX4oQe3QXAouNrp2f0hV801UeYsbwBW7ITKySc3XCzmcHQUjX7AISPNE5Os92IvICzcMdJB5iOmLWfBJDb7gvWwK8vYtV0iSOaAhXqBTdXdfsw68eRt2QIobSKMy2sY1PTi2J96sj5oBX+TkqYwB9jowvrJ891fvGGEqHyBKNaLbNl0F9p2no2yVFaJfFDHnJqj0xHfQKNg01Ns7nzEsBhh51+NUa0xQpjYDNvvHgV1yLW4W4iOG905TO/KU9GQizbHjEAXpedOd41TTnt8wqBer6JxP1gvV2JOBY+q13J+WU9W+YrjzP0aP74ceJBiMWmhWJWtEUQl0I0HR0/grparIfm+cjV5uo+9iK/F0roNdTwxdoKshkJFn+FBgMAhDXxSTCshW3K7KyvDdMVy8NeRw0xzavogHVDpQbS/RWJvqMQKSEKQLa4Iz+Z7yEcP8wOxKdVbxa8TFRRgZQmclLEujOhUUeFy+18ttVY4hpqLg4PGroLzB3r+cqwbPbMTB5m21XK5VgxNPcvM18i1P9JplJixpLnb+qowRPYEX9bPI3dhz72X3HzYgjEKK7+uCNpirBR2HtvWVma83bm1pvesXVm9MC8Ztk5uxjRFU8CdF0CPOGRJks5eME16PtZS/uEG54nN8sEP6Mjbg6mRKlU+aXlUTX9M1tqmCKcSzUbSqKVtXl/gqHkHSPMlW+Qu00NRKLeu/mE1jTHJUPCVx7GfEFB9Rrvx6tf5xugJ2pMWP4WzlrHQtYp2LrAw+dGImbHZKosVXIORFXQ4Zfcdz8hpEIyzLL1ju+WFhiXWB4LAPg8JH5gT0bBoFQPdgGwp4zbEkWlbXk/soJU3oReDclc31OCZYq4hO3pbolyLH1pUFLzMQZ0PLnZ+lM0/TShILdvbqvPraTumkB9v/yOz1abQ6XwJjb6aypVDC5I1jEPM3H1ktf2AGQd7Tp71sy6hPg2j2cxmG25sBPlEjzA01qjRQ1rM8nr29p3LMTd6FZO5nIlgrQKiz6acAuXofcNzB5+2blc0dn2e7TaS4I9x0A10fnK9rVqAwjOVtvOPoi+ib8deCsAi3LB7j5bw3EVW+uhP2IHuRHaDLYYElgR8mPUFyd6xLVVWXv6m+A3m71o3Kfxb7wpjBWjOf2Ux6oIg+IF0XSdRgByi16tE+x8ToVboMkMmDmmZoMIHNU5oMFyZvP633l6GTPPI+ET31DwBzNWPYkbwysBPI78jER7LkCRK2gl0CDpRenVHrytOLVugwlFO44XPlF+TxNitbTjCEmOgtmwxo9jCh9MYAT973LmsVmepGLjqnGWNX20ZHFJPQsMbRrSQZRtO59a6F3tdM6BSA6x8tEMrEOGsv/GQjE3IOW+6CKf7rADnDz04IgV6R4Z4ppq/jolb++dBffcxWc8uihiFWrIndLZ0SPVcnBErtcfHH06T87FgtB3gWXtkRwBkBPH0mmXwtGmsJqcMgVu3zQf0K/3KYAUp4t2/F28O6Zpjo6jmHKSfQVR09vumICEX0hULZs5s6kqRLu+qElUqP0xJiqt6pg9vsQXpyMXDVCQA2yYNMR+8SYme/zVoaIqqZIxrNjxlgpo0bHEwZdYX/ED3Qo2fNM8iqaNZKpya07MRg87JucQ0qG8emgDypRAVrFxBrkzsmtw4GAV0/zmOmFEA3ozWoLlxJYob9KFABZuOZ/CpV6k5ajI0QuufpkS