5 Replies Latest reply on May 11, 2017 11:31 AM by Cain Cain

    [WildFly 10] SSO and SPNEGO Problems

    Cain Cain Newbie

      I've been trying to get SSO working in WildFly, but I'm having many problems.  I have it to the point now that I think it's almost working, but it seems to get stuck in a loop when I try to access the application from a web browser.  I have followed the instructions at these links:

       

      Negotiation User Guide

      Configuring JBoss Negotiation in an all Windows Domain

       

      If anyone can help me out, it would be greatly appreciated.  I've been working on this for a few days now, so I'm rather frustrated that I haven't been able to get it to work.

       

      Relevant standalone.xml stuff

      <security-domain name="Kerberos">
          <authentication>
              <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="sufficient" module="org.jboss.security.negotiation">
                  <module-option name="debug" value="true"/>
                  <module-option name="storeKey" value="true"/>
                  <module-option name="refreshKrb5Config" value="true"/>
                  <module-option name="useKeyTab" value="true"/>
                  <module-option name="doNotPrompt" value="false"/>
                  <module-option name="principal" value="HTTP/jb2016.domain.com@DOMAIN.COM"/>
                  <module-option name="keyTab" value="C:/temp/wildfly.keytab"/>
              </login-module>
          </authentication>
      </security-domain>
      <security-domain name="SPNEGO" cache-type="default">
          <authentication>
              <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite" module="org.jboss.security.negotiation">
                  <module-option name="password-stacking" value="useFirstPass"/>
                  <module-option name="serverSecurityDomain" value="Kerberos"/>
              </login-module>
          </authentication>
      </security-domain>
      </security-domains>
      

       

       

      krb5.conf

      [libdefaults]
        default_realm = DOMAIN.COM
        ticket_lifetime = 600
        default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
        permitted_enctypes  = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
      
      [realms]
        DOMAIN.COM = {
          kdc = dc2.domain.com
          admin_server = dc2.domain.com
          default_domain = DOMAIN.COM
        }
      
      
      [domain_realm]
        .domain.com = .DOMAIN.COM
        domain.com = DOMAIN.COM
      

       

      wildfly.keytab (verified KVNO is correct)

      KVNO Principal
      ---- ----------------------------------------------------------------------
        4 HTTP/jb2016.domain.com@DOMAIN.COM (18:AES256 CTS mode with HMAC SHA1-96)
        4 HTTP/jb2016.domain.com@DOMAIN.COM (17:AES128 CTS mode with HMAC SHA1-96)
        4 HTTP/jb2016.domain.com@DOMAIN.COM (16:DES3 CBC mode with SHA1-KD)
        4 HTTP/jb2016.domain.com@DOMAIN.COM (23:RC4 with HMAC)
      

       

      Exception loop

       

      2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) removeRealmFromPrincipal=false
      2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) serverSecurityDomain=Kerberos
      2017-05-09 15:49:29,847 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) usernamePasswordDomain=null
      2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Refreshing Kerberos configuration
      2017-05-09 15:49:29,909 INFO  [stdout] (default task-3) Java config name: C:/java/tools/wildfly/bin/krb5.conf
      2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) Loaded from Java config
      2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) >>> KdcAccessibility: reset
      2017-05-09 15:49:29,925 INFO  [stdout] (default task-3) >>> KdcAccessibility: reset
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 82; type: 18
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 66; type: 17
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 74; type: 16
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): DOMAIN.COM
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): HTTP
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTabInputStream, readName(): jb2016.domain.com
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) >>> KeyTab: load() entry length: 66; type: 23
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:29,940 INFO  [stdout] (default task-3) Added key: 23version: 5
      2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 16version: 5
      2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 17version: 5
      2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 18version: 5
      2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 23version: 5
      2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 16version: 5
      2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 17version: 5
      2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) Added key: 18version: 5
      2017-05-09 15:49:29,956 INFO  [stdout] (default task-3) default etypes for default_tkt_enctypes: 17 23 16.
      2017-05-09 15:49:29,972 INFO  [stdout] (default task-3) >>> KrbAsReq creating message
      2017-05-09 15:49:29,972 INFO  [stdout] (default task-3) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
      2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
      2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KrbKdcReq send: #bytes read=654
      2017-05-09 15:49:30,003 INFO  [stdout] (default task-3) >>> KdcAccessibility: remove dc2.domain.com
      2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 23version: 5
      2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 16version: 5
      2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 17version: 5
      2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) Added key: 18version: 5
      2017-05-09 15:49:30,019 INFO  [stdout] (default task-3) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com
      2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) principal is HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) Will use keytab
      2017-05-09 15:49:30,034 INFO  [stdout] (default task-3) Commit Succeeded
      2017-05-09 15:49:30,034 INFO  [stdout] (default task-3)
      2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Subject = Subject:
        Principal: HTTP/jb2016.domain.com@DOMAIN.COM
        Private Credential: Ticket (hex) =
      
      
      Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM
      Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM
      Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
      0000: 00 B6 10 D3 DD 1A 8E 82  A7 5C 7C 90 3B DD 1D A3  .........\..;...
      
