31 Replies Latest reply on Dec 10, 2013 9:38 AM by Andy Yip

    Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service

    Andy Yip Newbie

      Hello

       

      I'm trying to get Kerberos authentication to work with my development environment. Looking at the example in the Security document, the default Kerberos module is expecting a KeyTab file. However, since I'm running JBoss EAP as a Windows service with its own service account, that account should have a krbtgt session ticket already.

       

      I tested the connection to the SQL server by using a simple Java program. In my connection string I've specified authenticationScheme=JavaKerberos to ensure it is not using the sqljdbc_auth.dll module. Everything worked fine. I was able to authenticate using Kerberos.


      I've applied my settings to the Teiid configuration as much as possible but I am still getting "Integrated authentication failed. Client ConnectionID ...".

       

      I've tried using the Kerberos module and com.sun.security.auth.module.Krb5LoginModule but both are not connecting.

       

      What is the difference between the Kerberos Login Module in Teiid/JBoss vs. com.sun.security.auth.module.Krb5LoginModule?

        • 1. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
          Ramesh Reddy Master

          Andy,

           

          JBoss Kerberos AFAIK uses the com.sun.security.auth.module.Krb5LoginModule, and Teiid just uses the JBoss JAAS for Kerberos. So it uses the same one; there is no difference, they are one and the same.

           

          Your issue could be configuration based; if you post your configuration maybe we can help.

           

          Ramesh..

          • 2. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
            Andy Yip Newbie

            Hello Ramesh

             

            Thanks for the response. I did a bit of research and yes, you are correct about the JBoss Kerberos being the com.sun.security.auth.module.Krb5LoginModule. I'm sure it will be a simple/stupid configuration item I've overlooked.

             

            My configuration: standalone-teiid.xml (I've re-typed my configuration, as my testing has been on an offline domain so it's hard for me to post the configuration file)

             

            <?xml version='1.0' encoding='UTF-8'?>

             

            <server xmlns="urn:jboss:domain:1.4">

             

                <extensions>

                    <extension module="org.jboss.as.clustering.infinispan"/>

                    <extension module="org.jboss.as.connector"/>

                    <extension module="org.jboss.as.deployment-scanner"/>

                    <extension module="org.jboss.as.ee"/>

                    <extension module="org.jboss.as.ejb3"/>

                    <extension module="org.jboss.as.jaxrs"/>

                    <extension module="org.jboss.as.jdr"/>

                    <extension module="org.jboss.as.jmx"/>

                    <extension module="org.jboss.as.jpa"/>

                    <extension module="org.jboss.as.jsf"/>

                    <extension module="org.jboss.as.logging"/>

                    <extension module="org.jboss.as.mail"/>

                    <extension module="org.jboss.as.naming"/>

                    <extension module="org.jboss.as.pojo"/>

                    <extension module="org.jboss.as.remoting"/>

                    <extension module="org.jboss.as.sar"/>

                    <extension module="org.jboss.as.security"/>

                    <extension module="org.jboss.teiid"/>

                    <extension module="org.jboss.as.threads"/>

                    <extension module="org.jboss.as.transactions"/>

                    <extension module="org.jboss.as.web"/>

                    <extension module="org.jboss.as.webservices"/>

                    <extension module="org.jboss.as.weld"/>

                </extensions>

             

             

                <management>

                    <security-realms>

                        <security-realm name="ManagementRealm">

                            <authentication>

                                <local default-user="$local"/>

                                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>

                            </authentication>

                        </security-realm>

                        <security-realm name="ApplicationRealm">

                            <authentication>

                                <local default-user="$local" allowed-users="*"/>

                                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>

                            </authentication>

                            <authorization>

                                <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>

                            </authorization>

                        </security-realm>

                    </security-realms>

                    <management-interfaces>

                        <native-interface security-realm="ManagementRealm">

                            <socket-binding native="management-native"/>

                        </native-interface>

                        <http-interface security-realm="ManagementRealm">

                            <socket-binding http="management-http"/>

                        </http-interface>

                    </management-interfaces>

                </management>

             

                <profile>

                    <subsystem xmlns="urn:jboss:domain:logging:1.2">

                        <console-handler name="CONSOLE">

                            <level name="INFO"/>

                            <formatter>

                                <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %X{teiid-session} %s%E%n"/>

                            </formatter>

                        </console-handler>

                        <periodic-rotating-file-handler name="FILE" autoflush="true">

                            <formatter>

                                <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %X{teiid-session} %s%E%n"/>

                            </formatter>

                            <file relative-to="jboss.server.log.dir" path="server.log"/>

                            <suffix value=".yyyy-MM-dd"/>

                            <append value="true"/>

                        </periodic-rotating-file-handler>

                        <logger category="com.arjuna">

                            <level name="WARN"/>

                        </logger>

                        <logger category="org.apache.tomcat.util.modeler">

                            <level name="WARN"/>

                        </logger>

                        <logger category="org.jboss.as.config">

                            <level name="DEBUG"/>

                        </logger>

                        <logger category="sun.rmi">

                            <level name="WARN"/>

                        </logger>

                        <logger category="jacorb">

                            <level name="WARN"/>

                        </logger>

                        <logger category="jacorb.config">

                            <level name="ERROR"/>

                        </logger>

                        <root-logger>

                            <level name="INFO"/>

                            <handlers>

                                <handler name="CONSOLE"/>

                                <handler name="FILE"/>

                            </handlers>

                        </root-logger>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:datasources:1.1">

                        <datasources>

                            <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS" enabled="true" use-java-context="true">

                                <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>

                                <driver>h2</driver>

                                <security>

                                    <user-name>sa</user-name>

                                    <password>sa</password>

                                </security>

                            </datasource>

                            <datasource jndi-name="java:/sqlserverDS" pool-name="sqlserverDS" enabled="true">

                                <connection-url>jdbc:sqlserver://app1.corp.contoso.com:1433;integratedSecurity=true;authenticationScheme=JavaKerberos</connection-url>

                                <driver>sqlserver</driver>

                                <pool>

                                    <prefill>false</prefill>

                                    <use-strict-min>false</use-strict-min>

                                    <flush-strategy>FailingConnectionOnly</flush-strategy>

                                </pool>

                            </datasource>

                            <drivers>

                                <driver name="h2" module="com.h2database.h2">

                                    <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>

                                </driver>

                                <driver name="teiid-local" module="org.jboss.teiid">

                                    <driver-class>org.teiid.jdbc.TeiidDriver</driver-class>

                                    <xa-datasource-class>org.teiid.jdbc.TeiidDataSource</xa-datasource-class>

                                </driver>

                                <driver name="teiid" module="org.jboss.teiid.client">

                                    <driver-class>org.teiid.jdbc.TeiidDriver</driver-class>

                                    <xa-datasource-class>org.teiid.jdbc.TeiidDataSource</xa-datasource-class>

                                </driver>

                                <driver name="sqlserver" module="com.microsoft.sqlserver">

                                    <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>

                                </driver>

                            </drivers>

                        </datasources>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">

                        <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000"/>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:ee:1.1">

                        <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>

                        <jboss-descriptor-property-replacement>true</jboss-descriptor-property-replacement>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:ejb3:1.4">

                        <session-bean>

                            <stateless>

                                <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>

                            </stateless>

                            <stateful default-access-timeout="5000" cache-ref="simple"/>

                            <singleton default-access-timeout="5000"/>

                        </session-bean>

                        <pools>

                            <bean-instance-pools>

                                <strict-max-pool name="slsb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>

                                <strict-max-pool name="mdb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>

                            </bean-instance-pools>

                        </pools>

                        <caches>

                            <cache name="simple" aliases="NoPassivationCache"/>

                            <cache name="passivating" passivation-store-ref="file" aliases="SimpleStatefulCache"/>

                        </caches>

                        <passivation-stores>

                            <file-passivation-store name="file"/>

                        </passivation-stores>

                        <async thread-pool-name="default"/>

                        <timer-service thread-pool-name="default">

                            <data-store path="timer-service-data" relative-to="jboss.server.data.dir"/>

                        </timer-service>

                        <remote connector-ref="remoting-connector" thread-pool-name="default"/>

                        <thread-pools>

                            <thread-pool name="default">

                                <max-threads count="10"/>

                                <keepalive-time time="100" unit="milliseconds"/>

                            </thread-pool>

                        </thread-pools>

                        <default-security-domain value="other"/>

                        <default-missing-method-permissions-deny-access value="true"/>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:infinispan:1.4">

                        <cache-container name="web" aliases="standard-session-cache" default-cache="local-web" module="org.jboss.as.clustering.web.infinispan">

                            <local-cache name="local-web" batching="true">

                                <file-store passivation="false" purge="false"/>

                            </local-cache>

                        </cache-container>

                        <cache-container name="hibernate" default-cache="local-query" module="org.jboss.as.jpa.hibernate:4">

                            <local-cache name="entity">

                                <transaction mode="NON_XA"/>

                                <eviction strategy="LRU" max-entries="10000"/>

                                <expiration max-idle="100000"/>

                            </local-cache>

                            <local-cache name="local-query">

                                <transaction mode="NONE"/>

                                <eviction strategy="LRU" max-entries="10000"/>

                                <expiration max-idle="100000"/>

                            </local-cache>

                            <local-cache name="timestamps">

                                <transaction mode="NONE"/>

                                <eviction strategy="NONE"/>

                            </local-cache>

                        </cache-container>

                        <cache-container name="teiid" default-cache="resultset">

                            <local-cache name="resultset">

                                <transaction mode="NON_XA"/>

                                <expiration lifespan="7200000" />

                                <eviction max-entries="1024" strategy="LIRS"/>

                            </local-cache>

                            <local-cache name="resultset-repl">

                                <transaction mode="NON_XA"/>

                                <expiration lifespan="7200000" />

                                <eviction max-entries="1024" strategy="LIRS"/>

                            </local-cache>               

                            <local-cache name="preparedplan">

                                <expiration lifespan="28800" />

                                <eviction max-entries="512" strategy="LIRS"/>

                            </local-cache> 

                        </cache-container>           

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>

                    <subsystem xmlns="urn:jboss:domain:jca:1.1">

                        <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>

                        <bean-validation enabled="true"/>

                        <default-workmanager>

                            <short-running-threads>

                                <core-threads count="50"/>

                                <queue-length count="50"/>

                                <max-threads count="50"/>

                                <keepalive-time time="10" unit="seconds"/>

                            </short-running-threads>

                            <long-running-threads>

                                <core-threads count="50"/>

                                <queue-length count="50"/>

                                <max-threads count="50"/>

                                <keepalive-time time="10" unit="seconds"/>

                            </long-running-threads>

                        </default-workmanager>

                        <cached-connection-manager/>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:jdr:1.0"/>

                    <subsystem xmlns="urn:jboss:domain:jmx:1.2">

                        <expose-resolved-model/>

                        <expose-expression-model/>

                        <remoting-connector/>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:jpa:1.1">

                        <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:jsf:1.0"/>

                    <subsystem xmlns="urn:jboss:domain:mail:1.1">

                        <mail-session jndi-name="java:jboss/mail/Default">

                            <smtp-server outbound-socket-binding-ref="mail-smtp"/>

                        </mail-session>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:naming:1.3">

                        <remote-naming/>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:pojo:1.0"/>

                    <subsystem xmlns="urn:jboss:domain:remoting:1.1">

                        <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:resource-adapters:1.1">

                        <resource-adapters>

                            <resource-adapter id="file">

                                <module slot="main" id="org.jboss.teiid.resource-adapter.file"/>

                            </resource-adapter>

                            <resource-adapter id="google">

                                <module slot="main" id="org.jboss.teiid.resource-adapter.google"/>

                            </resource-adapter>

                            <resource-adapter id="infinispan">

                                <module slot="main" id="org.jboss.teiid.resource-adapter.infinispan"/>

                            </resource-adapter>

                            <resource-adapter id="ldap">

                                <module slot="main" id="org.jboss.teiid.resource-adapter.ldap"/>

                            </resource-adapter>

                            <resource-adapter id="salesforce">

                                <module slot="main" id="org.jboss.teiid.resource-adapter.salesforce"/>

                            </resource-adapter>

                            <resource-adapter id="webservice">

                                <module slot="main" id="org.jboss.teiid.resource-adapter.webservice"/>

                            </resource-adapter>

                            <resource-adapter id="mongodb">

                                <module slot="main" id="org.jboss.teiid.resource-adapter.mongodb"/>

                            </resource-adapter>

                            <resource-adapter id="cassandra">

                                <module slot="main" id="org.jboss.teiid.resource-adapter.cassandra"/>

                            </resource-adapter>

                        </resource-adapters>       

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:sar:1.0"/>

                    <subsystem xmlns="urn:jboss:domain:security:1.2">

                        <security-domains>

                            <security-domain name="other" cache-type="default">

                                <authentication>

                                    <login-module code="Remoting" flag="optional">

                                        <module-option name="password-stacking" value="useFirstPass"/>

                                    </login-module>

                                    <login-module code="RealmDirect" flag="required">

                                        <module-option name="password-stacking" value="useFirstPass"/>

                                    </login-module>

                                </authentication>

                            </security-domain>

                            <security-domain name="jboss-web-policy" cache-type="default">

                                <authorization>

                                    <policy-module code="Delegating" flag="required"/>

                                </authorization>

                            </security-domain>

                            <security-domain name="jboss-ejb-policy" cache-type="default">

                                <authorization>

                                    <policy-module code="Delegating" flag="required"/>

                                </authorization>

                            </security-domain>

                            <security-domain name="krb5-domain" cache-type="default">

                                <authentication>

                                    <!-- module-option takes its value as the "value" attribute, as the other domains in this file do -->
                                    <login-module code="Kerberos" flag="required">

                                        <module-option name="storeKey" value="true"/>

                                        <module-option name="useKeyTab" value="true"/>

                                        <module-option name="principal" value="HTTP/JBOSS.CORP.CONTOSO.COM@CORP.CONTOSO.COM"/>

                                        <module-option name="keyTab" value="C:\jboss\keyTab\jboss.keytab"/>

                                        <module-option name="doNotPrompt" value="true"/>

                                        <module-option name="debug" value="true"/>

                                    </login-module>

                                </authentication>

                            </security-domain>

                            <security-domain name="teiid-security" cache-type="default">

                                <authentication>

                                    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">

                                        <module-option name="usersProperties" value="${jboss.server.config.dir}/teiid-security-users.properties"/>

                                        <module-option name="rolesProperties" value="${jboss.server.config.dir}/teiid-security-roles.properties"/>

                                    </login-module>

                                </authentication>

                            </security-domain>               

                        </security-domains>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:teiid:1.0">

                        <async-thread-pool>teiid-async</async-thread-pool>

                        <resultset-cache infinispan-container="teiid" name="resultset"/>

                        <preparedplan-cache infinispan-container="teiid" name="preparedplan"/>

                       

                        <transport name="embedded"/>

                        <transport name="odata">

                            <authentication security-domain="teiid-security"/>

                        </transport>

                        <transport name="jdbc" protocol="teiid" socket-binding="teiid-jdbc">

                            <authentication security-domain="teiid-security" krb5-domain="krb5-domain"/>

                        </transport>

                        <transport name="odbc" protocol="pg" socket-binding="teiid-odbc">

                            <authentication security-domain="teiid-security"/>

                        </transport>

                        <policy-decider-module>org.jboss.teiid</policy-decider-module>       

                        <translator name="jdbc-simple" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="jdbc-ansi" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="access" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="db2" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="derby" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="h2" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="hsql" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="informix" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="metamatrix" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="mysql" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="mysql5" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="oracle" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="postgresql" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="sqlserver" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="sybase" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="teiid" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="teradata" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="modeshape" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="ingres" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="ingres93" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="intersystems-cache" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="netezza" module="org.jboss.teiid.translator.jdbc"/>

                        <translator name="file" module="org.jboss.teiid.translator.file"/>

                        <translator name="ldap" module="org.jboss.teiid.translator.ldap"/>

                        <translator name="loopback" module="org.jboss.teiid.translator.loopback"/>

                        <translator name="olap" module="org.jboss.teiid.translator.olap"/>

                        <translator name="ws" module="org.jboss.teiid.translator.ws"/>

                        <translator name="salesforce" module="org.jboss.teiid.translator.salesforce"/>

                        <translator name="hive" module="org.jboss.teiid.translator.hive"/>

                        <translator name="jpa2" module="org.jboss.teiid.translator.jpa"/>

                        <translator name="infinispan-cache" module="org.jboss.teiid.translator.object"/>

                        <translator name="map-cache" module="org.jboss.teiid.translator.object"/>

                        <translator name="odata" module="org.jboss.teiid.translator.odata"/>

                        <translator name="sap-nw-gateway" module="org.jboss.teiid.translator.odata"/>

                        <translator name="mongodb" module="org.jboss.teiid.translator.mongodb"/>

                        <translator name="cassandra" module="org.jboss.teiid.translator.cassandra"/>

                    </subsystem>       

                    <subsystem xmlns="urn:jboss:domain:threads:1.1">

                        <bounded-queue-thread-pool name="teiid-async">

                            <max-threads count="4"/>

                            <queue-length count="100"/>

                        </bounded-queue-thread-pool>       

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:transactions:1.2">

                        <core-environment>

                            <process-id>

                                <uuid/>

                            </process-id>

                        </core-environment>

                        <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>

                        <coordinator-environment default-timeout="300"/>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="false">

                        <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

                        <virtual-server name="default-host" enable-welcome-root="true">

                            <alias name="localhost"/>

                            <alias name="example.com"/>

                        </virtual-server>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:webservices:1.2">

                        <modify-wsdl-address>true</modify-wsdl-address>

                        <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>

                        <endpoint-config name="Standard-Endpoint-Config"/>

                        <endpoint-config name="Recording-Endpoint-Config">

                            <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">

                                <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>

                            </pre-handler-chain>

                        </endpoint-config>

                        <client-config name="Standard-Client-Config"/>

                    </subsystem>

                    <subsystem xmlns="urn:jboss:domain:weld:1.0"/>

                </profile>

                <interfaces>

                    <interface name="management">

                        <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>

                    </interface>

                    <interface name="public">

                        <inet-address value="${jboss.bind.address:0.0.0.0}"/>

                    </interface>

                    <interface name="unsecure">

                        <inet-address value="${jboss.bind.address.unsecure:127.0.0.1}"/>

                    </interface>

                </interfaces>

                <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">

                    <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>

                    <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>

                    <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>

                    <socket-binding name="ajp" port="8009"/>

                    <socket-binding name="http" port="8080"/>

                    <socket-binding name="https" port="8443"/>

                    <socket-binding name="remoting" port="4447"/>

                    <socket-binding name="txn-recovery-environment" port="4712"/>

                    <socket-binding name="txn-status-manager" port="4713"/>

                    <socket-binding name="teiid-jdbc" interface="public" port="31000"/>

                    <socket-binding name="teiid-odbc" interface="public" port="35432"/>       

                    <outbound-socket-binding name="mail-smtp">

                        <remote-destination host="localhost" port="25"/>

                    </outbound-socket-binding>

                </socket-binding-group>

            </server>

             

            In the standalone.conf.bat I've added:

            set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.realm=CORP.CONTOSO.COM"

            set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.krb5.kdc=DC1.CORP.CONTOSO.COM"

            set "JAVA_OPTS=%JAVA_OPTS% -Djava.security.useSubjectCredsOnly=false"

             

            My test vdb

            <vdb name="testSQL" version="1">

                <description>test sql server</description>

                <property name="importer.useFullSchemaName" value="true"/>

                <source name="sql-connector" translator-name="sqlserver" connection-jndi-name="java:/sqlserverDS"/>

            </vdb>

             

            I've installed the JBoss Negotiation Toolkit. I've passed the basic negotiation test. For the Security Domain test, it failed. I used JBOSS.CORP.CONTOSO.COM as my host. I got back a java exception: java.security.auth.login.LoginException - PBOX000053: No CallbackHandler available to collect authentication information. This is the same error I get when I start my Jboss server with the vdb deployed.

             

            I did a bit of searching on the internet; it could be my keytab file location that's incorrect. I tried file:///C:/jboss/keyTab/jboss.keytab and C:/jboss/keyTab/jboss.keytab as the value but still no success.

             

            My test domain setup (followed technet article: Steps for Configuring the Corpnet Subnet)

            DC1.CORP.CONTOSO.COM - Win2008 R2 (Domain Controller, DNS, DHCP, CA)

            APP1.CORP.CONTOSO.COM - Win2008 R2 (SQL Server, IIS)

            APP2.CORP.CONTOSO.COM - Win2008 R2 (JBoss, also known as JBOSS.CORP.CONTOSO.COM)

            A couple Clients (Windows 7,8.1)

            • 3. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
              Andy Yip Newbie

              Some update. I deleted my Jboss Teiid directory and started fresh with a freshly extracted JBoss files.

               

              I've added back the configuration in standard.xml

               

              <system-properties>
                  <property name="java.security.krb5.kdc" value="DC1.CORP.CONTOSO.COM"/>
                  <property name="java.security.krb5.realm" value="CORP.CONTOSO.COM"/>
              </system-properties>
              ......
              <security-domain name="host" cache-type="default">
                  <authentication>
                      <login-module code="Kerberos" flag="required">
                          <module-option name="storeKey" value="true"/>
                          <module-option name="useKeyTab" value="true"/>
                          <module-option name="principal" value="HTTP/JBOSS.CORP.CONTOSO.COM@CORP.CONTOSO.COM"/>
                          <module-option name="keyTab" value="${jboss.home.dir}\jboss.keytab"/>
                          <module-option name="doNotPrompt" value="true"/>
                          <module-option name="debug" value="true"/>
                      </login-module>
                  </authentication>
              </security-domain>
              <security-domain name="SPNEGO" cache-type="default">
                  <authentication>
                      <login-module code="SPNEGO" flag="requisite">
                          <module-option name="password-stacking" value="useFirstPass"/>
                          <module-option name="serverSecurityDomain" value="host"/>
                          <module-option name="defaultRole" value="Users"/>
                          <module-option name="debug" value="true"/>
                      </login-module>
                      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                          <module-option name="password-stacking" value="useFirstPass"/>
                          <module-option name="usersProperties" value="${jboss.home.dir}\spnego-users.properties"/>
                          <module-option name="rolesProperties" value="${jboss.home.dir}\spnego-roles.properties"/>
                      </login-module>
                  </authentication>
              </security-domain>


              I am now getting Client not found in Kerberos database (6) in the Security Domain Test.


              If I change the Kerberos module to include the options renewTGT=true and useTicketCache=true and remove the storeKey, useKeyTab, principal, and keyTab options, I pass the Security Domain Test. However, I still fail the Secured test.



              • 4. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
                Ramesh Reddy Master

                Can you try a normal account rather than the service account to see if that is an issue?

                • 5. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
                  Graeme Gillies Newbie

                  Hi,

                   

                  I think you might want to take a closer look at

                   

                  <login-module code="Kerberos" flag="required">
                      <module-option name="storeKey" value="true"/>
                      <module-option name="useKeyTab" value="true"/>
                      <module-option name="principal" value="HTTP/JBOSS.CORP.CONTOSO.COM@CORP.CONTOSO.COM"/>
                      <module-option name="keyTab" value="${jboss.home.dir}\jboss.keytab"/>
                      <module-option name="doNotPrompt" value="true"/>
                      <module-option name="debug" value="true"/>
                  </login-module>


                  If you are not using a keytab, then you want to remove the keytab value, and change useKeyTab to false. You will want to change the principal to be the principal of the logged-in user of the service (I'm assuming something like servicename@CORP.CONTOSO.COM). There might be some other options on the Kerberos login module you will need to tweak as well:

                  https://docs.jboss.org/author/display/AS71/Security+subsystem+configuration

                  http://docs.oracle.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

                   

                  Regards,


                  Graeme

                  • 6. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
                    Andy Yip Newbie

                    Hello Ramesh

                     

                    I figured out why the keytab file wasn't working. The principal was associated with too many accounts (I believe it was because I forgot to clean it up when I was testing). Now both methods are working: using the keytab and using the service account's session ticket.

                     

                    Now I'm faced with a small ... or odd error: I am getting Failed to open properties file from URL: java.net.MalformedURLException

                     

                    I've tried changing the module options for usersProperties and rolesProperties to:

                    file://C:/jboss/spnego-users.properties, file://C:\jboss\spnego-users.properties

                    file://C:/jboss/spnego-roles.properties, file://C:\jboss\spnego-roles.properties

                     

                    But no dice, still the same error. It's probably something small I've overlooked.

                    • 7. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
                      Andy Yip Newbie

                      Hello Graeme

                       

                      Thanks for the links. When using the service account I'm using the module-option renewTGT=true, useTicketCache=true while removing (commenting out) the storeKey, useKeyTab, principal, and keyTab module-option.

                       

                      I can't say which method is better, but both options seem to be working.

                       

                      Cheers,

                      • 8. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
                        Ramesh Reddy Master

                        Andy,

                         

                        great!

                         

                        ${jboss.home.dir}/spnego-users.properties
                        

                        Did not work?


                        Is there any way you can write up your setup in detail? Both using the keytab and service account, in a blog or in the Teiid documents or wiki? I feel Teiid needs more documentation around this topic than what we have (my knowledge on this topic is limited). I would really appreciate it.


                        Thanks


                        Ramesh..

                        • 9. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
                          Andy Yip Newbie

                          Hello Ramesh

                           

                          I'm documenting on my side as I go along. Once I get everything to work (including Teiid), I will definitely post here for the result. Thanks for your help.

                           

                          Combination

                          <module-option name="usersProperties" value="${jboss.home.dir}\spnego-users.properties"/> 

                          <module-option name="rolesProperties" value="${jboss.home.dir}\spnego-roles.properties"/> 

                           

                          server.log

                          Failed to open properties file from URL: java.net.MalformedURLException: no protocol: defaultRoles.properties

                          Failed to open properties file from URL: java.net.MalformedURLException: unknown protocol: c

                           

                          Combination

                          <module-option name="usersProperties" value="file://${jboss.home.dir}\spnego-users.properties"/> 

                          <module-option name="rolesProperties" value="file://${jboss.home.dir}\spnego-roles.properties"/> 


                          server.log

                          Failed to open properties file from URL: java.net.MalformedURLException: no protocol: defaultUsers.properties

                          Login failure: javax.security.auth.login.LoginException: Missing properties file: file://C:\jboss\spnego-users.properties

                          • 10. Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
                            Ramesh Reddy Master

                            URLs do not like backslashes, so in your case ${jboss.home.dir} is set to "c:\jboss", which is resulting in "file://C:\jboss\spnego-users.properties", which should have been

                            file://C:/jboss/spnego-users.properties


                            so try the below, with no prepended "file://" and no appended backslash "\":

                            ${jboss.home.dir}/spnego-roles.properties


                            Or simply copy them into the config directory next to the "teiid-security-users.properties" file, and use the similar path pattern defined there.


                            Ramesh..



                            • 11. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
                              Andy Yip Newbie

                              Hello Ramesh

                               

                              Still no dice.

                               

                              The closest I've gotten is ...

                              <module-option name="defaultUsersProperties" value="file://C:/jboss/standalone/configuration/spnego-users.properties"/>

                              <module-option name="defaultRolesProperties" value="file://C:/jboss/standalone/configuration/spnego-roles.properties"/>


                              I get a java.net.UnknownHostException: C


                              I tried adding the third / after the protocol but that got me an unknown protocol.




                              • 12. Re: Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
                                Ramesh Reddy Master

                                Andy,

                                 

                                When the code does not find the property files you defined, then it looks for the defaultUsersProperties and defaultRolesProperties. So, if we fix the first issue, then the code will not look for the "default" properties files.

                                 

                                so I want to make sure you tried

                                 

                                  <module-option name="usersProperties" value="${jboss.home.dir}/spnego-users.properties"/>
                                  <module-option name="rolesProperties" value="${jboss.home.dir}/spnego-roles.properties"/>
                                


                                where the property files are in the root JBoss installation directory, or alternatively


                                  <module-option name="usersProperties" value="${jboss.server.config.dir}/spnego-users.properties"/>
                                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/spnego-roles.properties"/>
                                


                                where the property files are in "<jboss-eap>/standalone/configuration" directory.


                                Ramesh..
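                                An added illustration (my own code, not from this thread, PicketBox or Teiid) of why the property-file values tried in posts 9 to 11 fail: the login module resolves them through java.net.URL, and the parser's reading of a Windows path produces the very messages quoted from server.log. The class and method names are mine; the candidate strings are the ones from the thread, with ${jboss.home.dir} assumed to expand to C:\jboss.

```java
import java.net.MalformedURLException;
import java.net.URL;

/** Shows how java.net.URL interprets each property-file value from the thread. */
public class PropertiesUrlCheck {

    /** Describe how java.net.URL parses one candidate value (assumed helper name). */
    static String describe(String value) {
        try {
            URL url = new URL(value);
            String host = url.getHost();
            // A non-empty host on a file: URL is the trap. "file://C:/..." makes
            // "C" the host; the file handler then treats it as a remote host,
            // which is where "java.net.UnknownHostException: C" comes from.
            return "protocol=" + url.getProtocol()
                    + " host=" + (host.isEmpty() ? "<none>" : host)
                    + " path=" + url.getPath();
        } catch (MalformedURLException e) {
            // A bare "C:\jboss\..." parses "C:" as the scheme, hence
            // "unknown protocol: c"; backslashes after "//" are rejected outright.
            return "MalformedURLException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String[] candidates = {
            // ${jboss.home.dir} as expanded on Windows: drive letter and backslashes
            "C:\\jboss\\spnego-users.properties",
            // "file://" prepended to the same expanded value
            "file://C:\\jboss\\spnego-users.properties",
            // forward slashes but only two slashes after the scheme
            "file://C:/jboss/standalone/configuration/spnego-users.properties",
            // empty host, path begins with /C:/ (the form a file URL needs)
            "file:///C:/jboss/standalone/configuration/spnego-users.properties",
        };
        for (String candidate : candidates) {
            System.out.println(candidate + "  ->  " + describe(candidate));
        }
    }
}
```

                                Only the last form yields a file: URL with no host, which is why a plain path such as ${jboss.server.config.dir}/spnego-users.properties (resolved by the module itself rather than as a URL) is the safer choice on Windows.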

                                • 13. Re: Kerberos Authentication with JBoss EAP 6.1Alpha +Teiid 8.6 Beta 2 running as a Windows service
                                  Andy Yip Newbie

                                  Hello Ramesh

                                   

                                  I tried both and the users/rolesProperties does not seem to use the value ... but with defaultUsers/RolesProperties option, it picks up my value...
