4 Replies Latest reply on Apr 30, 2010 10:24 AM by jar349

    Bind Error with GSSAPI SASL using JBossNegotiate

      Hi jboss team,

I am trying to integrate JBossNegotiate (Beta2 or 2.0.3GA) into my web applications. However, I keep getting a bind error when I try performing an LDAP search using the "GSSAPI" SASL mech.

      My setup is the following:

      Server1 (App Server)
      Computer Name: APPSERVER
      Jboss 4.2.3GA
      Windows 2003

      Server2 (Domain Controller)
      Computer Name: DOMAINCTRL01
      Windows 2003 Active Directory


      login-config.xml

       <application-policy name="host">
       <authentication>
       <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
       <module-option name="storeKey">true</module-option>
       <module-option name="useKeyTab">true</module-option>
       <module-option name="principal">host/testserver@DEV.MYDOMAIN.COM</module-option>
       <module-option name="keyTab">C:\testserver.keytab</module-option>
       <module-option name="doNotPrompt">true</module-option>
       <module-option name="debug">true</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <application-policy name="SPNEGO">
       <authentication>
       <login-module code="org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule" flag="required">
       <module-option name="password-stacking">useFirstPass</module-option>
      
       <module-option name="bindAuthentication">GSSAPI</module-option>
       <module-option name="jaasSecurityDomain">host</module-option>
       <module-option name="java.naming.provider.url">ldap://DOMAINCTRL01.dev.mydomain.com:389</module-option>
      
       <module-option name="baseCtxDN">DC=dev,DC=mydomain,DC=com</module-option>
       <module-option name="baseFilter">(userPrincipalName={0})</module-option>
      
       <module-option name="roleAttributeID">memberOf</module-option>
       <module-option name="roleAttributeIsDN">true</module-option>
       <module-option name="roleNameAttributeID">cn</module-option>
       <module-option name="recurseRoles">true</module-option>
       </login-module>
      
