1 2 Previous Next 18 Replies Latest reply on Aug 5, 2008 7:47 AM by Claus Hausberger

    Problem with SPNEGO Negotiation

    Claus Hausberger Newbie

      Hello

      I am trying to use SPNEGO Negotiation and can't get it to work.

      I think I did everything as explained in the pdf guide but when using the negotiatio toolkit to check if everything is ok, I get error messages like:

      Unsupported negotiation mechanism, possibly NTLM!

      and

      Testing security-domain 'host'
      Failed!
      javax.security.auth.login.LoginException - Unable to obtain password from user


      Where can I look for errors? What could be wrong here?

      As a principal I used "username@OUR_WINDOWS.DOMAIN". maybe this is wrong.
      in the example the principle is host/testserver@KERBEROS.JBOSS.ORG in the application-policy. Maybe I got that wrong (wrong syntax?).

      Please help, I don't know where to search for the error.

      thanks a lot!

      Claus

        • 1. Re: Problem with SPNEGO Negotiation
          Darran Lofthouse Master

          Your first problem is that your web browser is not trusting JBoss so is not even starting the SPNEGO process.

          Have you followed through the active directory chapter fully to properly map the service principal in active directory? Until this is done none of the settings in the browser will cause the browser to trust JBoss as one of the first check IE does is that it can obtain a ticket for the service principal.

          Secondly did you follow the Internet Explorer instructions so that the host name would be trusted?

          • 2. Re: Problem with SPNEGO Negotiation
            Claus Hausberger Newbie

            Thanks. I will check the active directory settings again.

            I was using Firefox, not IE, but I guess this applies to Firefox, too.

            Claus

            • 3. Re: Problem with SPNEGO Negotiation
              Darran Lofthouse Master

              Yes for Firefox there is another section in the user guide on the changes needed to the Firefox configuration and Firefox will also require the service principal to be correctly configured before it will start the negotiation process.

              • 4. Re: Problem with SPNEGO Negotiation
                Claus Hausberger Newbie

                Hello

                thanks a lot for the help.

                The Basic Negotiation and Security Domain Tests now work and everything is as described in the users guide.

                But when I test "Secured", I get
                HTTP Status 403 - Access to the requested resource has been denied

                first, I had no spnego-roles.properties and spnego-users.properties but I've added them now.
                I don't see any error messages in the stdout logging of the JBoss server (I've configured the logging as described in the users guide).

                Any idea what my error here could be?

                Claus

                • 5. Re: Problem with SPNEGO Negotiation
                  Darran Lofthouse Master

                  I think you need to double check the roles that the user is being associated with, if you have enabled TRACE logging for org.jboss.security you should see something similar to the following in the server.log after the authentication process has completed: -

                  2008-07-24 21:35:08,768 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
                   Principal: darranl@JBOSS.ORG
                   Principal: Roles(members:Trader,Users,Banker,ipausers)
                   Principal: CallerPrincipal(members:darranl@JBOSS.ORG)
                  , sc=org.jboss.security.SecurityAssociation$SubjectContext@c05c2{principal=A1C423689601B6D6CC7D7682CBFB0525,subject=17368622}
                  

                  If you are using the negotiation toolkit this requires the user to have the 'Users' role.

                  Also as you are using the UsersRolesLoginModule as the second login module in the chain verify that the principal name does match the values you are using in the roles properties file, this should be the first principal in the list - in the example above this is 'darranl@jboss.org'.

                  • 6. Re: Problem with SPNEGO Negotiation
                    Claus Hausberger Newbie

                    does this mean that I have to specifiy the principal for the windows user that get's authenticated via SPNEGO in both the spnego-roles.properties and in login-config.xml in the UsersRolesLoginModule ?

