0 Replies Latest reply on Jan 28, 2014 10:49 PM by jmsjr

    javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed when in a domain and cluster

    jmsjr Newbie

      I have a managed domain where the domain controller is on master ( on Window7 ) and a host controller running on slave ( called ubuntu1, running as a guest inside Oracle VirtualBox )

      I created an ApplicationRealm user called onlineuser from the domain controller ( Yes, I re-added / recreated the user as I initially said No to the last question ):

       

       

      C:\jboss-eap-6.2\bin>add-user.bat

       

       

      What type of user do you wish to add?

      a) Management User (mgmt-users.properties)

      b) Application User (application-users.properties)

      (a): b

       

       

      Enter the details of the new user to add.

      Using realm 'ApplicationRealm' as discovered from the existing property files.

      Username : onlineuser

      User 'onlineuser' already exits, would you like to update the existing user password and roles

      Is this correct yes/no? yes

      Password :

      Re-enter Password :

      What groups do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]:

      Updated user 'onlineuser' to file 'C:\jboss-eap-6.2\standalone\configuration\application-users.properties'

      Updated user 'onlineuser' to file 'C:\jboss-eap-6.2\domain\configuration\application-users.properties'

      Updated user 'onlineuser' with groups  to file 'C:\jboss-eap-6.2\standalone\configuration\application-roles.properties'

      Updated user 'onlineuser' with groups  to file 'C:\jboss-eap-6.2\domain\configuration\application-roles.properties'

      Is this new user going to be used for one AS process to connect to another AS process?

      e.g. for a slave host controller connecting to the master or for a Remoting connection for server to server EJB calls.

      yes/no? yes

      To represent the user add the following to the server-identities definition <secret value="MG5sIW4zNDU=" />

      Press any key to continue . . .

       

       

      In the host.xml of *BOTH* the master and ubuntu1 host, I have the following in the security-realm:

       

              <security-realms>

                  <security-realm name="ManagementRealm">

                      <server-identities>

                           <!-- Replace this with either a base64 password of your own, or use a vault with a vault expression -->

                           <secret value="ZDBtNDFuNGRtMW5e"/>

                      </server-identities>

                      <authentication>

                          <local default-user="$local" />

                          <properties path="mgmt-users.properties" relative-to="jboss.domain.config.dir"/>

                      </authentication>

                      <authorization map-groups-to-roles="false">

                          <properties path="mgmt-groups.properties" relative-to="jboss.domain.config.dir"/>

                      </authorization>              

                  </security-realm>

                  <security-realm name="ApplicationRealm">

                      <server-identities>

                           <!-- Replace this with either a base64 password of your own, or use a vault with a vault expression -->

                           <secret value="MG5sIW4zNDU="/>

                      </server-identities>

                      <authentication>

                          <local default-user="$local" allowed-users="*" />

                          <properties path="application-users.properties" relative-to="jboss.domain.config.dir" />

                      </authentication>

                      <authorization>

                          <properties path="application-roles.properties" relative-to="jboss.domain.config.dir"/>

                      </authorization>

                  </security-realm>

              </security-realms>

       

      3. Only the domain controller has the user onlineuser in domain/configuration/application-users.properties:

       

      #$REALM_NAME=ApplicationRealm$ This line is used by the add-user utility to identify the realm name already used in this file.

      #

      # The following illustrates how an admin user could be defined, this

      # is for illustration only and does not correspond to a usable password.

      #

      #admin=2a0923285184943425d1f53ddd58ec7a

      onlineuser=1cf9385dd0c9b957e157af627a2444cb

       

      4. Only the domain controller has the onlineuser in domain/configuration/application-roles.properties:

       

      #admin=PowerUser,BillingAdmin,

      #guest=guest

      onlineuser=

       

       

