5 Replies Latest reply on May 10, 2017 2:33 AM by Martin Choma

    Wildfly 10 and SPNEGO

    Cain Cain Newbie

      Hello,

       

      I've been doing research on how to get Wildfly to use LDAP (Active Directory in our case).  I was able to create a security domain using the LdapExtLoginModule and log in to the application using that.  However, it would be nice if users didn't have to log in manually.  This led me to SPNEGO, but I can't seem to get it working.  The first change I made was setting <auth-method>SPNEGO</auth-method> and adding <realm-name>MyRealm</realm-name> to the web.xml.  MyRealm references my newly converted ldap realm via jaas, which I used when using FORM authentication.  That didn't work so I did some research and discovered that I can create an ldap security realm, so I did that and added all the connection info in and updated my web.xml, but it also doesn't work.  Unfortunately I don't seem to get any message in the log file, despite adding logger categories for org.jboss.security and com.sun.jndi.ldap.

       

      <security-realm name="LdapRealm">
        <authentication>
          <ldap connection="LocalLdap" base-dn="ou=HQ,dc=domain,dc=com">
            <username-filter attribute="sAMAccountName={0}"/>
          </ldap>
        </authentication>
        <authorization>
          <ldap connection="LocalLdap">
            <username-to-dn>
              <username-is-dn />
            </username-to-dn>
            <group-search group-name="SIMPLE" iterative="true" group-dn-attribute="dn" group-name-attribute="uid">
              <principal-to-group group-attribute="memberOf" />
            </group-search>
          </ldap>
        </authorization>
      </security-realm>
      

       

      Is there a guide anywhere that I can follow to get SPNEGO set up?  As I previously mentioned, I did get ldap authentication working fine using FORM authentication, so I know I can connect to the ldap server fine.

        • 2. Re: Wildfly 10 and SPNEGO
          Cain Cain Newbie

          OK, I followed a couple of guides and still can't get this to work.  Here are the guides, and here's what I did:

           

          Section 5: Active directory user creation: Negotiation User Guide

          Rest of the configuration including keytab export: Configuring JBoss Negotiation in an all Windows Domain

           

          I went through and followed the guide exactly and I just can't get past this checksum exception.

           

          standalone.xml

           

          <security-domain name="Kerberos">
            <authentication>
              <login-module code="com.sun.security.auth.module.Krb5LoginModule" module="org.jboss.security.negotiation" flag="sufficient">
                <module-option name="debug" value="true"/>
                <module-option name="storeKey" value="true"/>
                <module-option name="refreshKrb5Config" value="true"/>
                <module-option name="useKeyTab" value="true"/>
                <module-option name="doNotPrompt" value="true"/>
                <module-option name="principal" value="HTTP/wildflyhost@FOO.com"/>
                <module-option name="keyTab" value="C:/keytab/wildfly.keytab"/>
              </login-module>
            </authentication>
          </security-domain>
          <security-domain name="FOODomain" cache-type="default">
            <authentication>
              <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" module="org.jboss.security.negotiation" flag="requisite">
                <module-option name="password-stacking" value="useFirstPass"/>
                <module-option name="serverSecurityDomain" value="Kerberos"/>
              </login-module>
            </authentication>
          </security-domain>

           

          Here's the exception I keep getting

           

          11:19:57,004 DEBUG [org.jboss.security] (default task-4) PBOX00206: Login failure: javax.security.auth.login.LoginException: Checksum failed

            at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804)

            at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)

            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

            at java.lang.reflect.Method.invoke(Method.java:498)

            at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)

            at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)

            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)

            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)

            at java.security.AccessController.doPrivileged(Native Method)

            at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

            at javax.security.auth.login.LoginContext.login(LoginContext.java:587)

            at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.getServerSubject(SPNEGOLoginModule.java:332)

            at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:285)

            at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:229)

            at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:147)

            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

            at java.lang.reflect.Method.invoke(Method.java:498)

            at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)

            at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)

            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)

            at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)

            at java.security.AccessController.doPrivileged(Native Method)

            at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)

            at javax.security.auth.login.LoginContext.login(LoginContext.java:587)

            at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)

            at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)

            at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)

            at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)

            at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)

            at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)

            at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:101)

            at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)

            at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)

            at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)

            at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)

            at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)

            at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)

            at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)

            at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)

            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

            at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)

            at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)

            at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)

            at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)

            at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)

            at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)

            at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)

            at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)

            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

            at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)

            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

            at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)

            at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)

            at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)

            at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)

            at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)

            at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)

            at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)

            at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)

            at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)

            at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)

            at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)

            at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)

            at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)

            at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)

            at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)

            at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)

            at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)

            at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)

            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

            at java.lang.Thread.run(Thread.java:745)

          Caused by: KrbException: Checksum failed

            at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:102)

            at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:94)

            at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175)

            at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:149)

            at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121)

            at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:285)

            at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361)

            at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776)

            ... 75 more

          Caused by: java.security.GeneralSecurityException: Checksum failed

            at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451)

            at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272)

            at sun.security.krb5.internal.crypto.Aes128.decrypt(Aes128.java:76)

            at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:100)

            ... 82 more

          • 3. Re: Wildfly 10 and SPNEGO
            Cain Cain Newbie

            It looks like I'm getting closer.  When I try to log in now, I keep getting a PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required. that repeats over and over until IE says the page cannot be displayed.  Chrome gives an error saying there are too many redirects.  I also get an entry in the log that says 'Storing username 'user@domain.com' and empty password'.  I think I'm almost there, just need to get over this last hurdle.

             

            EDIT:  For reference here's what I'm doing

             

            1. Create new user called wildfly in Active Directory (Server 2008) with login name wildfly

            2. Open properties for the user, check no pre-authorization

             

            map principal to server

            ktpass -princ HTTP/jb2016.foo.com@FOO.COM -pass * -mapuser FOO_DOMAIN\wildfly -ptype KRB5_NT_PRINCIPAL -crypto ALL

             

            reset password for wildfly (otherwise the ktab command won't generate the correct checksum)

             

            determine KVNO for use with ktab command

            dsquery * -filter sAMAccountName=wildfly -attr msDS-KeyVersionNumber

             

            create keytab file

            ktab -k wildfly.keytab -a HTTP/jb2016.foo.com@FOO.COM -n <KVNO>

             

            verify the appropriate stuff is in the keytab file

            ktab -l -e -k wildfly.keytab

             

            KVNO Principal

            ---- ----------------------------------------------------------------------

               4 HTTP/jb2016.foo.com@FOO.COM (18:AES256 CTS mode with HMAC SHA1-96)

               4 HTTP/jb2016.foo.com@FOO.COM (17:AES128 CTS mode with HMAC SHA1-96)

               4 HTTP/jb2016.foo.com@FOO.COM (16:DES3 CBC mode with SHA1-KD)

               4 HTTP/jb2016.foo.com@FOO.COM (23:RC4 with HMAC)

             

            set principal in standalone.xml

            <module-option name="principal" value="HTTP/jb2016.foo.com@FOO.COM"/>
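
An added example, not part of the original post: a Python check for the two things the steps above verify by eye, namely that the keytab's KVNO matches the msDS-KeyVersionNumber value from the directory and that its encryption types overlap the ones the Kerberos configuration allows. It assumes the keytab uses the version 0x0502 file format; the function names, the sample keytab with all-zero keys, the directory KVNO of 5 and the enctype list are constructed for illustration.

```python
import struct

# Kerberos encryption type numbers as shown by `ktab -l -e`.
ETYPES = {"des-cbc-crc": 1, "des-cbc-md5": 3, "des3-cbc-sha1": 16,
          "aes128-cts": 17, "aes256-cts": 18, "rc4-hmac": 23}


def _counted(buf, pos):
    """Read a 16-bit length-prefixed field; return (bytes, next_pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("field runs past end of keytab entry")
    return buf[pos:pos + n], pos + n


def parse_keytab(data):
    """Parse a version 0x0502 keytab; key bytes are measured, never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab (expected 0x05 0x02 header)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        rec = data[pos:pos + size]
        if len(rec) != size:
            raise ValueError("truncated keytab entry")
        pos += size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _counted(rec, p)
            comps.append(comp.decode("utf-8"))
        # name type (4), timestamp (4), 8-bit KVNO (1), encryption type (2)
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", rec, p)
        key, p = _counted(rec, p + 11)
        if len(rec) - p >= 4:        # optional 32-bit KVNO; wins when non-zero
            (kvno32,) = struct.unpack_from(">I", rec, p)
            kvno = kvno32 or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode("utf-8"),
                        "kvno": kvno, "etype": etype, "key_len": len(key)})
    return entries


def check_keytab(entries, principal, directory_kvno, enctype_names):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        found = sorted({e["principal"] for e in entries})
        return [f"no entry for {principal}; keytab holds {found}"]
    for e in mine:
        if e["kvno"] != directory_kvno:
            findings.append(f"etype {e['etype']}: keytab KVNO {e['kvno']} "
                            f"differs from directory KVNO {directory_kvno}")
    allowed = {ETYPES[n] for n in enctype_names if n in ETYPES}
    if not allowed & {e["etype"] for e in mine}:
        findings.append("no keytab entry uses an encryption type the "
                        "Kerberos configuration allows")
    return findings


def build_sample_keytab(principal, kvno, etype_key_lens):
    """Constructed test input: entries with all-zero keys, not real secrets."""
    name, realm = principal.split("@")
    out = b"\x05\x02"
    for etype, key_len in etype_key_lens:
        rec = struct.pack(">H", len(name.split("/")))
        for field in [realm] + name.split("/"):
            raw = field.encode("utf-8")
            rec += struct.pack(">H", len(raw)) + raw
        rec += struct.pack(">IIBH", 1, 0, kvno, etype)
        rec += struct.pack(">H", key_len) + bytes(key_len)
        out += struct.pack(">i", len(rec)) + rec
    return out


# Constructed sample mirroring the listing above: four entries at KVNO 4.
SPN = "HTTP/jb2016.foo.com@FOO.COM"
SAMPLE = build_sample_keytab(SPN, 4, [(18, 32), (17, 16), (16, 24), (23, 16)])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE)
    for e in parsed:
        print(e["kvno"], e["principal"], e["etype"], e["key_len"])
    # Directory KVNO 5 is a constructed case: password changed after export.
    for finding in check_keytab(parsed, SPN, 5, ["aes128-cts", "rc4-hmac"]):
        print("FINDING:", finding)
```

To run it against a real file, pass the bytes of the keytab to `parse_keytab` and the number reported by the `dsquery` step as `directory_kvno`.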

            • 4. Re: Wildfly 10 and SPNEGO
              Cain Cain Newbie

              Another update, so people don't try to help with outdated information.

               

              I'm now at the point where the keytab is set up correctly (I believe) and it tries to authenticate, but then it goes into a loop of exceptions.

               

              Relevant standalone.xml stuff

              <security-domain name="Kerberos">
                  <authentication>
                <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient" module="org.jboss.security.negotiation">
                   <module-option name="debug" value="true"/>
                   <module-option name="storeKey" value="true"/>
                   <module-option name="refreshKrb5Config" value="true"/>
                   <module-option name="useKeyTab" value="true"/>
                   <module-option name="doNotPrompt" value="false"/>
                   <module-option name="principal" value="HTTP/jb2016.domain.com@DOMAIN.COM"/>
                   <module-option name="keyTab" value="C:/temp/wildfly.keytab"/>
                </login-module>
                  </authentication>
              </security-domain>
              <security-domain name="SPNEGO" cache-type="default">
                  <authentication>
                <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite" module="org.jboss.security.negotiation">
                   <module-option name="password-stacking" value="useFirstPass"/>
                   <module-option name="serverSecurityDomain" value="Kerberos"/>
                </login-module>
                  </authentication>
              </security-domain>
              </security-domains>
              

               

               

              krb5.conf

              [libdefaults]
                default_realm = DOMAIN.COM
                ticket_lifetime = 600
                default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
                default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
                permitted_enctypes  = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
              
              [realms]
                DOMAIN.COM = {
                kdc = dc2.domain.com
                admin_server = dc2.domain.com
                default_domain = DOMAIN.COM
              }
              
              
              [domain_realm]
                .domain.com = .DOMAIN.COM
                domain.com = DOMAIN.COM
              

               

              wildfly.keytab

              KVNO Principal
              ---- ----------------------------------------------------------------------
                4 HTTP/jb2016.domain.com@DOMAIN.COM (18:AES256 CTS mode with HMAC SHA1-96)
                4 HTTP/jb2016.domain.com@DOMAIN.COM (17:AES128 CTS mode with HMAC SHA1-96)
                4 HTTP/jb2016.domain.com@DOMAIN.COM (16:DES3 CBC mode with SHA1-KD)
                4 HTTP/jb2016.domain.com@DOMAIN.COM (23:RC4 with HMAC)
              

               

              Exception loop

               

              2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) removeRealmFromPrincipal=false
              2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) serverSecurityDomain=Kerberos
              2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) usernamePasswordDomain=null
              2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
              2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Refreshing Kerberos configuration
              2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Java config name: C:/java/tools/wildfly/bin/krb5.conf
              2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) Loaded from Java config
              2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) >>> KdcAccessibility: reset
              2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) >>> KdcAccessibility: reset
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 82; type: 18
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 66; type: 17
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 74; type: 16
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 66; type: 23
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) Added key: 23version: 5
              2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 16version: 5
              2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 17version: 5
              2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 18version: 5
              2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 23version: 5
              2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 16version: 5
              2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 17version: 5
              2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 18version: 5
              2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) default etypes for default_tkt_enctypes: 17 23 16.
              2017-05-09 15:49:29,972 INFO  [stdout] (default task-3) >>> KrbAsReq creating message
              2017-05-09 15:49:29,972 INFO  [stdout] (default task-3) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
              2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
              2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KrbKdcReq send: #bytes read=654
              2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KdcAccessibility: remove dc2.domain.com
              2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 23version: 5
              2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 16version: 5
              2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 17version: 5
              2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 18version: 5
              2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
              2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com
              2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) principal is HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) Will use keytab
              2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) Commit Succeeded
              2017-05-09 15:49:30,034 INFO  [stdout] (default task-3)
              2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Subject = Subject:
                Principal: HTTP/jb2016.domain.com@DOMAIN.COM
                Private Credential: Ticket (hex) =
              Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM
              Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM
              Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
              0000: 00 B6 10 D3 DD 1A 8E 82  A7 5C 7C 90 3B DD 1D A3  .........\..;...
              
              
              
              
              Forwardable Ticket false
              Forwarded Ticket false
              Proxiable Ticket false
              Proxy Ticket false
              Postdated Ticket false
              Renewable Ticket false
              Initial Ticket false
              Auth Time = Tue May 09 19:49:29 UTC 2017
              Start Time = Tue May 09 19:49:29 UTC 2017
              End Time = Wed May 10 05:49:29 UTC 2017
              Renew Till = null
              Client Addresses  Null
                Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
              
              
              2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Logged in 'Kerberos' LoginContext
              2017-05-09 15:49:30,050 INFO  [stdout] (default task-3) [Krb5LoginModule]: Entering logout
              
              
              2017-05-09 15:49:30,050 INFO  [stdout] (default task-3) [Krb5LoginModule]: logged out Subject
              
              
              2017-05-09 15:49:30,050 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) NegotiationContext.setContinuationRequired(true)
              2017-05-09 15:49:30,050 DEBUG [org.jboss.security] (default task-3) PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.
                at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:192)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                at java.lang.reflect.Method.invoke(Unknown Source)
                at javax.security.auth.login.LoginContext.invoke(Unknown Source)
                at javax.security.auth.login.LoginContext.access$000(Unknown Source)
                at javax.security.auth.login.LoginContext$4.run(Unknown Source)
                at javax.security.auth.login.LoginContext$4.run(Unknown Source)
                at java.security.AccessController.doPrivileged(Native Method)
                at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
                at javax.security.auth.login.LoginContext.login(Unknown Source)
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
                at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
                at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
                at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
                at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:101)
                at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
                at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
                at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
                at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
                at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
                at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
                at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
                at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
                at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
                at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
                at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
                at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
                at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
                at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
                at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
                at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
                at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
                at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
                at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
                at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
                at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
                at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
                at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
                at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
                at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
                at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
                at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
                at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
                at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
                at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
                at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
                at java.lang.Thread.run(Unknown Source)
              
              
              2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) removeRealmFromPrincipal=false
              2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) serverSecurityDomain=Kerberos
              2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) usernamePasswordDomain=null
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Refreshing Kerberos configuration
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Java config name: C:/java/tools/wildfly/bin/krb5.conf
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Loaded from Java config
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) >>> KdcAccessibility: reset
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 23version: 5
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 16version: 5
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 17version: 5
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 18version: 5
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 23version: 5
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 16version: 5
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 17version: 5
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 18version: 5
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) default etypes for default_tkt_enctypes: 17 23 16.
              2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) >>> KrbAsReq creating message
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=654
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KdcAccessibility: remove dc2.domain.com
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 23version: 5
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 16version: 5
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 17version: 5
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 18version: 5
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) principal is HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Will use keytab
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Commit Succeeded
              2017-05-09 15:49:30,097 INFO  [stdout] (default task-4)
              2017-05-09 15:49:30,097 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Subject = Subject:
                Principal: HTTP/jb2016.domain.com@DOMAIN.COM
                Private Credential: Ticket (hex) =
              
              
              Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM
              Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM
              Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
              0000: 5D 63 BA 79 64 01 1D 8C  66 F4 6B 6F A9 80 85 BF  ]c.yd...f.ko....
              
              
              
              
              Forwardable Ticket false
              Forwarded Ticket false
              Proxiable Ticket false
              Proxy Ticket false
              Postdated Ticket false
              Renewable Ticket false
              Initial Ticket false
              Auth Time = Tue May 09 19:49:29 UTC 2017
              Start Time = Tue May 09 19:49:29 UTC 2017
              End Time = Wed May 10 05:49:29 UTC 2017
              Renew Till = null
              Client Addresses  Null
                Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
              
              
              2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Logged in 'Kerberos' LoginContext
              2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Creating new GSSContext.
              2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
              2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Entered Krb5Context.acceptSecContext with state=STATE_NEW
              2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 23version: 5
              2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 16version: 5
              2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 17version: 5
              2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 18version: 5
              2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
              2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) default etypes for permitted_enctypes: 17 23 16.
              2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
              2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) MemoryCache: add 1494359370/000065/5D08B107F11CA334A023AAABC7B198BB/user@DOMAIN.COM to user@DOMAIN.COM|HTTP/jb2016.domain.com@DOMAIN.COM
              2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> KrbApReq: authenticate succeed.
              2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Krb5Context setting peerSeqNumber to: 1582590877
              2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
              2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Krb5Context setting mySeqNumber to: 528134496
              2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> Constrained deleg from GSSCaller{UNKNOWN}
              2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
              2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getCredDelegState() = true
              2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getMutualAuthState() = true
              2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getSrcName() = user@DOMAIN.COM
              2017-05-09 15:49:30,222 INFO  [stdout] (default task-4) [Krb5LoginModule]: Entering logout
              2017-05-09 15:49:30,222 INFO  [stdout] (default task-4) [Krb5LoginModule]: logged out Subject
              2017-05-09 15:49:30,222 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Storing username 'user@DOMAIN.COM' and empty password