1 Reply Latest reply on Oct 26, 2017 10:04 AM by Steven Hawkins

    Kerberos authentication with browsers

    Saravanan S Newbie

      Hi,

       

      I'm new to JBoss and Kerberos.

      By following the steps in https://developer.jboss.org/wiki/HowToImplementKerberosAuthenticationWithASimpleRESTWebApp I have implemented Kerberos with a JBoss server. It is working fine with the curl command against http://primary.example.com:28080/CounterWebApp/. I'm trying to use a browser to get the same result. Initially I tried with Firefox, but I got the following exception.

       

      ####[2017-10-23 19:21:44,273] TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-executor-threads - 23) Authenticating user

      ####[2017-10-23 19:21:44,273] DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-executor-threads - 23) Header - null

      ####[2017-10-23 19:21:44,273] DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-executor-threads - 23) No Authorization Header, initiating negotiation

      ####[2017-10-23 19:21:44,273] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000354: Setting security roles ThreadLocal: null

      ####[2017-10-23 19:21:44,280] TRACE [org.jboss.security.negotiation.NegotiationAuthenticator] (http-executor-threads - 23) Authenticating user

      ####[2017-10-23 19:21:44,280] DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-executor-threads - 23) Header - Negotiate TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

      ####[2017-10-23 19:21:44,280] TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Base64] (http-executor-threads - 23) TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==

      ####[2017-10-23 19:21:44,280] TRACE [org.jboss.security.negotiation.common.MessageTrace.Request.Hex] (http-executor-threads - 23)  0x4e 0x54 0x4c 0x4d 0x53 0x53 0x50 0x00 0x01 0x00 0x00 0x00 0x97 0x82 0x08 0xe2 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x06 0x01 0xb1 0x1d 0x00 0x00 0x00 0x0f

      ####[2017-10-23 19:21:44,280] TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-executor-threads - 23) associate 1552217786

      ####[2017-10-23 19:21:44,280] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000200: Begin isValid, principal: wCiiZOqfrHJ7aGX7xGi1YKOR_1508779230593, cache entry: null

      ####[2017-10-23 19:21:44,280] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000209: defaultLogin, principal: wCiiZOqfrHJ7aGX7xGi1YKOR_1508779230593

      ####[2017-10-23 19:21:44,281] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000221: Begin getAppConfigurationEntry(EXAMPLE.COM), size: 5

      ####[2017-10-23 19:21:44,281] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000224: End getAppConfigurationEntry(EXAMPLE.COM), AuthInfo: AppConfigurationEntry[]:

      [0]

      LoginModule Class: org.jboss.security.negotiation.spnego.SPNEGOLoginModule

      ControlFlag: LoginModuleControlFlag: requisite

      Options:

      name=serverSecurityDomain, value=host

      name=password-stacking, value=useFirstPass

      [1]

      LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule

      ControlFlag: LoginModuleControlFlag: requisite

      Options:

      name=usersProperties, value=FILE:/var/lib/jboss/domains/DP-SDE-JBOSS_sde/configuration/application-users.properties

      name=defaultUsersProperties, value=FILE:/var/lib/jboss/domains/DP-SDE-JBOSS_sde/configuration/application-users.properties

      name=rolesProperties, value=FILE:/var/lib/jboss/domains/DP-SDE-JBOSS_sde/configuration/application-roles.properties

      name=defaultRolesProperties, value=FILE:/var/lib/jboss/domains/DP-SDE-JBOSS_sde/configuration/application-roles.properties

      name=password-stacking, value=useFirstPass

      [2]

      LoginModule Class: org.jboss.security.auth.spi.RoleMappingLoginModule

      ControlFlag: LoginModuleControlFlag: optional

      Options:

      name=rolesProperties, value=FILE:/var/lib/jboss/domains/DP-SDE-JBOSS_sde/configuration/application-roles.properties

       

       

      ####[2017-10-23 19:21:44,281] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000236: Begin initialize method

      ####[2017-10-23 19:21:44,281] DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-executor-threads - 23) removeRealmFromPrincipal=false

      ####[2017-10-23 19:21:44,281] DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-executor-threads - 23) serverSecurityDomain=host

      ####[2017-10-23 19:21:44,281] DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-executor-threads - 23) usernamePasswordDomain=null

      ####[2017-10-23 19:21:44,281] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000240: Begin login method

      ####[2017-10-23 19:21:44,281] WARN  [org.jboss.security.auth.spi.AbstractServerLoginModule] (http-executor-threads - 23) Unsupported negotiation mechanism 'NTLM'.

      ####[2017-10-23 19:21:44,282] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000244: Begin abort method

      ####[2017-10-23 19:21:44,282] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000236: Begin initialize method

      ####[2017-10-23 19:21:44,283] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000288: Properties file FILE:/var/lib/jboss/domains/DP-SDE-JBOSS_sde/configuration/application-users.properties loaded, users: [HTTP/primary.example.com@EXAMPLE.COM, rareddy@EXAMPLE.COM]

      ####[2017-10-23 19:21:44,283] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000288: Properties file FILE:/var/lib/jboss/domains/DP-SDE-JBOSS_sde/configuration/application-users.properties loaded, users: [HTTP/primary.example.com@EXAMPLE.COM, rareddy@EXAMPLE.COM]

      ####[2017-10-23 19:21:44,283] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000288: Properties file FILE:/var/lib/jboss/domains/DP-SDE-JBOSS_sde/configuration/application-roles.properties loaded, users: [HTTP/primary.example.com@EXAMPLE.COM, rareddy@EXAMPLE.COM]

      ####[2017-10-23 19:21:44,284] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000288: Properties file FILE:/var/lib/jboss/domains/DP-SDE-JBOSS_sde/configuration/application-roles.properties loaded, users: [HTTP/primary.example.com@EXAMPLE.COM, rareddy@EXAMPLE.COM]

      ####[2017-10-23 19:21:44,284] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000244: Begin abort method

      ####[2017-10-23 19:21:44,284] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000236: Begin initialize method

      ####[2017-10-23 19:21:44,284] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000244: Begin abort method

      ####[2017-10-23 19:21:44,284] DEBUG [org.jboss.security] (http-executor-threads - 23) PBOX000206: Login failure: javax.security.auth.login.LoginException: Unsupported negotiation mechanism 'NTLM'.

      at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.spnegoLogin(SPNEGOLoginModule.java:261) [jboss-negotiation-spnego-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]

      at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.innerLogin(SPNEGOLoginModule.java:210) [jboss-negotiation-spnego-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]

      at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:145) [jboss-negotiation-spnego-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]

      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_131]

      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_131]

      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_131]

      at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_131]

      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:762) [rt.jar:1.7.0_131]

      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_131]

      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690) [rt.jar:1.7.0_131]

      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688) [rt.jar:1.7.0_131]

      at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_131]

      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:687) [rt.jar:1.7.0_131]

      at javax.security.auth.login.LoginContext.login(LoginContext.java:595) [rt.jar:1.7.0_131]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:399) [picketbox-infinispan-4.1.3.Final-redhat-1.jar:4.1.3.Final-redhat-1]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:338) [picketbox-infinispan-4.1.3.Final-redhat-1.jar:4.1.3.Final-redhat-1]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:326) [picketbox-infinispan-4.1.3.Final-redhat-1.jar:4.1.3.Final-redhat-1]

      at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:142) [picketbox-infinispan-4.1.3.Final-redhat-1.jar:4.1.3.Final-redhat-1]

      at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:217) [jboss-as-web-7.5.13.Final-redhat-2.jar:7.5.13.Final-redhat-2]

      at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:276) [jboss-negotiation-common-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]

      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.5.20.Final-redhat-1.jar:7.5.20.Final-redhat-1]

      at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.13.Final-redhat-2.jar:7.5.13.Final-redhat-2]

      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.20.Final-redhat-1.jar:7.5.20.Final-redhat-1]

      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.20.Final-redhat-1.jar:7.5.20.Final-redhat-1]

      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.20.Final-redhat-1.jar:7.5.20.Final-redhat-1]

      at com.ericsson.container.clb.proxy.http.util.ClbHttpValve.invoke(ClbHttpValve.java:39)

      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.20.Final-redhat-1.jar:7.5.20.Final-redhat-1]

      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.20.Final-redhat-1.jar:7.5.20.Final-redhat-1]

      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:656) [jbossweb-7.5.20.Final-redhat-1.jar:7.5.20.Final-redhat-1]

      at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:511) [jbossweb-7.5.20.Final-redhat-1.jar:7.5.20.Final-redhat-1]

      at org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33)

      at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:808)

      at org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45)

      at org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:849)

      at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_131]

      at org.jboss.threads.JBossThread.run(JBossThread.java:122)

       

       

      ####[2017-10-23 19:21:44,286] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000201: End isValid, result = false

      ####[2017-10-23 19:21:44,286] TRACE [org.jboss.security.negotiation.common.NegotiationContext] (http-executor-threads - 23) clear 1552217786

      ####[2017-10-23 19:21:44,286] DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] (http-executor-threads - 23) SPNEGO based authentication failed...initiating negotiation

      ####[2017-10-23 19:21:44,286] TRACE [org.jboss.security] (http-executor-threads - 23) PBOX000354: Setting security roles ThreadLocal: null

       

      Please help me solve this issue. It is urgent. Thanks in advance.

       

      Regards

      Saravanan
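
A triage sketch for the log above, added here and not part of the original post or of the JBoss Negotiation code: it decodes the token on each `Header - Negotiate ...` line and names the mechanism inside, which for the token in the post is an NTLMSSP type 1 message, matching the `Unsupported negotiation mechanism 'NTLM'` warning. The function names are hypothetical, the log lines are trimmed, and the third sample token is constructed.

```python
import base64
import re

NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("06062b0601050502")      # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2
NTLM_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
HEADER_RE = re.compile(r"Header - Negotiate (\S+)")

def classify_negotiate_token(b64_token):
    """Name the mechanism carried by a base64 Negotiate token."""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except ValueError:
        return "not base64"
    if raw.startswith(NTLMSSP_SIG):
        if len(raw) < 12:
            return "NTLM (truncated)"
        msg_type = int.from_bytes(raw[8:12], "little")
        return "NTLM " + NTLM_TYPES.get(msg_type, "type %d" % msg_type)
    if raw[:1] == b"\xa1":
        return "SPNEGO NegTokenResp"
    if raw[:1] == b"\x60" and len(raw) > 2:
        # GSS-API initial token: 0x60, DER length, then the mechanism OID.
        offset = 2 + (raw[1] & 0x7F if raw[1] & 0x80 else 0)
        body = raw[offset:]
        if body.startswith(SPNEGO_OID):
            # Heuristic: search for the Kerberos OID among the offered mechTypes.
            offers = "Kerberos offered" if KRB5_OID in body else "no Kerberos offer"
            return "SPNEGO NegTokenInit (%s)" % offers
        if body.startswith(KRB5_OID):
            return "Kerberos (bare GSS-API token)"
    return "unknown"

def scan_log(lines):
    """Classify every 'Header - Negotiate <token>' line in a server log."""
    return [classify_negotiate_token(m.group(1))
            for m in map(HEADER_RE.search, lines) if m]

# Constructed token: a minimal SPNEGO NegTokenInit whose only mechType is Kerberos.
CONSTRUCTED_SPNEGO = base64.b64encode(bytes.fromhex(
    "601b06062b0601050502a011300fa00d300b06092a864886f712010202")).decode()

# The first two lines are trimmed from the post's log; the third is constructed.
SAMPLE_LOG = [
    "DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] Header - null",
    "DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] Header - Negotiate "
    "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==",
    "DEBUG [org.jboss.security.negotiation.NegotiationAuthenticator] Header - Negotiate "
    + CONSTRUCTED_SPNEGO,
]
```
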