      5. Now from my EJB client code, I have the following jboss-ejb-client.properties:

       

      remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

      remote.connections=ejb

      remote.connection.ejb.host=172.21.17.142

      remote.connection.ejb.port=4447

      remote.connection.ejb.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false

      remote.connection.ejb.username=onlineuser

      remote.connection.ejb.password=0nl!n345

       

      The host 172.21.17.142 is the master / domain controller

       

       

      When I do a JNDI lookup of a SFSB, I get the following output from the console:

       

      XNIO Version 3.0.7.GA-redhat-1

      XNIO NIO Implementation Version 3.0.7.GA-redhat-1

      JBoss Remoting version 3.2.18.GA-redhat-1

      EJBCLIENT000017: Received server version 2 and marshalling strategies [river]

      EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@f5a07b6, receiver=Remoting connection EJB receiver [connection=org.jboss.ejb.client.remoting.ConnectionPool$PooledConnection@5fb04599,channel=jboss.ejb,nodename=master:server-one]} on channel Channel ID c617229a (outbound) of Remoting connection 7e93107f to /172.21.17.142:4447

      JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

      Could not create a connection for cluster node ClusterNode{clusterName='ejb', nodeName='ubuntu1:server-one', clientMappings=[ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='172.21.17.126', destinationPort=4447}], resolvedDestination=[Destination address=172.21.17.126, destination port=4447]} in cluster ejb

      java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

        at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:92)

        at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:77)

        at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)

        at org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager.getEJBReceiver(RemotingConnectionClusterNodeManager.java:77)

        at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:416)

        at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:390)

        at java.util.concurrent.FutureTask.run(FutureTask.java:262)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

        at java.lang.Thread.run(Thread.java:744)

      Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:367)

        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:229)

        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

        at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)

        at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)

        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

        at org.xnio.nio.NioHandle.run(NioHandle.java:90)

        at org.xnio.nio.WorkerThread.run(WorkerThread.java:187)

        at ...asynchronous invocation...(Unknown Source)

        at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)

        at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:386)

        at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:152)

        at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)

        at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:75)

        ... 8 more

      JBoss EJB Client version 1.0.24.Final-redhat-1

       

       

      6. You can see from the above that it appears that:

      * The EJB client was able to connect and authenticate to the host master running on the domain controller

      * The EJB client appeared to have received the cluster topology ( both master and ubuntu1 are in the same cluster )

      * However, the EJB client could not authenticate to ubuntu1 ( 172.21.17.126 )

      * The EJB client was still able to invoke the method on the SFSB but one that is a proxy for the SFSB in master

       

       

      7. If I change  jboss-ejb-client.properties so that the host is property points to the slave ( non-domain controller )

       

      remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

      remote.connections=ejb

      remote.connection.ejb.host=172.21.17.126

      remote.connection.ejb.port=4447

      remote.connection.ejb.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false

      remote.connection.ejb.username=onlineuser

      remote.connection.ejb.password=0nl!n345

       

       

      I get a similar, but different console output:

       

      XNIO Version 3.0.7.GA-redhat-1

      XNIO NIO Implementation Version 3.0.7.GA-redhat-1

      JBoss Remoting version 3.2.18.GA-redhat-1

      EJBCLIENT000017: Received server version 2 and marshalling strategies [river]

      EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@3389e485, receiver=Remoting connection EJB receiver [connection=org.jboss.ejb.client.remoting.ConnectionPool$PooledConnection@21f9f232,channel=jboss.ejb,nodename=ubuntu1:server-one]} on channel Channel ID ca13cd64 (outbound) of Remoting connection 7651eaa2 to /172.21.17.126:4447

      EJBCLIENT000017: Received server version 2 and marshalling strategies [river]

      EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@3389e485, receiver=Remoting connection EJB receiver [connection=org.jboss.ejb.client.remoting.ConnectionPool$PooledConnection@41f0d692,channel=jboss.ejb,nodename=master:server-one]} on channel Channel ID a4d334c4 (outbound) of Remoting connection 22c2e2dd to /172.21.17.142:4447

      JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

      Could not create a connection for cluster node ClusterNode{clusterName='ejb', nodeName='ubuntu1:server-one', clientMappings=[ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='172.21.17.126', destinationPort=4447}], resolvedDestination=[Destination address=172.21.17.126, destination port=4447]} in cluster ejb

      java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

        at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:92)

        at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:77)

        at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)

        at org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager.getEJBReceiver(RemotingConnectionClusterNodeManager.java:77)

        at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:416)

        at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:390)

        at java.util.concurrent.FutureTask.run(FutureTask.java:262)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

        at java.lang.Thread.run(Thread.java:744)

      Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:367)

        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:229)

        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

        at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)

        at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)

        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

        at org.xnio.nio.NioHandle.run(NioHandle.java:90)

        at org.xnio.nio.WorkerThread.run(WorkerThread.java:187)

        at ...asynchronous invocation...(Unknown Source)

        at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)

        at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:386)

        at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:152)

        at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)

        at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:75)

        ... 8 more

      JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

      Could not create a connection for cluster node ClusterNode{clusterName='ejb', nodeName='ubuntu1:server-one', clientMappings=[ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='172.21.17.126', destinationPort=4447}], resolvedDestination=[Destination address=172.21.17.126, destination port=4447]} in cluster ejb

      java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

        at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:92)

        at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:77)

        at org.jboss.ejb.client.remoting.RemotingConnectionManager.getConnection(RemotingConnectionManager.java:51)

        at org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager.getEJBReceiver(RemotingConnectionClusterNodeManager.java:77)

        at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:416)

        at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.call(ClusterContext.java:390)

        at java.util.concurrent.FutureTask.run(FutureTask.java:262)

        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

        at java.lang.Thread.run(Thread.java:744)

      Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:367)

        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:229)

        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

        at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)

        at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)

        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

        at org.xnio.nio.NioHandle.run(NioHandle.java:90)

        at org.xnio.nio.WorkerThread.run(WorkerThread.java:187)

        at ...asynchronous invocation...(Unknown Source)

        at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)

        at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:386)

        at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:152)

        at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:133)

        at org.jboss.ejb.client.remoting.ConnectionPool.getConnection(ConnectionPool.java:75)

        ... 8 more

      JBoss EJB Client version 1.0.24.Final-redhat-1

       

      8. If I shutdown master, and only leave the slave running and run the EJB client as per properties file in step [7] ( host property points to ubuntu1 ), the console output is:

       

      XNIO Version 3.0.7.GA-redhat-1

      XNIO NIO Implementation Version 3.0.7.GA-redhat-1

      JBoss Remoting version 3.2.18.GA-redhat-1

      JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

       

      9. If I shutdown the slave / ubuntu1 and only leave the master running, the EJB client connects successfully:

       

      XNIO Version 3.0.7.GA-redhat-1

      XNIO NIO Implementation Version 3.0.7.GA-redhat-1

      JBoss Remoting version 3.2.18.GA-redhat-1

      EJBCLIENT000017: Received server version 2 and marshalling strategies [river]

      EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@51133572, receiver=Remoting connection EJB receiver [connection=org.jboss.ejb.client.remoting.ConnectionPool$PooledConnection@4419f8f3,channel=jboss.ejb,nodename=master:server-one]} on channel Channel ID 8712cef6 (outbound) of Remoting connection 629ca8b8 to /172.21.17.142:4447

      JBoss EJB Client version 1.0.24.Final-redhat-1

       

      10. So it appears that the host.xml in the slave / ubuntu1 has something wrong.

      But I tried copying the domain/configuration/application-users.properties and domain/configuration/application-roles.properties

      from the domain controller master to the slave ubuntu1 and restarted the whole domain ( even the host controllers on both just to be sure ) ... but I still have this "javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed" error message.

       

      FWIW ... I'm trying this out on JBossEAP 6.2 / JBoss7.3