Kerberos / JBoss Negotiate issues and questions
ejb3workshop Sep 18, 2008 4:59 AM
I have deployed JBoss Negotiate onto JBoss 4.2.3. Initially I tried to create the server users account using a generic name such as JBoss instead of the hostname of the machine. I couldn't get this working. After creating a username whose name matched the hostname of the JBoss server I was able to complete the Basic Negotiation and the Security Domain Test from another client. I am still not able to perform those from the server itself. IE works from the other clients, but neither IE nor Firefox works on my client.
I read some suggestions to clear the cache, but I haven't found instructions on doing this.
When I try the Secured test I get the exception below. I wonder if there is a problem on my system, which also runs the JBoss server, which could be causing this?
09:54:39,905 TRACE [UsersRolesLoginModule] Properties file=file:/C:/jboss-4.2.3.GA/server/default/conf/props/spnego-roles.properties, defaults=null
09:54:39,905 DEBUG [UsersRolesLoginModule] Loaded properties, users=[operator, ahartner@TH.local, vreddy@TH, user, ahartner@TH, jamesm@TH, other, vreddy@TH.local, jamesm@TH.local, sysop]
09:54:39,905 TRACE [UsersRolesLoginModule] abort
09:54:39,920 TRACE [SPNEGO] Login failure
javax.security.auth.login.LoginException: Continuation Required.
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:156)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
    at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
    at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
    at java.lang.Thread.run(Thread.java:619)
09:54:40,030 TRACE [SPNEGO] End isValid, false
09:54:40,030 DEBUG [SPNEGOAuthenticator] authenticated principal = null
09:54:40,030 TRACE [SPNEGOContext] clear 31752641
09:54:40,030 TRACE [SecurityAssociation] clear, server=true
09:54:40,045 TRACE [SPNEGOAuthenticator] Authenticating user
09:54:40,045 INFO [SPNEGOAuthenticator] Header - Negotiate oYIF2zCCBdeiggXTBIIFz2CCBcsGCSqGSIb3EgECAgEAboIFujCCBbagAwIBBaEDAgEOogcDBQAgAAAAo4IE5WGCBOEwggTdoAMCAQWhChsIVEguTE9DQUyiITAfoAMCAQKhGDAWGwRI
...
0xcf 0x0e 0x1a 0x1b 0xbd 0xaa 0xa1 0x63
09:54:40,546 DEBUG [SPNEGOLoginModule] Creating new GSSContext.
09:54:40,686 TRACE [SPNEGOLoginModule] Result - GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
09:54:40,686 ERROR [SPNEGOLoginModule] Unable to authenticate
GSSException: Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:295)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:337)
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:113)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
    at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
    at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
    at java.lang.Thread.run(Thread.java:619)
Caused by: KrbException: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC
    at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:262)
    at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
    at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
    ... 32 more
09:54:40,827 INFO [STDOUT] [Krb5LoginModule]: Entering logout
09:54:40,843 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
09:54:40,843 TRACE [SPNEGOLoginModule] abort
09:54:40,843 TRACE [UsersRolesLoginModule] initialize, instance=@12914915
09:54:40,843 TRACE [UsersRolesLoginModule] Security domain: SPNEGO
09:54:40,858 TRACE [UsersRolesLoginModule] findResource: null
09:54:40,858 TRACE [UsersRolesLoginModule] Properties file=file:/C:/jboss-4.2.3.GA/server/default/conf/props/spnego-users.properties, defaults=null
09:54:40,858 DEBUG [UsersRolesLoginModule] Loaded properties, users=[]
09:54:40,858 TRACE [UsersRolesLoginModule] findResource: null
09:54:40,858 TRACE [UsersRolesLoginModule] Properties file=file:/C:/jboss-4.2.3.GA/server/default/conf/props/spnego-roles.properties, defaults=null
09:54:40,874 DEBUG [UsersRolesLoginModule] Loaded properties, users=[operator, ahartner@TH.local, vreddy@TH, user, ahartner@TH, jamesm@TH, other, vreddy@TH.local, jamesm@TH.local, sysop]
09:54:40,874 TRACE [UsersRolesLoginModule] abort
09:54:40,874 TRACE [SPNEGO] Login failure
javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - RC4 with HMAC)
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:136)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
    at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
    at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
    at java.lang.Thread.run(Thread.java:619)
09:54:40,999 TRACE [SPNEGO] End isValid, false
09:54:40,999 DEBUG [SPNEGOAuthenticator] authenticated principal = null
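
Added example, not part of the original post and not JBoss Negotiate code: a small Python decoder for the truncated `Negotiate` header logged above, showing which mechanism and realm the browser actually sent. The function names and the `incomplete` marker are this example's own; the header string is copied from the log as posted.

```python
import base64

# Negotiate header prefix copied from the log above (the post truncates it with "...").
HEADER_PREFIX = (
    "oYIF2zCCBdeiggXTBIIFz2CCBcsGCSqGSIb3EgECAgEAboIFujCCBbagAwIBBaEDAgEOogcDBQAg"
    "AAAAo4IE5WGCBOEwggTdoAMCAQWhChsIVEguTE9DQUyiITAfoAMCAQKhGDAWGwRI"
)
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2


def read_tl(buf, pos):
    """Read a DER tag and length at pos; return (tag, declared_length, value_start)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def describe_negotiate(header_b64):
    """Identify the mechanism and outer Kerberos fields of a possibly truncated token."""
    buf = base64.b64decode(header_b64[: len(header_b64) // 4 * 4])
    if buf.startswith(b"NTLMSSP\x00"):
        return {"mechanism": "NTLM"}
    out, pos = {}, 0

    def walk(*tags, take=False):
        # Descend through the expected tags; with take=True return the last value.
        nonlocal pos
        for want in tags:
            tag, length, pos = read_tl(buf, pos)
            if tag != want:
                raise ValueError(f"expected tag {want:#x}, found {tag:#x}")
        if take:
            pos += length
            return buf[pos - length:pos]

    try:
        if buf[0] == 0xA1:  # NegTokenResp carrying a responseToken OCTET STRING
            walk(0xA1, 0x30, 0xA2, 0x04)
            out["wrapper"] = "SPNEGO NegTokenResp"
        walk(0x60)  # GSS-API initial context token
        oid = walk(0x06, take=True)
        out["mechanism"] = "Kerberos V5" if oid == KRB5_OID else "OID " + oid.hex()
        out["tok_id"] = buf[pos:pos + 2].hex()  # 0100 marks a Kerberos AP-REQ
        pos += 2
        walk(0x6E, 0x30)  # AP-REQ body
        out["pvno"] = walk(0xA0, 0x02, take=True)[0]
        out["msg_type"] = walk(0xA1, 0x02, take=True)[0]
        walk(0xA2, 0x03, take=True)  # ap-options, skipped
        walk(0xA3, 0x61, 0x30)  # ticket
        out["tkt_vno"] = walk(0xA0, 0x02, take=True)[0]
        out["realm"] = walk(0xA1, 0x1B, take=True).decode("ascii")
    except (IndexError, ValueError):
        out["incomplete"] = True  # token cut off or not the layout handled here
    return out
```

For the header in this log it reports a SPNEGO-wrapped Kerberos V5 AP-REQ (message type 14) whose ticket realm is `TH.LOCAL`, so the browser did send a Kerberos ticket rather than falling back to NTLM. The failure therefore sits where the `GSSException` puts it: the acceptor found no RC4-HMAC key with which to decrypt that ticket.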