5PQpCn7BVgswSl2ILxIXu+i0mWEPnQOEa1KEyYqq8db/w+9RY7OeI2gUd8qGaZPJnf5pk6hddHYJUCMDqTMdEkmTAcxdO66WoK/vyGy2p91FQrF6xXp9vMQNK8UfcevmT3z1djOC+Ckq42DHP1Tk9jodtVtiDgYOnS+H+VRh1Vbg/U64ej50AIUEqlWAD3AuuhZTDDTNeWm8NR8LIHX6rqST+axQgGX4cTcJbuwTOZpxAoBAhIolaA7IB/iO7VhcB6r7CyQxAa+noU57Vmv6DjCT2qAtrtWstLQy2m9bg8pkayu7t6oy7LetjnjuuTKVZHz/cR1rp1DKZv39QXu1rrVw1Hk+pl5DSYBiN1mSRaSjaForX8cCjVzkDmOdxYiwe/JG+hPvS9VhYDZLXckxyj3QimvjD88QzWkg4RN61UcRgnmBhdfzfMcR+kw59xWQyZjCGwo5pTICSK+2v492bLtlxFeEmsi9XgZEmNMkWaDdbbNxjX96K8s9ex2hg50OuMUTX+BZVhSXvh4Y76z+4aJW4hWqPTV9856WAgHoubb7Tv4nTqXKDRGmkpF/zIpOfvq36HJi8eyF0FsqC93GpNb71Vf8Z0H3Xoha8OJsy0i74nYSk5XFLUzlJEA+4eLRgZMsJvqo/7FaH9nHSBLKVCOO5WRMLknehwLV+EvxLRwyCmaRW+dd3Ugf1ZmtgTSMWS+uL8AlTassBeNa46eSPtIRcCCQkhBiZkp730DvRyRvmMtIxnJbIjN24/sTSg7FmRVl2WKHqpVEywPugLTlR1489GKRDNvkKhs8JWEc9jeqCVkRtGr8vrR0kjs/MZ6a8K03SSLwyfYCgH2QgnSQlM4gxjRFBz4+u2FOl7+PpqioV6JyMMT4imqdM9iPIMCpTEKG0jQs9v7vV6kxr0nDVbMNG2uhwTDRCmVqw6DGggMc0dw1EXcpQJFiaYTiuIwkMVI0u84sLZbqoc78j6X32hb2ozc28FRioJD5BY/xYVCyE0hvddEjkeOi8IUr5Wt79aFR5o4yQgZgjABmCNYKznfADUo/mFsTXIh4bLyh8jSA906VfuOjcBZ5xlmY/lLqJ4g/d1oVY+/sEYDKyPhAtoJuj4ZTe0TPKTh0luZz17/bnNcO7wKQRDdrtO868q62uT5vhwE4hrupPtUxWfyjyTAsHct7FwerEAcdcd3wvlMUdFBlbe4ecueB/16AJp28tIXNVNzLycnOp9jTg3/Q0WkggFbMIIBV6ADAgEXooIBTgSCAUqX+emxORwztTJ+1qDERMFSvO0ODMHXvafC94PT8WIn185vx8cNqDjmK4vQBcN9J4xqpkSBBD6TvUG2A1o2ZGkRdlxmXmTuzqbMmGPgZxcgPvKMnrfz/umI/ywQl3gBayg7t2fRQZL+ATRAmE3YWSiLxmJcQY6CzS6lRTQJCYz/DnT4W69dUsEMzwB84ryty52VUcQo+pRJFTO4Abgc+r0dSc9+5J65UhrMoJ7Snio1yQdpTK4QZtjZERL0PbDOk077eaRW2SVCNgKjSFaMPlJYoEQHSFM+CClbInXdvSpYiBF8TM8YTg/mjecwIyAVcXGncOKoMrS96fn386sErxoSFNHcTMfpNEm6Fh2BGKacXdtd/yZWYmLjlE/xR2/yjOXZaWjaQ5AecHmmNrwKv+bcQl+9yFg5d7KggKOv3A6S2ZiIq6nHn7QHh4I=

