6 Replies Latest reply on Jul 4, 2016 7:37 AM by Ronald Feicht

    Wildfly and SPNEGO

    Ronald Feicht Newbie

      I have been trying for two weeks now to get  SPNEGO SSO authentication working by following this article SPNego Authentication with JBoss - DZone Integration but I keep getting this error which I know not how to solve. For testing purposes I use jboss-negotiation/jboss-negotiation-toolkit at master · wildfly-security/jboss-negotiation · GitHub

      Wildfly Server log file:

      Options:

      name=principal, value=HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

      name=debug, value=true

      name=doNotPrompt, value=true

      name=storeKey, value=true

      name=keyTab, value=/opt/elementary/wildfly-10.0.0.Final/standalone/configuration/spnego.keytab

      name=useKeyTab, value=true

      name=refreshKrb5Config, value=true

       

      2016-07-01 10:34:41,303 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) Wrapped Krb5LoginModule is 'com.sun.security.auth.module.Krb5LoginModule'

      2016-07-01 10:34:41,303 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) delegationCredential=IGNORE

      2016-07-01 10:34:41,323 INFO  [stdout] (default task-7) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/elementary/wildfly-10.0.0.Final/standalone/configuration/spnego.keytab refreshKrb5Config is true principal is HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID tryFirstPass is false useFirstPass is false storePass is false clearPass is false

      2016-07-01 10:34:41,324 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) Initialised wrapped login module.

      2016-07-01 10:34:41,324 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) addGssCredential=false

      2016-07-01 10:34:41,325 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) wrapGssCredential=false

      2016-07-01 10:34:41,326 INFO  [stdout] (default task-7) Refreshing Kerberos configuration

      2016-07-01 10:34:41,336 INFO  [stdout] (default task-7) Java config name: /etc/krb5.conf

      2016-07-01 10:34:41,338 INFO  [stdout] (default task-7) Loaded from Java config

      2016-07-01 10:34:41,340 INFO  [stdout] (default task-7) >>> KdcAccessibility: reset

      2016-07-01 10:34:41,341 INFO  [stdout] (default task-7) >>> KdcAccessibility: reset

      2016-07-01 10:34:41,357 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID

      2016-07-01 10:34:41,358 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP

      2016-07-01 10:34:41,358 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid

      2016-07-01 10:34:41,362 INFO  [stdout] (default task-7) >>> KeyTab: load() entry length: 82; type: 1

      2016-07-01 10:34:41,363 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID

      2016-07-01 10:34:41,363 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP

      2016-07-01 10:34:41,365 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid

      2016-07-01 10:34:41,366 INFO  [stdout] (default task-7) >>> KeyTab: load() entry length: 82; type: 3

      2016-07-01 10:34:41,371 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID

      2016-07-01 10:34:41,373 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP

      2016-07-01 10:34:41,374 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid

      2016-07-01 10:34:41,374 INFO  [stdout] (default task-7) >>> KeyTab: load() entry length: 90; type: 17

      2016-07-01 10:34:41,375 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID

      2016-07-01 10:34:41,375 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP

      2016-07-01 10:34:41,381 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid

      2016-07-01 10:34:41,381 INFO  [stdout] (default task-7) >>> KeyTab: load() entry length: 106; type: 18

      2016-07-01 10:34:41,381 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID

      2016-07-01 10:34:41,382 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP

      2016-07-01 10:34:41,382 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid

      2016-07-01 10:34:41,382 INFO  [stdout] (default task-7) >>> KeyTab: load() entry length: 90; type: 23

      2016-07-01 10:34:41,382 INFO  [stdout] (default task-7) Looking for keys for: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

      2016-07-01 10:34:41,384 INFO  [stdout] (default task-7) Added key: 23version: 1

      2016-07-01 10:34:41,384 INFO  [stdout] (default task-7) Added key: 18version: 1

      2016-07-01 10:34:41,385 INFO  [stdout] (default task-7) Added key: 17version: 1

      2016-07-01 10:34:41,385 INFO  [stdout] (default task-7) Found unsupported keytype (3) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