      
      
      
      Forwardable Ticket false
      Forwarded Ticket false
      Proxiable Ticket false
      Proxy Ticket false
      Postdated Ticket false
      Renewable Ticket false
      Initial Ticket false
      Auth Time = Tue May 09 19:49:29 UTC 2017
      Start Time = Tue May 09 19:49:29 UTC 2017
      End Time = Wed May 10 05:49:29 UTC 2017
      Renew Till = null
      Client Addresses  Null
        Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
      
      
      2017-05-09 15:49:30,034 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) Logged in 'Kerberos' LoginContext
      2017-05-09 15:49:30,050 INFO  [stdout] (default task-3) [Krb5LoginModule]: Entering logout
      
      
      2017-05-09 15:49:30,050 INFO  [stdout] (default task-3) [Krb5LoginModule]: logged out Subject
      
      
      2017-05-09 15:49:30,050 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-3) NegotiationContext.setContinuationRequired(true)
      2017-05-09 15:49:30,050 DEBUG [org.jboss.security] (default task-3) PBOX00206: Login failure: javax.security.auth.login.LoginException: Continuation Required.
        at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:192)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.invoke(Unknown Source)
        at javax.security.auth.login.LoginContext.access$000(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at javax.security.auth.login.LoginContext$4.run(Unknown Source)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
        at javax.security.auth.login.LoginContext.login(Unknown Source)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:323)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:123)
        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:96)
        at org.jboss.security.negotiation.NegotiationMechanism.authenticate(NegotiationMechanism.java:101)
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:245)
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
        at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:231)
        at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
        at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:99)
        at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
        at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
        at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
        at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
      
      
      2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) removeRealmFromPrincipal=false
      2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) serverSecurityDomain=Kerberos
      2017-05-09 15:49:30,081 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) usernamePasswordDomain=null
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt false ticketCache is null isInitiator true KeyTab is C:/temp/wildfly.keytab refreshKrb5Config is true principal is HTTP/jb2016.domain.com@DOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Refreshing Kerberos configuration
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Java config name: C:/java/tools/wildfly/bin/krb5.conf
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Loaded from Java config
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) >>> KdcAccessibility: reset
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 23version: 5
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 16version: 5
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 17version: 5
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 18version: 5
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 23version: 5
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 16version: 5
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 17version: 5
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) Added key: 18version: 5
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) default etypes for default_tkt_enctypes: 17 23 16.
      2017-05-09 15:49:30,081 INFO  [stdout] (default task-4) >>> KrbAsReq creating message
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbKdcReq send: kdc=dc2.domain.com UDP:88, timeout=30000, number of retries =3, #bytes=153
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KDCCommunication: kdc=dc2.domain.com UDP:88, timeout=30000,Attempt =1, #bytes=153
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbKdcReq send: #bytes read=654
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KdcAccessibility: remove dc2.domain.com
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 23version: 5
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 16version: 5
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 17version: 5
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Added key: 18version: 5
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) >>> KrbAsRep cons in KrbAsReq.getReply HTTP/jb2016.domain.com
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) principal is HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Will use keytab
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4) Commit Succeeded
      2017-05-09 15:49:30,097 INFO  [stdout] (default task-4)
      2017-05-09 15:49:30,097 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Subject = Subject:
        Principal: HTTP/jb2016.domain.com@DOMAIN.COM
        Private Credential: Ticket (hex) =
      
      
      Client Principal = HTTP/jb2016.domain.com@DOMAIN.COM
      Server Principal = krbtgt/DOMAIN.COM@DOMAIN.COM
      Session Key = EncryptionKey: keyType=17 keyBytes (hex dump)=
      0000: 5D 63 BA 79 64 01 1D 8C  66 F4 6B 6F A9 80 85 BF  ]c.yd...f.ko....
      
      
      
      
      Forwardable Ticket false
      Forwarded Ticket false
      Proxiable Ticket false
      Proxy Ticket false
      Postdated Ticket false
      Renewable Ticket false
      Initial Ticket false
      Auth Time = Tue May 09 19:49:29 UTC 2017
      Start Time = Tue May 09 19:49:29 UTC 2017
      End Time = Wed May 10 05:49:29 UTC 2017
      Renew Till = null
      Client Addresses  Null
        Private Credential: C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
      
      
      2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Logged in 'Kerberos' LoginContext
      2017-05-09 15:49:30,112 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Creating new GSSContext.
      2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found KeyTab C:\temp\wildfly.keytab for HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
      2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Entered Krb5Context.acceptSecContext with state=STATE_NEW
      2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Looking for keys for: HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 23version: 5
      2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 16version: 5
      2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 17version: 5
      2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) Added key: 18version: 5
      2017-05-09 15:49:30,190 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) default etypes for permitted_enctypes: 17 23 16.
      2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) MemoryCache: add 1494359370/000065/5D08B107F11CA334A023AAABC7B198BB/user@DOMAIN.COM to user@DOMAIN.COM|HTTP/jb2016.domain.com@DOMAIN.COM
      2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> KrbApReq: authenticate succeed.
      2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Krb5Context setting peerSeqNumber to: 1582590877
      2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> EType: sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType
      2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Krb5Context setting mySeqNumber to: 528134496
      2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) >>> Constrained deleg from GSSCaller{UNKNOWN}
      2017-05-09 15:49:30,206 INFO  [stdout] (default task-4) Found ticket for HTTP/jb2016.domain.com@DOMAIN.COM to go to krbtgt/DOMAIN.COM@DOMAIN.COM expiring on Wed May 10 05:49:29 UTC 2017
      2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getCredDelegState() = true
      2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getMutualAuthState() = true
      2017-05-09 15:49:30,206 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) context.getSrcName() = user@DOMAIN.COM
      2017-05-09 15:49:30,222 INFO  [stdout] (default task-4) [Krb5LoginModule]: Entering logout
      2017-05-09 15:49:30,222 INFO  [stdout] (default task-4) [Krb5LoginModule]: logged out Subject
      2017-05-09 15:49:30,222 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-4) Storing username 'user@DOMAIN.COM' and empty password