      2013-08-09 15:14:21,335 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-serverIP-8080-3) associate 925390004

      2013-08-09 15:14:21,337 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) initialize

      2013-08-09 15:14:21,338 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) Security domain: SPNEGO

      2013-08-09 15:14:21,338 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) serverSecurityDomain=host

      2013-08-09 15:14:21,338 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) login

      2013-08-09 15:14:21,348 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) Subject = Subject:

          Principal: principal@DOMAIN.COM

          Private Credential: Ticket (hex) =

      0000: 61 82 01 0E 30 82 01 0A   A0 03 02 01 05 A1 0C 1B  a...0...........

      0010: 0A 49 4E 53 50 4F 4C 2E   42 49 5A A2 1F 30 1D A0  .DOMAIN.COM..0..

      0020: 03 02 01 02 A1 16 30 14   1B 06 6B 72 62 74 67 74  ......0...krbtgt

      0030: 1B 0A 49 4E 53 50 4F 4C   2E 42 49 5A A3 81 D3 30  ..DOMAIN.COM...0

      0040: 81 D0 A0 03 02 01 17 A1   03 02 01 02 A2 81 C3 04  ................

      0050: 81 C0 DA 92 C7 3F 92 5D   BA D2 89 1C 57 33 56 7B  .....?.]....W3V.

      0060: 88 57 E9 45 07 C8 CB 01   2C 67 5F 72 54 8A FB 34  .W.E....,g_rT..4

      0070: 4F B2 4E BD 83 D8 B9 79   DB E2 D7 4C 85 60 05 64  O.N....y...L.`.d

      0080: 17 33 12 0C B6 65 62 E8   B3 DE FE D2 9E 7A D1 92  .3...eb......z..

      0090: 02 D8 35 34 8B A7 AC F7   AE D9 61 DA A8 EA 17 F2  ..54......a.....

      00A0: 29 AA 71 72 B4 17 83 77   DA 17 21 F1 B3 3B 68 17  ).qr...w..!..;h.

      00B0: 90 C4 AB C9 9C 86 9B C3   1E AB 8F B1 C9 F8 0A 38  ...............8

      00C0: A3 B7 C6 EB 34 87 4A 7F   7C 02 AB D1 1D 1D B0 F9  ....4.J.........

      00D0: D8 ED B0 81 8E 44 5F 95   C4 B8 FD 78 DF BB 03 B1  .....D_....x....

      00E0: 08 27 82 79 75 67 EE EE   04 EE 5E 5C 8F 2D 03 56  .'.yug....^\.-.V

      00F0: 7A 34 BB A0 C3 98 4D E5   B2 BF CD 38 DA BB 8C 2A  z4....M....8...*

      0100: 47 7A 66 FC A8 60 3C 42   C2 C3 BA AD D6 52 D2 17  Gzf..`<B.....R..

      0110: 28 F1                                              (.

       

      Client Principal = principal@DOMAIN.COM

      Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM

      Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=

      0000: 36 B4 9C 9A 3C D7 F8 59   F9 F8 C9 87 F5 E3 1D D5  6...<..Y........

       

       

      Forwardable Ticket false

      Forwarded Ticket false

      Proxiable Ticket false

      Proxy Ticket false

      Postdated Ticket false

      Renewable Ticket false

      Initial Ticket false

      Auth Time = Fri Aug 09 15:14:25 CEST 2013

      Start Time = Fri Aug 09 15:14:25 CEST 2013

      End Time = Sat Aug 10 01:14:25 CEST 2013

      Renew Till = null

      Client Addresses  Null

          Private Credential: Kerberos Principal principal@DOMAIN.COMKey Version 5key EncryptionKey: keyType=23 keyBytes (hex dump)=

      0000: 62 9E AB ED 98 3C 20 2D   D6 F4 8B 0F 0E 5A A6 78  b....< -.....Z.x

       

       

       

      2013-08-09 15:14:21,348 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) Logged in 'host' LoginContext

      2013-08-09 15:14:21,348 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) Creating new GSSContext.

      2013-08-09 15:14:21,353 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) context.getCredDelegState() = false

      2013-08-09 15:14:21,353 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) context.getMutualAuthState() = true

      2013-08-09 15:14:21,353 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) context.getSrcName() = n0100106@DOMAIN.COM

      2013-08-09 15:14:21,353 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) Result - true

      2013-08-09 15:14:21,353 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) Storing username 'n0100106@DOMAIN.COM' and empty password

      2013-08-09 15:14:21,353 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) super.loginOk true

      2013-08-09 15:14:21,353 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) initialize

      2013-08-09 15:14:21,353 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) Security domain: SPNEGO

      2013-08-09 15:14:21,353 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) Using GSSAPI to connect to LDAP

      2013-08-09 15:14:21,364 DEBUG [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) Subject = Subject:

          Principal: principal@DOMAIN.COM

          Private Credential: Ticket (hex) =

      0000: 61 82 01 0E 30 82 01 0A   A0 03 02 01 05 A1 0C 1B  a...0...........