       </authentication>
       </application-policy>
      


And this is the trace (note: I added some extra logging)
      2009-02-02 14:23:20,643 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Logged in 'host' LoginContext
      2009-02-02 14:23:20,643 TRACE [org.jboss.security.negotiation.MessageTrace.Request.Hex] 0xa1 0x82 0x05 0x62 0x30 0x82 0x05 0x5e 0xa2 0x82 0x05 0x5a 0x04 0x82 0x05 0x56 0x60 0x82 0x05 0x52 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7 0x12 0x01 0x02 0x02 0x01 0x00 0x6e 0x82 0x05 0x41 0x30 0x82 0x05 0x3d 0xa0 0x03 0x02 0x01 0x05 0xa1 0x03 0x02 0x01 0x0e 0xa2 0x07 0x03 0x05 0x00 0x20 0x00 0x00 0x00 0xa3 0x82 0x04 0x63 0x61 0x82 0x04 0x5f 0x30 0x82 0x04 0x5b 0xa0 0x03 0x02 0x01 0x05 0xa1 0x13 0x1b 0x11 0x4f 0x47 0x43 0x53 0x2e 0x48 0x59 0x44 0x52 0x4f 0x4f 0x4e 0x45 0x2e 0x43 0x4f 0x4d 0xa2 0x2d 0x30 0x2b 0xa0 0x03 0x02 0x01 0x02 0xa1 0x24 0x30 0x22 0x1b 0x04 0x48 0x54 0x54 0x50 0x1b 0x1a 0x64 0x62 0x61 0x70 0x70 0x69 0x31 0x61 0x2e 0x6f 0x67 0x63 0x73 0x2e 0x68 0x79 0x64 0x72 0x6f 0x6f 0x6e 0x65 0x2e 0x63 0x6f 0x6d 0xa3 0x82 0x04 0x0e 0x30 0x82 0x04 0x0a 0xa0 0x03 0x02 0x01 0x17 0xa1 0x03 0x02 0x01 0x04 0xa2 0x82 0x03 0xfc 0x04 0x82 0x03 0xf8 0x68 0xab 0x28 0xb7 0xf3 0x5b 0x9a 0xd3 0x61 0x69 0xb2 0xed 0xf5 0x33 0x75 0x6d 0xde 0xc8 0x0e 0xec 0xdb 0x60 0xbf 0xda 0x6c 0x1c 0x39 0x63 0x59 0xf7 0xda 0xa7 0x20 0x5e 0xe6 0x72 0x6d 0x92 0x38 0x24 0x9b 0x5d 0x9a 0x10 0xc5 0x35 0x80 0xa3 0x4e 0xf8 0x6a 0xfd 0x8b 0x43 0x5d 0x27 0xea 0x9e 0x6f 0xa6 0x49 0x27 0xbe 0x34 0xee 0x70 0x06 0xfa 0x23 0xda 0x34 0x02 0x39 0xe7 0x24 0x50 0xdc 0xe3 0xa9 0xfa 0xb1 0x87 0x67 0x46 0x03 0x2a 0x67 0x58 0x79 0xe4 0xaa 0x5d 0xc3 0x18 0x39 0x4a 0x45 0x2d 0x0d 0x8b 0xd1 0x92 0xe8 0x9d 0x8f 0xac 0xe3 0xc9 0x95 0x42 0x0d 0x3a 0x6b 0x4b 0x02 0xfa 0x04 0x84 0x09 0x25 0xc0 0xa9 0xe7 0x7c 0xf7 0x85 0x99 0x05 0xcc 0xa5 0x6a 0x51 0x4a 0x0d 0xde 0xd8 0xad 0x7f 0xbd 0x40 0x89 0x10 0x57 0x20 0x45 0x89 0xe8 0x6f 0x0a 0xf6 0x46 0x62 0x73 0x43 0x8a 0x55 0x79 0xa7 0xc2 0x59 0xf2 0xa5 0xd0 0xce 0xab 0xa5 0x2a 0xa4 0x1b 0x94 0x71 0xf1 0x88 0xb3 0x63 0xa6 0xe4 0x44 0x3f 0x1b 0x7b 0x46 0xba 0x2b 0xea 0xad 0x78 0x5f 0xa5 0x1a 0x6d 0x29 0xd4 0x8b 0xe2 0x8f 0x43 0xba 0xfc 0x5c 0x9b 0x26 0x1b 0xc6 0x75 0x29 0x50 0x2d 0xc8 0xcc 
