6 Replies Latest reply on Jul 4, 2016 7:37 AM by scsynergy

    Wildfly and SPNEGO

    scsynergy

      I have been trying for two weeks now to get SPNEGO SSO authentication working by following this article, SPNego Authentication with JBoss - DZone Integration, but I keep getting this error which I do not know how to solve. For testing purposes I use jboss-negotiation/jboss-negotiation-toolkit at master · wildfly-security/jboss-negotiation · GitHub.

      Wildfly Server log file:

      Options:
      name=principal, value=HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
      name=debug, value=true
      name=doNotPrompt, value=true
      name=storeKey, value=true
      name=keyTab, value=/opt/elementary/wildfly-10.0.0.Final/standalone/configuration/spnego.keytab
      name=useKeyTab, value=true
      name=refreshKrb5Config, value=true

      2016-07-01 10:34:41,303 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) Wrapped Krb5LoginModule is 'com.sun.security.auth.module.Krb5LoginModule'
      2016-07-01 10:34:41,303 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) delegationCredential=IGNORE
      2016-07-01 10:34:41,323 INFO  [stdout] (default task-7) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /opt/elementary/wildfly-10.0.0.Final/standalone/configuration/spnego.keytab refreshKrb5Config is true principal is HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      2016-07-01 10:34:41,324 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) Initialised wrapped login module.
      2016-07-01 10:34:41,324 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) addGssCredential=false
      2016-07-01 10:34:41,325 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) wrapGssCredential=false
      2016-07-01 10:34:41,326 INFO  [stdout] (default task-7) Refreshing Kerberos configuration
      2016-07-01 10:34:41,336 INFO  [stdout] (default task-7) Java config name: /etc/krb5.conf
      2016-07-01 10:34:41,338 INFO  [stdout] (default task-7) Loaded from Java config
      2016-07-01 10:34:41,340 INFO  [stdout] (default task-7) >>> KdcAccessibility: reset
      2016-07-01 10:34:41,341 INFO  [stdout] (default task-7) >>> KdcAccessibility: reset
      2016-07-01 10:34:41,357 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID
      2016-07-01 10:34:41,358 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP
      2016-07-01 10:34:41,358 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid
      2016-07-01 10:34:41,362 INFO  [stdout] (default task-7) >>> KeyTab: load() entry length: 82; type: 1
      2016-07-01 10:34:41,363 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID
      2016-07-01 10:34:41,363 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP
      2016-07-01 10:34:41,365 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid
      2016-07-01 10:34:41,366 INFO  [stdout] (default task-7) >>> KeyTab: load() entry length: 82; type: 3
      2016-07-01 10:34:41,371 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID
      2016-07-01 10:34:41,373 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP
      2016-07-01 10:34:41,374 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid
      2016-07-01 10:34:41,374 INFO  [stdout] (default task-7) >>> KeyTab: load() entry length: 90; type: 17
      2016-07-01 10:34:41,375 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID
      2016-07-01 10:34:41,375 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP
      2016-07-01 10:34:41,381 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid
      2016-07-01 10:34:41,381 INFO  [stdout] (default task-7) >>> KeyTab: load() entry length: 106; type: 18
      2016-07-01 10:34:41,381 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): SCSYNERGY.INVALID
      2016-07-01 10:34:41,382 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): HTTP
      2016-07-01 10:34:41,382 INFO  [stdout] (default task-7) >>> KeyTabInputStream, readName(): spnego.scsynergy.invalid
      2016-07-01 10:34:41,382 INFO  [stdout] (default task-7) >>> KeyTab: load() entry length: 90; type: 23
      2016-07-01 10:34:41,382 INFO  [stdout] (default task-7) Looking for keys for: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
      2016-07-01 10:34:41,384 INFO  [stdout] (default task-7) Added key: 23version: 1
      2016-07-01 10:34:41,384 INFO  [stdout] (default task-7) Added key: 18version: 1
      2016-07-01 10:34:41,385 INFO  [stdout] (default task-7) Added key: 17version: 1
      2016-07-01 10:34:41,385 INFO  [stdout] (default task-7) Found unsupported keytype (3) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
      2016-07-01 10:34:41,387 INFO  [stdout] (default task-7) Found unsupported keytype (1) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
      2016-07-01 10:34:41,399 INFO  [stdout] (default task-7) Looking for keys for: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
      2016-07-01 10:34:41,399 INFO  [stdout] (default task-7) Added key: 23version: 1
      2016-07-01 10:34:41,399 INFO  [stdout] (default task-7) Added key: 18version: 1
      2016-07-01 10:34:41,401 INFO  [stdout] (default task-7) Added key: 17version: 1
      2016-07-01 10:34:41,401 INFO  [stdout] (default task-7) Found unsupported keytype (3) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
      2016-07-01 10:34:41,401 INFO  [stdout] (default task-7) Found unsupported keytype (1) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
      2016-07-01 10:34:41,402 INFO  [stdout] (default task-7) Using builtin default etypes for default_tkt_enctypes
      2016-07-01 10:34:41,402 INFO  [stdout] (default task-7) default etypes for default_tkt_enctypes: 18 17 16 23.
      2016-07-01 10:34:41,407 INFO  [stdout] (default task-7) >>> KrbAsReq creating message
      2016-07-01 10:34:41,410 INFO  [stdout] (default task-7) >>> KrbKdcReq send: kdc=192.168.17.2 UDP:88, timeout=30000, number of retries =3, #bytes=177
      2016-07-01 10:34:41,414 INFO  [stdout] (default task-7) >>> KDCCommunication: kdc=192.168.17.2 UDP:88, timeout=30000,Attempt =1, #bytes=177
      2016-07-01 10:34:41,417 INFO  [stdout] (default task-7) >>> KrbKdcReq send: #bytes read=174
      2016-07-01 10:34:41,418 INFO  [stdout] (default task-7) >>> KdcAccessibility: remove 192.168.17.2:88
      2016-07-01 10:34:41,419 INFO  [stdout] (default task-7) >>> KDCRep: init() encoding tag is 126 req type is 11
      2016-07-01 10:34:41,420 INFO  [stdout] (default task-7) >>>KRBError:
      2016-07-01 10:34:41,421 INFO  [stdout] (default task-7)          sTime is Fri Jul 01 10:34:41 CEST 2016 1467362081000
      2016-07-01 10:34:41,422 INFO  [stdout] (default task-7)          suSec is 419369
      2016-07-01 10:34:41,424 INFO  [stdout] (default task-7)          error code is 6
      2016-07-01 10:34:41,425 INFO  [stdout] (default task-7)          error Message is Client not found in Kerberos database
      2016-07-01 10:34:41,428 INFO  [stdout] (default task-7)          cname is HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
      2016-07-01 10:34:41,428 INFO  [stdout] (default task-7)          sname is krbtgt/SCSYNERGY.INVALID@SCSYNERGY.INVALID
      2016-07-01 10:34:41,428 INFO  [stdout] (default task-7)          msgType is 30
      2016-07-01 10:34:41,428 INFO  [stdout] (default task-7)                 [Krb5LoginModule] authentication failed
      2016-07-01 10:34:41,428 INFO  [stdout] (default task-7) Client not found in Kerberos database (6)
      2016-07-01 10:34:41,429 TRACE [org.jboss.security.negotiation.KerberosLoginModule] (default task-7) Calling wrapped login module to abort.
      2016-07-01 10:34:41,431 TRACE [org.jboss.security] (default task-7) PBOX00244: Begin abort method, overall result: false
      2016-07-01 10:34:41,432 DEBUG [org.jboss.security] (default task-7) PBOX00206: Login failure: javax.security.auth.login.LoginException: Client not found in Kerberos database (6)
              at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)
              at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
              at org.jboss.security.negotiation.KerberosLoginModule.login(KerberosLoginModule.java:190)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.getServerSubject(SPNEGOLoginModule.java:332)
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:285)
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:229)
              at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:147)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.lang.reflect.Method.invoke(Method.java:498)
              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
              at java.security.AccessController.doPrivileged(Native Method)
              at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
              at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
              at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
              at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
              at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
              at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:99)
              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
              at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
              at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
              at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
              at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
              at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
              at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
              at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
              at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
              at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
              at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
              at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
              at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
              at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
              at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
              at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
              at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
              at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
              at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
              at java.lang.Thread.run(Thread.java:745)
      Caused by: KrbException: Client not found in Kerberos database (6)
              at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:76)
              at sun.security.krb5.KrbAsReqBuilder.send(KrbAsReqBuilder.java:316)
              at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)
              at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)
              ... 64 more
      Caused by: KrbException: Identifier doesn't match expected value (906)
              at sun.security.krb5.internal.KDCRep.init(KDCRep.java:140)
              at sun.security.krb5.internal.ASRep.init(ASRep.java:64)
              at sun.security.krb5.internal.ASRep.<init>(ASRep.java:59)
              at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:60)
              ... 67 more

       

      standalone.xml (just the relevant parts):

      <system-properties>
          <property name="grape.root" value="${jboss.server.base.dir}"/>
          <property name="java.security.krb5.conf" value="/etc/krb5.conf"/>
          <property name="java.security.krb5.debug" value="true"/>
          <property name="jboss.security.disable.secdomain.option" value="true"/>
      </system-properties>

      <security-domain name="SPNEGO" cache-type="default">
          <authentication>
              <login-module code="SPNEGO" flag="required">
                  <module-option name="password-stacking" value="useFirstPass"/>
                  <module-option name="serverSecurityDomain" value="host"/>
              </login-module>
          </authentication>
          <mapping>
              <mapping-module code="SimpleRoles" type="role">
                  <module-option name="Administrator@SCSYNERGY.INVALID" value="Admin"/>
              </mapping-module>
          </mapping>
      </security-domain>
      <security-domain name="host" cache-type="default">
          <authentication>
              <login-module code="Kerberos" flag="required" module="org.jboss.security.negotiation">
                  <module-option name="refreshKrb5Config" value="true"/>
                  <module-option name="doNotPrompt" value="true"/>
                  <module-option name="useKeyTab" value="true"/>
                  <module-option name="keyTab" value="${jboss.server.config.dir}/spnego.keytab"/>
                  <module-option name="storeKey" value="true"/>
                  <module-option name="principal" value="HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID"/>
                  <module-option name="debug" value="true"/>
              </login-module>
          </authentication>
      </security-domain>
      </security-domains>

       

      /etc/krb5.conf:

      [libdefaults]
              default_realm = SCSYNERGY.INVALID
              dns_lookup_realm = false
              dns_lookup_kdc = false
              forwardable = true
      [realms]
              SCSYNERGY.INVALID = {
                      kdc = 192.168.17.2:88
                      admin_server = 192.168.17.2
              }
      [domain_realm]
              .scsynergy.invalid = SCSYNERGY.INVALID
              scsynergy.invalid = SCSYNERGY.INVALID

       

      I use Samba for Active Directory according to this article https://wiki.samba.org/index.php/Setup_a_Samba_Active_Directory_Domain_Controller

      I created a keytab file with the following commands:

      samba-tool user add --use-username-as-cn spnego
      samba-tool spn add HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID spnego
      samba-tool domain exportkeytab spnego.keytab --principal=HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

       

      I had to add Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for JDK/JRE 8 Download to my JRE, or otherwise Java was not able to handle the encryption types (Found unsupported keytype (3) for HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID).

       

      I can kinit as any user without problems; the browser does the SPNEGO negotiation but then fails when trying to authenticate to the 'host' security domain with the above error. I have tried putting Wildfly and Samba on the same machine or on different machines, tried using the web page from a separate third PC or from the same PC Wildfly is running on, tried changing user names, domains, configuration values ... all to no avail. Though by playing around I did notice that anything except the current values would break it more than it is now.

       

      I attached some files which show what computers, SPNs and users Samba 'Active Directory' has.

       

      Any help in solving this issue would be greatly appreciated!
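      The debug log above reads the keytab entry by entry (types 1, 3, 17, 18 and 23, entry lengths 82, 90 and 106) before anything talks to the KDC, so checking the keytab itself is the first thing to do. The following parser for the 0x0502 keytab format is an added example, not code from this thread, WildFly or Samba: it lists the principals, enctypes and kvnos a keytab carries, flags single-DES and RC4 entries and a missing or stale entry for the configured principal, and builds a constructed fixture with dummy keys whose per-entry trailer (32-bit kvno plus flags word) is assumed from the entry lengths the JDK printed.

```python
import struct

# Enctype numbers in the thread's keytab (RFC 3961/3962/4757) and their raw key sizes.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KEY_LEN = {1: 8, 3: 8, 17: 16, 18: 32, 23: 16}
LEGACY_ENCTYPES = {1, 3, 23}          # single DES and RC4-HMAC

def _counted(buf, pos):
    """Read a uint16-length-prefixed string (keytab 'counted octet string')."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode(), pos + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab into dicts of principal, enctype, kvno and
    entry length; the key bytes themselves are skipped on purpose."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp)
        _ntype, _stamp, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + keylen
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno; 0 means "use vno8"
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "entry_len": size})
        pos = end                         # also skips a trailing flags word, if any
    return entries

def check_keytab(data, expected_principal):
    """Return (usable, findings) for the principal named in the login module config."""
    entries = parse_keytab(data)
    mine = [e for e in entries if e["principal"] == expected_principal]
    if not mine:
        present = sorted({e["principal"] for e in entries})
        return False, ["no entry for %s (present: %s)" % (expected_principal, present)]
    findings = []
    if len({e["kvno"] for e in mine}) > 1:
        findings.append("mixed kvnos: keytab may be stale after a password change")
    for e in mine:
        if e["enctype"] in LEGACY_ENCTYPES:
            findings.append("legacy enctype %d (%s) present, kvno %d" % (
                e["enctype"], ENCTYPE_NAMES[e["enctype"]], e["kvno"]))
    has_aes = any(e["enctype"] in (17, 18) for e in mine)
    if not has_aes:
        findings.append("no AES key (17/18): AES service tickets cannot be decrypted")
    return has_aes, findings

def build_keytab(principal, enctypes, kvno=1):
    """Constructed fixture with dummy key bytes (not real secrets). Each entry ends
    with a 32-bit kvno and a flags word, a trailer assumed from the entry lengths
    the JDK printed in the thread (82 for DES, 90 for AES-128/RC4, 106 for AES-256)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    out = bytearray(b"\x05\x02")
    for et in enctypes:
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBHH", 1, 1467362081, kvno, et, KEY_LEN[et])
        body += bytes([et]) * KEY_LEN[et] + struct.pack(">II", kvno, 0)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)
```

      Run `check_keytab(open("spnego.keytab", "rb").read(), principal)` with the principal from the login-module option; a real keytab parses the same way as the fixture.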

        • 1. Re: Wildfly and SPNEGO
          mchoma

          Hi,

           

          You see, you get "Client not found in Kerberos database" at the moment the HTTP ticket is being obtained. So please double-check the HTTP/spnego.scsynergy.invalid and krbtgt configuration in Active Directory.

           

          For example servicePrincipalName: kadmin/changepw of krbtgt seems strange to me.

           

          Are you testing on http://spnego.scsynergy.invalid:{port}/{app} ?

          Does setspn -l spnego return HTTP/spnego.scsynergy.invalid?

           

          Otherwise the EAP configuration seems OK to me.

           

          Martin

          • 2. Re: Wildfly and SPNEGO
            scsynergy

            The service principal name of krbtgt is probably the default value that Samba configured, since I did not touch that. I am not really adept at Windows stuff - more of a Unix expert - but since kinit works on any of the three machines (debian = client with Firefox, spnego = Wildfly, ad = Samba Active Directory), I assume that krbtgt is configured correctly?

            root@debian:~# kinit Administrator@SCSYNERGY.INVALID
            Password for Administrator@SCSYNERGY.INVALID:
            Warning: Your password will expire in 32 days on Fri 05 Aug 2016 01:41:38 PM CEST
            root@debian:~# klist
            Ticket cache: FILE:/tmp/krb5cc_0
            Default principal: Administrator@SCSYNERGY.INVALID
            Valid starting       Expires              Service principal
            07/04/2016 10:19:49  07/04/2016 20:19:49  krbtgt/SCSYNERGY.INVALID@SCSYNERGY.INVALID
                    renew until 07/05/2016 10:19:45

            root@spnego:/opt/elementary/wildfly-10.0.0.Final/standalone/configuration# kinit spnego@SCSYNERGY.INVALID
            Password for spnego@SCSYNERGY.INVALID:
            Warning: Your password will expire in 39 days on Fri 12 Aug 2016 10:26:16 AM CEST
            root@spnego:/opt/elementary/wildfly-10.0.0.Final/standalone/configuration# klist
            Ticket cache: FILE:/tmp/krb5cc_0
            Default principal: spnego@SCSYNERGY.INVALID
            Valid starting       Expires              Service principal
            07/04/2016 10:01:01  07/04/2016 20:01:01  krbtgt/SCSYNERGY.INVALID@SCSYNERGY.INVALID
                    renew until 07/05/2016 10:00:58

            root@ad:~# kinit Administrator@SCSYNERGY.INVALID
            Password for Administrator@SCSYNERGY.INVALID:
            Warning: Your password will expire in 32 days on Fri 05 Aug 2016 01:41:38 PM CEST
            root@ad:~# klist
            Ticket cache: FILE:/tmp/krb5cc_0
            Default principal: Administrator@SCSYNERGY.INVALID
            Valid starting       Expires              Service principal
            07/04/2016 10:21:45  07/04/2016 20:21:45  krbtgt/SCSYNERGY.INVALID@SCSYNERGY.INVALID
                    renew until 07/05/2016 10:21:42

             

             

            The URI I enter into Firefox for testing is https://spnego.scsynergy.invalid:8443/jboss-negotiation-toolkit/ . I added 'https://,http://' to network.negotiate-auth.trusted-uris via Firefox's 'about:config'.

             

            And the SPN seems OK to me, too:

            root@ad:~# samba-tool spn list spnego
            spnego
            User CN=spnego,CN=Users,DC=scsynergy,DC=invalid has the following servicePrincipalName:
                     HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID

            • 3. Re: Wildfly and SPNEGO
              mchoma

              Regarding krbtgt, right, I realized it after I posted the reply.

               

              It seems to me this is similar to your problem: ubuntu - keytab auth against samba 4 DC: Client not found in Kerberos database while getting initial credentials - Serve… Can you try? Can you use the setspn command instead of the samba-tool command?

               

              I wonder, are any of the points mentioned in this blog, Blog of 'Brian Murphy-Booth' a.k.a. 'Brian Booth' - The biggest mistake: ServicePrincipalName’s, relevant for you? E.g., in your case, is Wildfly running as user spnego?

              • 4. Re: Wildfly and SPNEGO
                scsynergy

                It seems to me that the problem described in your first link was already fixed by the Samba team. Oh, by the way, I cannot use the setspn command because these are not Windows machines. Regarding the second link you gave, I had already read that, and I had understood its content to mean that an SPN does not necessarily have to be a mapping of the user under which Wildfly runs to the AD user; but just to rule that possibility out, I recreated the keytab file to map the keytab entry to the AD user 'wildfly' under which Wildfly runs, but the error stays the same:

                # wildfly, Users, scsynergy.invalid
                dn: CN=wildfly,CN=Users,DC=scsynergy,DC=invalid
                objectClass: top
                objectClass: person
                objectClass: organizationalPerson
                objectClass: user
                cn: wildfly
                instanceType: 4
                whenCreated: 20160704091736.0Z
                uSNCreated: 3880
                name: wildfly
                objectGUID:: myAx1v/8z0qVoaR258WrBg==
                badPwdCount: 0
                codePage: 0
                countryCode: 0
                badPasswordTime: 0
                lastLogoff: 0
                lastLogon: 0
                primaryGroupID: 513
                objectSid:: AQUAAAAAAAUVAAAAl9Tl9DVIzKocotHaVQQAAA==
                accountExpires: 9223372036854775807
                logonCount: 0
                sAMAccountName: wildfly
                sAMAccountType: 805306368
                userPrincipalName: wildfly@scsynergy.invalid
                objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=scsynergy,DC=invalid
                pwdLastSet: 131120974560000000
                userAccountControl: 512
                servicePrincipalName: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
                whenChanged: 20160704091824.0Z
                uSNChanged: 3883
                distinguishedName: CN=wildfly,CN=Users,DC=scsynergy,DC=invalid

                • 5. Re: Wildfly and SPNEGO
                  mchoma

                  But I can see in your LDAP search results that userPrincipalName doesn't reflect servicePrincipalName.

                  Can you, though, try this as described in the above link:

                  • 6. Re: Wildfly and SPNEGO
                    scsynergy

                    Ah, the userPrincipalName, I had overlooked that entry even existed and had only compared the servicePrincipalName. Now that I changed the userPrincipalName of the user to which the SPN is associated like so:

                    root@debian:/tmp# ldapmodify -h ad.scsynergy.invalid -W -x -D "CN=Administrator,CN=Users,DC=scsynergy,DC=invalid"
                    dn: CN=wildfly,CN=Users,DC=scsynergy,DC=invalid
                    changetype: modify
                    replace: userPrincipalName
                    userPrincipalName: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
                    modifying entry "CN=wildfly,CN=Users,DC=scsynergy,DC=invalid"

                     

                    Now, I finally get:

                    Negotiation Toolkit
                    Security Domain Test
                    Testing security-domain 'host'
                    Authenticated
                    Subject:
                    Principal: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
                    Private Credential: Ticket (hex) =
                    0000: 61 82 03 D7 30 82 03 D3 A0 03 02 01 05 A1 13 1B a...0...........
                    0010: 11 53 43 53 59 4E 45 52 47 59 2E 49 4E 56 41 4
                    ...

                    Thank you Martin for your kind support!
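                    The fix in reply 6, as a check one can run against the account's LDIF before touching the directory. This is an added example, not code from the thread, WildFly or Samba; the lookup rule it encodes (Samba AD resolves the client of an AS-REQ by userPrincipalName or sAMAccountName@REALM, and consults servicePrincipalName only when a ticket for the service is requested) is inferred from the thread's outcome and the JDK debug log, which shows the Kerberos login module running with isInitiator=true and therefore sending an AS-REQ with cname equal to the configured principal.

```python
# Constructed from the LDIF pasted in reply 4, trimmed to the attributes that matter.
SAMPLE_LDIF = """\
dn: CN=wildfly,CN=Users,DC=scsynergy,DC=invalid
objectClass: user
sAMAccountName: wildfly
userPrincipalName: wildfly@scsynergy.invalid
servicePrincipalName: HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID
"""
REALM = "SCSYNERGY.INVALID"
SPN = "HTTP/spnego.scsynergy.invalid@SCSYNERGY.INVALID"


def parse_ldif(text):
    """Minimal single-entry LDIF reader: attribute name -> list of values.
    Comment and blank lines are skipped; '::' (base64) values stay encoded."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:
            attrs.setdefault(name.strip(), []).append(value.lstrip(": ").rstrip())
    return attrs


def as_req_client_names(entry, realm):
    """Names under which the KDC finds this account as the *client* of an AS-REQ
    (assumed from the thread: the userPrincipalName as stored, which the
    ldapmodify fix set, or sAMAccountName@REALM, which 'kinit spnego@...' used).
    servicePrincipalName values are only matched on the service side (TGS)."""
    names = set(entry.get("userPrincipalName", []))
    names.update("%s@%s" % (sam, realm) for sam in entry.get("sAMAccountName", []))
    return names


def diagnose_login_principal(entry, configured_principal, realm):
    """Findings for the 'principal' module option of the Kerberos login module.
    With isInitiator=true (what the debug log shows) the module sends an AS-REQ
    with cname=principal, so the account must be resolvable by that name or the
    KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN (error code 6)."""
    findings = []
    if configured_principal not in entry.get("servicePrincipalName", []):
        findings.append("not in servicePrincipalName: no service ticket can be issued for it")
    if configured_principal not in as_req_client_names(entry, realm):
        findings.append("matches neither userPrincipalName nor sAMAccountName@REALM: "
                        "the AS-REQ fails with error 6 (Client not found in Kerberos database)")
    return findings


def upn_fix_ldif(dn, principal):
    """The ldapmodify change record used in the thread to make the UPN equal the SPN."""
    return ("dn: %s\nchangetype: modify\nreplace: userPrincipalName\n"
            "userPrincipalName: %s\n" % (dn, principal))


def apply_upn_fix(entry, principal):
    """Return a copy of the entry with userPrincipalName replaced, to re-run the check."""
    fixed = dict(entry)
    fixed["userPrincipalName"] = [principal]
    return fixed


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    for finding in diagnose_login_principal(entry, SPN, REALM):
        print("before:", finding)
    print(upn_fix_ldif(entry["dn"][0], SPN))
    print("after:", diagnose_login_principal(apply_upn_fix(entry, SPN), SPN, REALM))
```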