1 Reply Latest reply on Aug 9, 2006 11:28 AM by kc7bfi

    Problems following NegotiateKerberos documentation.

    kc7bfi
    kc7bfi Aug 8, 2006 3:44 PM

      I have been trying to follow the NegotiateKerberos (http://wiki.jboss.org/wiki/Wiki.jsp?page=NegotiateKerberos) documentation but I'm having some trouble. First, The document references a security-service.xml in the deploy directory. I do not have one so I created one as follows:

      <?xml version="1.0" encoding="UTF-8"?>

<server>

 <!-- JAAS security manager and realm mapping -->
 <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
 name="jboss.security:service=JaasSecurityManager">
 <!-- A flag which indicates whether the SecurityAssociation server mode
 is set on service creation. This is true by default since the
 SecurityAssociation should be thread local for multi-threaded server
 operation.
 -->
 <attribute name="ServerMode">true</attribute>
 <attribute name="SecurityManagerClassName">org.jboss.security.plugins.JaasSecurityManager</attribute>
 <attribute name="DefaultUnauthenticatedPrincipal">anonymous</attribute>
 <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
 in seconds.
 If you want to disable caching of security credentials, set this to 0 to
 force authentication to occur every time. This has no affect if the
 AuthenticationCacheJndiName has been changed from the default value.
 -->
 <attribute name="DefaultCacheTimeout">1800</attribute>
 <!-- DefaultCacheResolution: Specifies the default timed cache policy
 resolution in seconds. This controls the interval at which the cache
 current timestamp is updated and should be less than the DefaultCacheTimeout
 in order for the timeout to be meaningful. This has no affect if the
 AuthenticationCacheJndiName has been changed from the default value.
 -->
 <attribute name="DefaultCacheResolution">60</attribute>
 <attribute name="CallbackHandlerClassName">org.jboss.web.tomcat.security.AdvancedWebCallbackHandler</attribute>
 </mbean>

</server>


      I also had to set the login auth-method in my web.xml to BASIC, Negotiate was not recognised. 

       <login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>Domain Login</realm-name>
 </login-config>


      When I try to login from a client, the login failes but I get no errors in the logs. I can see Security logs on my server and PDC that reference a kerberos login, but thats as far as I get.

      Has anyone successfully gotten kerberos login to work from the NegotiateKerberos documentation? Is there something I'm missing?

      I'm using JBoss 4.0.4.GA and Windows 2003/XP

      Thanks, David

      • 1864 Views
      • Tags:
        • 1. Re: Problems following NegotiateKerberos documentation. - Mo
          kc7bfi
          kc7bfi Aug 9, 2006 11:28 AM (in response to kc7bfi)

          I've made progress. Now, when I try to login, I get one of two errors. First, when trying to parse the SPNEGO token I sometimes get an IOException: Not a Type 3 message. Othertimes, it falls through the section of code NegotiateUtil.java where it says: // TODO: Implement SPNEGO Handling

          Any ideas?

          Thanks, Davud

            • Actions