0x31 0x7d 0xa3 0x74 0x2f 0xcd 0x58 0xbb 0x7e 0x14 0xd2 0x7e 0xdc 0x6e 0xae 0xd3 0x1d 0x73 0x07 0x78 0x1c 0x0a 0x80 0x31 0x70 0xfe 0xd5 0xe7 0x37 0x7a 0xd1 0x1c 0x6e 0x29 0xc0 0x55 0x78 0xa7 0xb8 0x97 0x25 0x22 0xfa 0xb5 0xab 0x25 0xf6 0xb5 0x6c 0x4a 0xba 0x1c 0x08 0x14 0xc3 0x46 0x70 0x77 0xfe 0x5f 0x58 0x23 0x02 0x7d 0x4d 0x71 0x58 0x50 0xa9 0xe4 0x66 0x5d 0x38 0xe0 0x97 0x55 0x6e 0x49 0xd8 0x4e 0x0e 0x7a 0xde 0xc6 0xee 0x7b 0xa1 0x14 0x50 0xa4 0xa9 0x56 0x9d 0x6b 0x74 0xb4 0xd4 0x16 0x15 0xad 0xad 0xfa 0x94 0xe3 0xa3 0xd8 0x18 0xc2 0x25 0x5d 0xc7 0x7a 0x3b 0x09 0xcd 0x77 0x4e 0xbb 0xbd 0x9f 0x39 0x86 0xf5 0x10 0x5c 0xb8 0x50 0xe0 0xd6 0xc5 0xd6 0x63 0x3e 0x9c 0xde 0x57 0xf8 0x44 0x33 0xb4 0xbe 0x15 0x70 0x9d 0x02 0x33 0x27 0x50 0x55 0xdd 0x11 0xb4 0xd3 0xd6 0x32 0x3b 0xbb 0x92 0x47 0x4b 0x57 0x93 0x4f 0x1f 0x0c 0xcc 0xdd 0xfe 0x6a 0x8e 0xa1 0x6d 0x0a 0xfd 0x69 0xb6 0xc0 0x8d 0x7e 0xf5 0x03 0xf0 0xd8 0xa1 0xb9 0x30 0x69 0x31 0x36 0x9a 0xeb 0xee 0xd3 0x0b 0xe9 0xa0 0x03 0x5b 0x5c 0x69 0x3f 0xd3 0xa5 0x0a 0x89 0x67 0xb9 0x3a 0xf3 0xeb 0x74 0x81 0x43 0x48 0xaa 0x98 0xce 0x9c 0x14 0x47 0xad 0xe0 0x3e 0x1a 0x94 0xd8 0xd8 0xff 0x2e 0x04 0xd9 0xc0 0x1a 0x8e 0x33 0x62 0xe8 0x2d 0x20 0x25 0xda 0xfb 0xe8 0x99 0x68 0x91 0x82 0xfd 0x95 0x0b 0x8a 0x4b 0xc4 0xe1 0x0e 0xc4 0xcc 0xec 0x71 0x51 0x93 0x1c 0x27 0xe6 0xb1 0xda 0xdc 0xc5 0x11 0x72 0xb3 0x74 0xf8 0xc1 0x0c 0xfc 0x70 0xd7 0xb7 0x69 0xbf 0xa4 0xc8 0xfa 0xa5 0x73 0xbf 0xb4 0xd0 0x94 0xf9 0x25 0x51 0xf9 0x24 0x32 0xb6 0x00 0x2f 0xc1 0x8f 0xda 0xd3 0x03 0x26 0x7a 0xe9 0x66 0x68 0x55 0x2f 0xec 0x5d 0x92 0xc3 0xdb 0xbe 0x98 0xfa 0x11 0x23 0x13 0x6d 0xa0 0xfd 0x00 0x2f 0x73 0x82 0xa2 0x87 0xdd 0x55 0x71 0x59 0x1d 0x98 0x65 0xec 0xdc 0x7b 0xa8 0x3a 0x68 0x93 0x9e 0x26 0x38 0xaa 0xe3 0x06 0x43 0x13 0x3d 0x58 0xa6 0x3e 0xb5 0x5f 0x38 0x59 0xca 0x39 0xb6 0x37 0x4d 0x3e 0xd7 0xbf 0xba 0x1e 0x15 0x56 0x7e 0xb0 0x76 0xbd 0x02 0xc0 0xee 0x8c 0xf6 0xf1 0xff 0x7b 0x01 0x42 0x4b 0x4e 0x51 0x55 0x8c 0xf7 0xb3 0xfe 0x3d 0x08 0x5f 0xc6 0x85 