                    My UsersRolesLoginModule looks like this:

                    </login-module>
                    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
                    <module-option name="password-stacking">useFirstPass</module-option>
                    <module-option name="principal">hausberger@MYDOMAIN</module-option>
                    <module-option name="usersProperties">props/spnego-users.properties</module-option>
                    <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
                    </login-module>


                    and my spnego-roles.properties like this:
                    hausberger@MYDOMAIN=Users


                    when I access the negotion toolkit page I get this in the server.log:

                    2008-07-31 16:45:33,865 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, sub
                    Principal: hausbergers@MYDOMAIN
                    Principal: Roles(members)
                    Principal: CallerPrincipal(members:hausbergers@MYDOMAIN)


                    when I access the "Secured" page, I get this in the server.log:

                    2008-07-31 16:47:13,205 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
                    2008-07-31 16:47:13,205 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
                    2008-07-31 16:47:13,205 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
                    2008-07-31 16:47:14,046 TRACE [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] Authenticating user
                    2008-07-31 16:47:14,046 TRACE [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] Already authenticated 'hausbergers@MYDOMAIN'
                    2008-07-31 16:47:14,046 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
                    2008-07-31 16:47:14,126 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
                    2008-07-31 16:47:14,127 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
                    2008-07-31 16:47:14,127 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
                    2008-07-31 16:47:14,129 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
                    2008-07-31 16:47:14,129 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
                    2008-07-31 16:47:14,129 TRACE [org.jboss.security.SecurityAssociation] clear, server=true



                    does this mean that the user has the "members" role? where would I add the "Users" role?
                    the log also says "already authenticated".

                    sorry for all the questions, I am new to JBoss.

                    Claus





                    • 7. Re: Problem with SPNEGO Negotiation
                      Darran Lofthouse Master

                      Did you cut and paste those examples or type by hand?

                      In your properties file you have: -

                      hausberger@MYDOMAIN=Users

                      But in the log you have: -

                      hausbergers@MYDOMAIN

                      So there is a 's' missing before the '@'

                      You may also need to restart your JBossAS instance as it could be possible that the original credentials are being cached.

                      No need to apologise for the questions, I am currently putting together the candidate release ready to GA the library I can take some of these points and add them to the troubleshooting section of the user guide.


                      • 8. Re: Problem with SPNEGO Negotiation
                        Claus Hausberger Newbie

                        Hi Darran

                        thanks a lot. This was just a typo here in the forum. The principals are equal in my configuration, so there must be another error.
                        I restarted the server 2 times. no change. still the same error.

                        looking forward to the GA. This is really a great tool and exactly what I was lookingn for.

                        Claus

                        • 9. Re: Problem with SPNEGO Negotiation
                          Darran Lofthouse Master

                          We will keep the actual discussion within the forum but would it be possible for you to please zip up the server.log and your login-config.xml and e-mail both to me - I will have a quick look, at this stage I think it sounds like a minor error is stopping the roles from being correctly loaded.

                          • 11. Re: Problem with SPNEGO Negotiation
                            Darran Lofthouse Master

                            Thanks for the files, I have just had a look at the logs.

                            I see the following output when the spnego-roles.properties file is read: -

                            2008-07-31 16:44:11,259 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[hausberger@MYDOMAIN]


                            The format of the 'spnego-roles.properties' file should actually be.

                            hausberger@MYDOMAIN=Users


                            So the user principal comes first and then after the '=' is a comma separated list of the users roles which in this example is just the 'Users' role.

                            I also see in the configuration for the UsersRoleLoginModule you have: -

                            <module-option name="principal">hausberger@MYDOMAIN</module-option>


                            This is not required and should be removed.

                            • 12. Re: Problem with SPNEGO Negotiation
                              Claus Hausberger Newbie

                              thanks for the answer.

                              my spnego-roles.properties looks like this:

                              hausberger@MYDOMAIN=Users

                              so, this seems to be correct.

                              I still get "HTTP Status 403 - Access to the requested resource has been denied".

                              Claus

                              • 13. Re: Problem with SPNEGO Negotiation
                                Darran Lofthouse Master

                                Can you just double check that the case of the complete username before the '=' matches exactly the case of the user that is being returned after the SPNEGO negotiation - re-reading your log it is looking to me as though the first letter may be upper case but in your properties it is lower case.

                                • 14. Re: Problem with SPNEGO Negotiation
                                  Claus Hausberger Newbie

                                  Hi Darran

                                  I checked again and indeed it was the wrong case. Now it works.

                                  what's weird: the principal is "Hausberger@MYDOMAIN", but my windows login is "hausberger" which is lowercase "h".
                                  where does the upper case come frome? Active Directoy?

                                  Claus

                                  1 2 Previous Next