      2016-07-01 10:34:41,387 INFO  [stdout] (default task-7) Found unsupported keytype (1) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

      2016-07-01 10:34:41,399 INFO  [stdout] (default task-7) Looking for keys for: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

      2016-07-01 10:34:41,399 INFO  [stdout] (default task-7) Added key: 23version: 1

      2016-07-01 10:34:41,399 INFO  [stdout] (default task-7) Added key: 18version: 1

      2016-07-01 10:34:41,401 INFO  [stdout] (default task-7) Added key: 17version: 1

      2016-07-01 10:34:41,401 INFO  [stdout] (default task-7) Found unsupported keytype (3) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

      2016-07-01 10:34:41,401 INFO  [stdout] (default task-7) Found unsupported keytype (1) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

      2016-07-01 10:34:41,402 INFO  [stdout] (default task-7) Using builtin default etypes for default_tkt_enctypes

      2016-07-01 10:34:41,402 INFO  [stdout] (default task-7) default etypes for default_tkt_enctypes: 18 17 16 23.

      2016-07-01 10:34:41,407 INFO  [stdout] (default task-7) >>> KrbAsReq creating message

      2016-07-01 10:34:41,410 INFO  [stdout] (default task-7) >>> KrbKdcReq send: kdc=192.168.17.2 UDP:88, timeout=30000, number of retries =3, #bytes=177

      2016-07-01 10:34:41,414 INFO  [stdout] (default task-7) >>> KDCCommunication: kdc=192.168.17.2 UDP:88, timeout=30000,Attempt =1, #bytes=177

      2016-07-01 10:34:41,417 INFO  [stdout] (default task-7) >>> KrbKdcReq send: #bytes read=174

      2016-07-01 10:34:41,418 INFO  [stdout] (default task-7) >>> KdcAccessibility: remove 192.168.17.2:88

      2016-07-01 10:34:41,419 INFO  [stdout] (default task-7) >>> KDCRep: init() encoding tag is 126 req type is 11

      2016-07-01 10:34:41,420 INFO  [stdout] (default task-7) >>>KRBError:

      2016-07-01 10:34:41,421 INFO  [stdout] (default task-7)          sTime is Fri Jul 01 10:34:41 CEST 2016 1467362081000

      2016-07-01 10:34:41,422 INFO  [stdout] (default task-7)          suSec is 419369

      2016-07-01 10:34:41,424 INFO  [stdout] (default task-7)          error code is 6

      2016-07-01 10:34:41,425 INFO  [stdout] (default task-7)          error Message is Client not found in Kerberos database

      2016-07-01 10:34:41,428 INFO  [stdout] (default task-7)          cname is HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

      2016-07-01 10:34:41,428 INFO  [stdout] (default task-7)          sname is krbtgt/SCSYNERGY.INVALID@SCSYNERGY.INVALID

      2016-07-01 10:34:41,428 INFO  [stdout] (default task-7)          msgType is 30

      2016-07-01 10:34:41,428 INFO  [stdout] (default task-7)                 [Krb5LoginModule] authentication failed

      2016-07-01 10:34:41,428 INFO  [stdout] (default task-7) Client not found in Kerberos database (6)

      2016-07-01 10:34:41,429 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) Calling wrapped login module to abort.