0xc5 0x4b 0x55 0x0e 0x85 0x47 0x15 0xd0 0x13 0x7a 0x76 0x42 0xfd 0x10 0xb5 0xb1 0xd7 0x60 0xbe 0x82 0xa4 0xc7 0xd1 0x11 0x6b 0x75 0x54 0x33 0x83 0x42 0x6b 0xab 0x0f 0x86 0xaf 0x71 0xc6 0xa9 0x78 0xf3 0x0e 0x3d 0x23 0x88 0x18 0x76 0x8a 0xe5 0x76 0x85 0x90 0xf3 0xa7 0xf9 0x9e 0x6b 0x8f 0x16 0xda 0xdd 0x52 0xf1 0x6e 0x99 0x60 0x11 0xc5 0x61 0xed 0xeb 0xf5 0xfa 0xe6 0x8b 0xe6 0xf7 0x60 0x3b 0xbc 0x60 0x69 0x13 0x8a 0xa1 0x14 0xfa 0x78 0x5f 0x9e 0x61 0x39 0xbd 0x01 0x81 0xe5 0x27 0xc9 0xd4 0xa2 0xb9 0x9a 0x68 0x4d 0xf7 0x15 0x19 0xc3 0x59 0xb8 0xe2 0xf0 0x98 0x8c 0xb1 0x8f 0x2e 0xce 0xad 0x57 0x7a 0x0c 0xe5 0xd6 0x42 0x00 0x83 0x0d 0xfe 0x9d 0x02 0xd0 0x70 0x10 0x61 0x29 0xf0 0xb7 0x58 0x53 0x26 0x4b 0xc9 0x75 0xe5 0xd0 0x9f 0x3d 0x34 0x8a 0x48 0x37 0x55 0x11 0xcf 0x91 0x5e 0xcf 0x94 0x48 0x18 0xad 0x63 0x70 0x96 0xd4 0x40 0xd5 0xf0 0xf8 0x49 0xa4 0x86 0x99 0x44 0x9c 0x00 0x6d 0x40 0xc2 0xd4 0xf2 0x02 0x7e 0xe4 0xe9 0x95 0x8a 0x20 0xc0 0x0e 0x97 0xda 0xee 0x7b 0x09 0x43 0x32 0x50 0xae 0x8f 0x44 0x5d 0x3f 0x47 0x4e 0x22 0x4e 0xcc 0xc4 0xe3 0x61 0xa6 0xc5 0xea 0x7f 0x4c 0x8c 0xd5 0x60 0xb5 0x24 0x3a 0xcd 0x4a 0x5b 0xd5 0xf8 0x04 0xc9 0x60 0x5f 0x82 0x60 0x16 0x6e 0xa9 0x21 0xda 0x43 0xd0 0x93 0x06 0xee 0x69 0x90 0x0e 0xc0 0x3c 0x06 0x61 0xdb 0xc8 0x6a 0x72 0xee 0x35 0x45 0xa6 0xf3 0x0b 0x32 0xa7 0x8b 0x29 0x6a 0x9a 0x9a 0x34 0x5e 0xf6 0x5f 0x10 0x8b 0xdd 0xfc 0x0b 0x65 0x08 0xa9 0xaf 0x6c 0xe9 0x53 0x69 0x97 0x44 0xb2 0xe6 0xa9 0xc9 0xdc 0xa4 0x0e 0xc5 0x72 0xfa 0xed 0xe0 0xa6 0xa7 0x50 0x49 0x65 0x5d 0x44 0x76 0x4b 0x23 0x3f 0xb8 0x9e 0x96 0x28 0x4b 0xfd 0x69 0xf5 0xcc 0x71 0xef 0xd9 0xd2 0xcf 0x5a 0xb6 0x94 0x64 0x9e 0x00 0x95 0x28 0x4f 0x21 0x8c 0x8f 0x2c 0x37 0x8f 0x81 0x51 0x84 0x40 0xff 0x4e 0x33 0xfb 0x3e 0xb5 0x6b 0x58 0x77 0xa4 0x66 0x44 0x64 0x7e 0xf1 0x6e 0xc2 0xa6 0x14 0x55 0x4e 0x21 0x07 0xf9 0x01 0xb3 0x62 0x5d 0xaf 0xa6 0x9c 0x0e 0xcb 0x72 0x09 0xcb 0x96 0x3e 0xdb 0x87 0xd0 0x5c 0x72 0xc7 0x3c 0x11 0x6c 0x03 0xf0 0x1d 0x2f 0x6f 0x98 0x7f 0xe6 0x30 0x0b 0xf0 
0x29 0x6c 0xc0 0xa2 0x33 0x18 0xa4 0x81 0xc0 0x30 0x81 0xbd 0xa0 0x03 0x02 0x01 0x17 0xa2 0x81 0xb5 0x04 0x81 0xb2 0xcf 0x6c 0x71 0x40 0x0e 0x39 0xca 0xa9 0xa8 0x2b 0xd3 0xb4 0xd2 0x49 0x48 0x50 0xc9 0xfa 0x26 0x2e 0x19 0x07 0xe6 0xa5 0x2e 0x47 0x22 0x3c 0x14 0xce 0xe9 0x54 0xf4 0x19 0x7c 0x76 0xee 0x00 0xf0 0x22 0x3e 0x3f 0x73 0x98 0x8e 0xd9 0xbd 0x90 0x8b 0x3c 0x3d 0x4c 0x25 0x3d 0xa7 0x20 0xb3 0x2e 0xc1 0x7d 0x04 0xab 0x47 0x37 0x80 