      0010: 0A 49 4E 53 50 4F 4C 2E   42 49 5A A2 1F 30 1D A0  .DOMAIN.COM..0..

      0020: 03 02 01 02 A1 16 30 14   1B 06 6B 72 62 74 67 74  ......0...krbtgt

      0030: 1B 0A 49 4E 53 50 4F 4C   2E 42 49 5A A3 81 D3 30  ..DOMAIN.COM...0

      0040: 81 D0 A0 03 02 01 17 A1   03 02 01 02 A2 81 C3 04  ................

      0050: 81 C0 CE 96 81 7B 8C 78   6D 83 8C 50 23 D5 55 4C  .......xm..P#.UL

      0060: F2 8F D7 92 4B A3 4C E7   99 25 A6 A8 BE FE 87 F8  ....K.L..%......

      0070: 82 05 4C BF DC 1F 1F 3C   1F AD D4 6F DC 0A 52 AE  ..L....<...o..R.

      0080: 01 7B B3 CA 0D 5F 48 9C   81 56 6E E0 25 8F F1 FF  ....._H..Vn.%...

      0090: C6 09 7E B9 CA 2F 84 FD   23 F3 AC 7A 5C 12 29 AE  ...../..#..z\.).

      00A0: B3 18 9D 72 54 E2 48 FD   D1 BD 81 B2 B0 31 2C 66  ...rT.H......1,f

      00B0: 65 4D 39 30 E6 66 FF E2   67 E1 02 D6 7F 24 B4 D6  eM90.f..g....$..

      00C0: DB F0 7A 62 98 A8 63 7E   F4 46 BA AE B7 CF C3 C2  ..zb..c..F......

      00D0: 4F AE A5 70 C8 E2 D5 54   97 CE 46 FF F6 34 B6 79  O..p...T..F..4.y

      00E0: 4B 2A 75 B6 F6 D1 E6 FD   8C 2C 5E 00 6C DB E0 45  K*u......,^.l..E

      00F0: F1 1C 52 AE 58 14 D8 48   BD CA BE ED 73 79 A2 1B  ..R.X..H....sy..

      0100: D6 53 7B B4 FB 03 15 4A   2C 57 24 B1 EA 4D EA 96  .S.....J,W$..M..

      0110: 96 83                                              ..

       

      Client Principal = principal@DOMAIN.COM

      Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM

      Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=

      0000: EA 04 83 68 10 C6 21 AB   0C 07 84 AA 01 02 09 5D  ...h..!........]

       

       

      Forwardable Ticket false

      Forwarded Ticket false

      Proxiable Ticket false

      Proxy Ticket false

      Postdated Ticket false

      Renewable Ticket false

      Initial Ticket false

      Auth Time = Fri Aug 09 15:14:25 CEST 2013

      Start Time = Fri Aug 09 15:14:25 CEST 2013

      End Time = Sat Aug 10 01:14:25 CEST 2013

      Renew Till = null

      Client Addresses  Null

          Private Credential: Kerberos Principal principal@DOMAIN.COMKey Version 5key EncryptionKey: keyType=23 keyBytes (hex dump)=

      0000: 62 9E AB ED 98 3C 20 2D   D6 F4 8B 0F 0E 5A A6 78  b....< -.....Z.x

       

       

       

      2013-08-09 15:14:21,364 DEBUG [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) Logged in 'javax.security.auth.login.LoginContext@38eaf4b2' LoginContext

      2013-08-09 15:14:21,364 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) login

      2013-08-09 15:14:21,364 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) Identity - UserName@DOMAIN.COM

      2013-08-09 15:14:21,364 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleNameAttributeID=cn, searchScope=OBJECT_SCOPE, password-stacking=useFirstPass, baseCtxDN=OU=PL,OU=Users,DC=domain,DC=com, roleAttributeID=memberOf, baseFilter=(sAMAccountName={0}), jboss.security.security_domain=SPNEGO, bindAuthentication=GSSAPI, java.naming.provider.url=ldap://ldapserver:389, stripDomainName=true, roleAttributeIsDN=true, jaasSecurityDomain=host, java.naming.security.authentication=GSSAPI, recurseRoles=true}