      2016-07-01 10:34:41,431 TRACE [org.jboss.security] (default task-7) PBOX00244: Begin abort method, overall result: false

      2016-07-01 10:34:41,432 DEBUG [org.jboss.security] (default task-7) PBOX00206: Login failure: javax.security.auth.login.LoginException: Client not found in Kerberos database (6)

              at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)

              at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)

              at org.jboss.security.negotiation.KerberosLoginModule.login(KerberosLoginModule.java:190)

              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

              at java.lang.reflect.Method.invoke(Method.java:498)

              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)

              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)

              at java.security.AccessController.doPrivileged(Native Method)

              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

              at javax.security.auth.login.LoginContext.login(LoginContext.java:587)

              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.getServerSubject(SPNEGOLoginModule.java:332)

              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:285)

              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:229)

              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:147)

              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

              at java.lang.reflect.Method.invoke(Method.java:498)

              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)

              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)

              at java.security.AccessController.doPrivileged(Native Method)

              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

              at javax.security.auth.login.LoginContext.login(LoginContext.java:587)

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)

              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)

              at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)

              at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)

              at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:99)

              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)

              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)

              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)

              at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)

              at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)

              at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)

              at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)

              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

              at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)

              at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)

              at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

              at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)

              at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)

              at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)

              at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)

              at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)

              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

              at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

              at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)

              at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)

              at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)

              at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)

              at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)

              at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)

              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

              at java.lang.Thread.run(Thread.java:745)

      Caused by: KrbException: Client not found in Kerberos database (6)

              at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)

              at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)

              at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)

              at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)

              ... 64 more

      Caused by: KrbException: Identifier doesn't match expected value (906)

              at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)

              at sun.security.krb5.internal.ASRep.init(ASRep.java:64)

              at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)

              at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)

              ... 67 more

       

      standalone.xml (just the relevant parts):

      <system-properties>

              <property name="grape.root" value="${jboss.server.base.dir}"/>

              <property name="java.security.krb5.conf" value="/etc/krb5.conf"/>

              <property name="java.security.krb5.debug" value="true"/>

              <property name="jboss.security.disable.secdomain.option" value="true"/>

          </system-properties>

       

      <security-domain name="SPNEGO" cache-type="default">

                          <authentication>

                              <login-module code="SPNEGO" flag="required">

                                  <module-option name="password-stacking" value="useFirstPass"/>

                                  <module-option name="serverSecurityDomain" value="host"/>

                              </login-module>

                          </authentication>

                          <mapping>

                              <mapping-module code="SimpleRoles" type="role">

                                  <module-option name="Administrator@SCSYNERGY.INVALID" value="Admin"/>

                              </mapping-module>

                          </mapping>

                      </security-domain>

                      <security-domain name="host" cache-type="default">

                          <authentication>

                              <login-module code="Kerberos" flag="required" module="org.jboss.security.negotiation">

                                  <module-option name="refreshKrb5Config" value="true"/>

                                  <module-option name="doNotPrompt" value="true"/>

                                  <module-option name="useKeyTab" value="true"/>

                                  <module-option name="keyTab" value="${jboss.server.config.dir}/spnego.keytab"/>

                                  <module-option name="storeKey" value="true"/>

                                  <module-option name="principal" value="HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID"/>

                                  <module-option name="debug" value="true"/>

                              </login-module>

                          </authentication>

                      </security-domain>

                  </security-domains>

       

      /etc/krb5.conf:

      [libdefaults]

              default_realm = SCSYNERGY.INVALID

              dns_lookup_realm = false

              dns_lookup_kdc = false

              forwardable = true

      [realms]

              SCSYNERGY.INVALID = {

                      kdc = 192.168.17.2:88

                      admin_server = 192.168.17.2

              }

      [domain_realm]

              .scsynergy.invalid = SCSYNERGY.INVALID

              scsynergy.invalid = SCSYNERGY.INVALID

       

      I use Samba for Active Directory according to this article https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

      I created a keytab file with the following commands:

      samba-tool user add --use-username-as-cn spnego

      samba-tool spn add HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID spnego

      samba-tool domain exportkeytab spnego.keytab --principal=HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

       

      I had to add Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8 Download to my JRE or otherwise Java was not able to handle the encryption types (Found unsupported keytype (3) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID)

       

      I can kinit as any user without problems, the browser does the SPNEGO negotiation but then fails when trying to authenticate to the 'host' security domain with the above error. I have tried putting Wildfly and Samba on the same machine, different machines, tried using the webpage from a separate third PC or the same PC as Wildfly is running on, tried changing user names, domains configuration values ... all to no avail - though by playing around I did notice that anything except the current values would brake it more than it is now..