0x53 0x9c 0x8b 0xab 0xb9 0x53 0xc9 0x98 0x4b 0x59 0xe9 0xc3 0xd2 0xe8 0xe6 0x7e 0x24 0x57 0xfb 0x9d 0x6e 0xb1 0x31 0x5d 0xd6 0xf4 0x8b 0xdf 0x98 0x81 0x40 0x54 0x6c 0xcc 0x01 0x20 0x1e 0xd6 0xfd 0xa1 0x88 0x95 0xc6 0x90 0x05 0x8f 0x2b 0x31 0x08 0xb9 0xff 0xc8 0x9d 0x6c 0x91 0x9c 0x20 0x54 0x2a 0x92 0xb0 0x64 0x1a 0x5a 0x52 0xd4 0x60 0x46 0xff 0x75 0x24 0x52 0x1e 0xde 0x9c 0x50 0x47 0x31 0x58 0x18 0x30 0x41 0xdc 0x17 0x17 0x51 0xf3 0x0c 0xdb 0x12 0x31 0x60 0xa7 0x85 0xf5 0xf0 0xda 0xf2 0xd8 0x75 0x5b 0x1a 0x31 0x6c 0xf1 0x2c 0xbf 0x3b 0xd3 0xa6 0xd0 0xaa 0x25
      2009-02-02 14:23:20,643 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Creating new GSSContext.
      2009-02-02 14:23:20,658 TRACE [org.jboss.security.negotiation.MessageTrace.Response.Base64] oW0wa6JpBGdgZQYJKoZIhvcSAQICAgBvVjBUoAMCAQWhAwIBD6JIMEagAwIBF6I/BD23xV6Qxq6o
      jEmMvPOH+cbT0cWHZC43tZamt5IkKyKvQAF1vl3jWTez4+lAZU5t1/s4zX9mRNleEes9ROxj
      2009-02-02 14:23:20,658 TRACE [org.jboss.security.negotiation.MessageTrace.Response.Hex] 0xa1 0x6d 0x30 0x6b 0xa2 0x69 0x04 0x67 0x60 0x65 0x06 0x09 0x2a 0x86 0x48 0x86 0xf7 0x12 0x01 0x02 0x02 0x02 0x00 0x6f 0x56 0x30 0x54 0xa0 0x03 0x02 0x01 0x05 0xa1 0x03 0x02 0x01 0x0f 0xa2 0x48 0x30 0x46 0xa0 0x03 0x02 0x01 0x17 0xa2 0x3f 0x04 0x3d 0xb7 0xc5 0x5e 0x90 0xc6 0xae 0xa8 0x8c 0x49 0x8c 0xbc 0xf3 0x87 0xf9 0xc6 0xd3 0xd1 0xc5 0x87 0x64 0x2e 0x37 0xb5 0x96 0xa6 0xb7 0x92 0x24 0x2b 0x22 0xaf 0x40 0x01 0x75 0xbe 0x5d 0xe3 0x59 0x37 0xb3 0xe3 0xe9 0x40 0x65 0x4e 0x6d 0xd7 0xfb 0x38 0xcd 0x7f 0x66 0x44 0xd9 0x5e 0x11 0xeb 0x3d 0x44 0xec 0x63
      2009-02-02 14:23:20,658 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] context.getCredDelegState() = false
      2009-02-02 14:23:20,658 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] context.getMutualAuthState() = true
      2009-02-02 14:23:20,658 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] context.getSrcName() = testserver@DEV.MYDOMAIN.COM
      2009-02-02 14:23:20,658 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Result - true
      2009-02-02 14:23:20,658 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Storing username 'testserver@DEV.MYDOMAIN.COM' and empty password
