1 Reply Latest reply on Aug 9, 2006 11:28 AM by David Robison

    Problems following NegotiateKerberos documentation.

    David Robison Novice

      I have been trying to follow the NegotiateKerberos (http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos) documentation but I'm having some trouble. First, The document references a security-service.xml in the deploy directory. I do not have one so I created one as follows:

      <?xml version="1.0" encoding="UTF-8"?>
      
      <server>
      
       <!-- JAAS security manager and realm mapping -->
       <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="jboss.security:service=JaasSecurityManager">
       <!-- A flag which indicates whether the SecurityAssociation server mode
       is set on service creation. This is true by default since the
       SecurityAssociation should be thread local for multi-threaded server
       operation.
       -->
       <attribute name="ServerMode">true</attribute>
       <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
       <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
       <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
       in seconds.
       If you want to disable caching of security credentials, set this to 0 to
       force authentication to occur every time. This has no affect if the
       AuthenticationCacheJndiName has been changed from the default value.
       -->
       <attribute name="DefaultCacheTimeout">1800</attribute>
       <!-- DefaultCacheResolution: Specifies the default timed cache policy
       resolution in seconds. This controls the interval at which the cache
       current timestamp is updated and should be less than the DefaultCacheTimeout
       in order for the timeout to be meaningful. This has no affect if the
       AuthenticationCacheJndiName has been changed from the default value.
       -->
       <attribute name="DefaultCacheResolution">60</attribute>
       <attribute name="CallbackHandlerClassName">org.jboss.web.tomcat.security.AdvancedWebCallbackHandler</attribute>
       </mbean>
      
      </server>
      


      I also had to set the login auth-method in my web.xml to BASIC, Negotiate was not recognised.

       <login-config>
       <auth-method>BASIC</auth-method>
       <realm-name>Domain Login</realm-name>
       </login-config>
      


      When I try to login from a client, the login failes but I get no errors in the logs. I can see Security logs on my server and PDC that reference a kerberos login, but thats as far as I get.

      Has anyone successfully gotten kerberos login to work from the NegotiateKerberos documentation? Is there something I'm missing?

      I'm using JBoss 4.0.4.GA and Windows 2003/XP

      Thanks, David