       

      I attached some files which show what computers, SPNs and users Samba 'Active Directory' has.

       

      Any help in solving this issue would be greatly appreciated!

        • 1. Re: Wildfly and SPNEGO
          Martin Choma Expert

          Hi,

           

          You see, you get "Client not found in Kerberos database" in moment of HTTP ticket obtaining. So please double check HTTP/spnego.scsynergy.invalid and krbtgt configuration in Active Directory.

           

          For example servicePrincipalName: kadmin/changepw of krbtgt seems strange to me.

           

          Are you testing on http://spnego.scsynergy.invalid:{port}/{app} ?

          Does setspn -l spnego returns HTTP/spnego.scsynergy.invalid ?

           

          Otherwise EAP configuration seem OK to me.

           

          Martin

          • 2. Re: Wildfly and SPNEGO
            Ronald Feicht Newbie

            The service principal name of krbtgt is probably the default value that Samba configured since I did not touch that. I am not really apt at Windows stuff - more of a Unix expert - but since kinit works on any of the three machines (debian = client with Firefox, spnego = Wildfly, ad = Samba Active Directory) I assume that krbtgt is configured correctly?

            root@debian:~# kinit Administrator@SCSYNERGY.INVALID

            Password for Administrator@SCSYNERGY.INVALID:

            Warning: Your password will expire in 32 days on Fri 05 Aug 2016 01:41:38 PM CEST

            root@debian:~# klist

            Ticket cache: FILE:/tmp/krb5cc_0

            Default principal: Administrator@SCSYNERGY.INVALID

            Valid starting       Expires              Service principal

            07/04/2016 10:19:49  07/04/2016 20:19:49  krbtgt/SCSYNERGY.INVALID@SCSYNERGY.INVALID

                    renew until 07/05/2016 10:19:45

             

            root@spnego:/opt/elementary/wildfly-10.0.0.Final/standalone/configuration# kinit spnego@SCSYNERGY.INVALID

            Password for spnego@SCSYNERGY.INVALID:

            Warning: Your password will expire in 39 days on Fri 12 Aug 2016 10:26:16 AM CEST

            root@spnego:/opt/elementary/wildfly-10.0.0.Final/standalone/configuration# klist

            Ticket cache: FILE:/tmp/krb5cc_0

            Default principal: spnego@SCSYNERGY.INVALID

            Valid starting       Expires              Service principal

            07/04/2016 10:01:01  07/04/2016 20:01:01  krbtgt/SCSYNERGY.INVALID@SCSYNERGY.INVALID

                    renew until 07/05/2016 10:00:58

             

            root@ad:~# kinit Administrator@SCSYNERGY.INVALID

            Password for Administrator@SCSYNERGY.INVALID:

            Warning: Your password will expire in 32 days on Fri 05 Aug 2016 01:41:38 PM CEST

            root@ad:~# klist

            Ticket cache: FILE:/tmp/krb5cc_0

            Default principal: Administrator@SCSYNERGY.INVALID

            Valid starting       Expires              Service principal

            07/04/2016 10:21:45  07/04/2016 20:21:45  krbtgt/SCSYNERGY.INVALID@SCSYNERGY.INVALID

                    renew until 07/05/2016 10:21:42

             

             

            The URI I enter into Firefox for testing is https://spnego.scsynergy.invalid:8443/jboss-negotiation-toolkit/ . I added 'https://,http://' to network.negotiate-auth.trusted-uris via Firefox's 'about:config'.

             

            And the SPN seems OK to me, too:

            root@ad:~# samba-tool spn list spnego

            spnego

            User CN=spnego,CN=Users,DC=scsynergy,DC=invalid has the following servicePrincipalName:

                     HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

            • 3. Re: Wildfly and SPNEGO
              Martin Choma Expert

              Regarding krbtgt, right, i realized it after I posted the reply.