      2013-08-09 15:14:21,402 DEBUG [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) Obtained LdapContext

      2013-08-09 15:14:21,430 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) abort

      2013-08-09 15:14:21,430 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) abort

      2013-08-09 15:14:21,430 TRACE [org.jboss.security.negotiation.common.MessageTrace.Response.Base64] (http-serverIP-8080-3) oW0wa6JpBGdgZQYJKoZIhvcSAQICAgBvVjBUoAMCAQWhAwIBD6JIMEagAwIBF6I/BD0Iht0C9r36

      dmNo0X0LfRpr4/nK7ZD/m7pNkh35jcTAjy4dKwJMqy6qOymNTPRF13FwUErrG41EtMDrk60g

      2013-08-09 15:14:21,430 TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-serverIP-8080-3) clear 925390004

      Regards

        • 1. Re: Problem with SPNEGO/Kerberos
          apph_ apph_ Newbie

          I suspect it might have something with user retieval from LDAP. The log is:

           

          Identity - UserName@DOMAIN.COM

          2013-08-09 15:14:21,364 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleNameAttributeID=cn, searchScope=OBJECT_SCOPE, password-stacking=useFirstPass, baseCtxDN=OU=PL,OU=Users,DC=domain,DC=com, roleAttributeID=memberOf, baseFilter=(sAMAccountName={0}), jboss.security.security_domain=SPNEGO, bindAuthentication=GSSAPI, java.naming.provider.url=ldap://ldapserver:389, stripDomainName=true, roleAttributeIsDN=true, jaasSecurityDomain=host, java.naming.security.authentication=GSSAPI, recurseRoles=true}

          2013-08-09 15:14:21,402 DEBUG [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) Obtained LdapContext

          2013-08-09 15:14:21,430 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-serverIP-8080-3) abort

          2013-08-09 15:14:21,430 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-serverIP-8080-3) abort

           

           

           

           

          So the LDAP context was created which is kind of wired. But then 'abort' is logged. It's a method from AbstractServerLoginModule. I think it is called because LoginException was thrown in findUserDN in AdvancedLdapLoginModule class, as there is this little line at the end of this method:

           

          this.log.trace("findUserDN - " + userDN);

           

          and it's not in my log file. The stripDomainName=true parameter is no longer there in EAP 5.1.2. So i have switched to baseFilter=(userPrincipalName={0}), but still no luck.

          • 2. Re: Problem with SPNEGO/Kerberos
            apph_ apph_ Newbie

            Ok, so all in all solution was quite simple. It turns out that it was necessary to turn off 'Do not require Kerberos preauthentication'. It was not that easy to find because JBoss 'swallowed' original exception and there was no exception in log files. It was in:

             

            results = ctx.search(this.baseCtxDN, this.baseFilter, filterArgs, this.userSearchControls);

             

            in org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN().

             

            2013-08-13 16:51:38,552 DEBUG [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-10.81.129.177-8080-1) Obtained LdapContext

            2013-08-13 16:51:38,557 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-10.81.129.177-8080-1)

            javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, veceun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)

                at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)

                at org.jboss.security.negotiation.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:391)

                at org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:236)

                at org.jboss.security.negotiation.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:629)

                at java.security.AccessController.doPrivileged(Native Method)

                at javax.security.auth.Subject.doAs(Subject.java:337)

                at org.jboss.security.negotiation.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:175)

                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

                at java.lang.reflect.Method.invoke(Method.java:597)

                at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)

                at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)

                at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)

                at java.security.AccessController.doPrivileged(Native Method)

                at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

                at javax.security.auth.login.LoginContext.login(LoginContext.java:579)

                at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:553)

                at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:487)

                at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)

                at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)

                at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:399)

                at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)

                at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)

                at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)

                at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)

                at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)

                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)

                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

                at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)

                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

                at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.internalProcess(ActiveRequestResponseCacheValve.java:74)

                at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:47)

                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)

                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)

                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)

                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)

                at java.lang.Thread.run(Thread.java:662)

            2013-08-13 16:51:38,560 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] (http-10.81.129.177-8080-1) abort

            2013-08-13 16:51:38,560 TRACE [org.jboss.security.negotiation.AdvancedLdapLoginModule] (http-10.81.129.177-8080-1) abort