               

              It seems to me this is similar to your problem ubuntu - keytab auth against samba 4 DC: Client not found in Kerberos database while getting initial credentials - Serve… Can you try? Can you use setspn command instead of samba-tool command?

               

              I wonder, is any of points mentioned in this blog Blog of 'Brian Murphy-Booth' a.k.a. 'Brian Booth' - The biggest mistake: ServicePrincipalName’s relevant for you? E.g in your case, is wildfly running with user spnego?

              • 4. Re: Wildfly and SPNEGO
                Ronald Feicht Newbie

                It seems to me that the problem described in your first link was already fixed by the Samba team. Oh, by the way, I cannot use the setspn command because these are not Windows machines. Regarding the second link you gave, I had already read that and I had understood its content so, that an SPN does not necessarily have to be a mapping of the user under which Wildfly runs to the AD user - but just to rule that possibility out I recreated the keytab file to map the keytab entry to the AD user 'wildlfy' under which Wildfly runs, but the error stays the same

                # wildfly, Users, scsynergy.invalid

                dn: CN=wildfly,CN=Users,DC=scsynergy,DC=invalid

                objectClass: top

                objectClass: person

                objectClass: organizationalPerson

                objectClass: user

                cn: wildfly

                instanceType: 4

                whenCreated: 20160704091736.0Z

                uSNCreated: 3880

                name: wildfly

                objectGUID:: myAx1v/8z0qVoaR258WrBg==

                badPwdCount: 0

                codePage: 0

                countryCode: 0

                badPasswordTime: 0

                lastLogoff: 0

                lastLogon: 0

                primaryGroupID: 513

                objectSid:: AQUAAAAAAAUVAAAAl9Tl9DVIzKocotHaVQQAAA==

                accountExpires: 9223372036854775807

                logonCount: 0

                sAMAccountName: wildfly

                sAMAccountType: 805306368

                userPrincipalName: wildfly@scsynergy.invalid

                objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=scsynergy,DC=invalid

                pwdLastSet: 131120974560000000

                userAccountControl: 512

                servicePrincipalName: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

                whenChanged: 20160704091824.0Z

                uSNChanged: 3883

                distinguishedName: CN=wildfly,CN=Users,DC=scsynergy,DC=invalid

                • 5. Re: Wildfly and SPNEGO
                  Martin Choma Expert

                  But I can see in your ldap search results, that userPrincipalName doesnt reflect servicePrincipleName

                  Can you, though, try this as described in above link:

                  • 6. Re: Wildfly and SPNEGO
                    Ronald Feicht Newbie

                    Ah, the userPrincipalName, I had overlooked that entry even existed and had only compared the servicePrincipalName. Now that I changed the userPrincipalName of the user to which the SPN is associated like so:

                    root@debian:/tmp# ldapmodify -h ad.scsynergy.invalid -W -x -D "CN=Administrator,CN=Users,DC=scsynergy,DC=invalid"

                    dn: CN=wildfly,CN=Users,DC=scsynergy,DC=invalid

                    changetype: modify

                    replace: userPrincipalName 

                    userPrincipalName: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID                       

                    modifying entry "CN=wildfly,CN=Users,DC=scsynergy,DC=invalid"

                     

                    Now, I finally get

                    Negotiation Toolkit

                    Security Domain Test

                    Testing security-domain 'host'

                    Authenticated

                    Subject:
                    Principal: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
                    Private Credential: Ticket (hex) =
                    0000: 61 82 03 D7 30 82 03 D3 A0 03 02 01 05 A1 13 1B a...0...........
                    0010: 11 53 43 53 59 4E 45 52 47 59 2E 49 4E 56 41 4

                    .

                    .

                    .

                    .

                    .

                    Thank you Martin for your kind support!