      2009-02-02 14:23:20,658 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] super.loginOk true
      2009-02-02 14:23:20,658 TRACE [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] initialize, instance=@19532245
      2009-02-02 14:23:20,658 TRACE [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] Security domain: SPNEGO
      2009-02-02 14:23:20,658 TRACE [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] Using GSSAPI to connect to LDAP
      2009-02-02 14:23:20,658 DEBUG [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] Subject = Subject:
       Principal: host/testserver@DEV.MYDOMAIN.COM
       Private Credential: Ticket (hex) =
      0000: 61 82 01 1A 30 82 01 16 A0 03 02 01 05 A1 13 1B a...0...........
      0010: 11 4F 47 43 53 2E 48 59 44 52 4F 4F 4E 45 2E 43 .DEV.MYDOMAIN.C
      0020: 4F 4D A2 26 30 24 A0 03 02 01 02 A1 1D 30 1B 1B OM.&0$.......0..
      0030: 06 6B 72 62 74 67 74 1B 11 4F 47 43 53 2E 48 59 .krbtgt..DEV.MY
      0040: 44 52 4F 4F 4E 45 2E 43 4F 4D A3 81 D1 30 81 CE DOMAIN.COM...0..
      0050: A0 03 02 01 17 A1 03 02 01 02 A2 81 C1 04 81 BE ................
      0060: 56 FA 17 41 51 93 7E 4B 4E 2D C6 51 23 64 C6 92 V..AQ..KN-.Q#d..
      0070: 8B B6 79 72 6B 6A 56 8D FB AE 39 58 A6 58 A2 50 ..yrkjV...9X.X.P
      0080: E1 70 3D 34 07 8C 92 7E 9F F3 51 D0 D9 36 7B 7C .p=4......Q..6..
      0090: BB EB 27 3A EC 03 09 B5 4B 82 8D BB 60 C8 2D F3 ..':....K...`.-.
      00A0: A9 FF 0F 98 0B A4 8E A7 E3 05 D7 1F 43 CF 84 E2 ............C...
      00B0: 8A 6E 3B 05 E6 33 6E 0F 0D 3E B0 30 3B 91 3D CA .n;..3n..>.0;.=.
      00C0: B2 84 95 83 B8 06 E0 CC 86 AB BD 85 3A E4 E1 55 ............:..U
      00D0: 17 1A 8F D2 7B 89 38 B1 12 55 4E 5A 4C B7 D2 9D ......8..UNZL...
      00E0: C7 8B 5C 41 71 6F 98 EA BF 1E C5 D1 F6 39 44 D1 ..\Aqo.......9D.
      00F0: ED D8 21 2A DC BF 22 0D A1 FA 6A 1C 42 EA EA BE ..!*.."...j.B...
      0100: 55 FE 46 D6 29 49 46 4F DF 5B 64 A8 75 89 6A 9C U.F.)IFO.[d.u.j.
      0110: 37 51 69 A5 51 7C 4E AB 5E F0 5B CD 43 95 7Qi.Q.N.^.[.C.
      
      Client Principal = host/testserver@DEV.MYDOMAIN.COM
      Server Principal = krbtgt/DEV.MYDOMAIN.COM@DEV.MYDOMAIN.COM
      Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
      0000: E9 C8 85 EF F9 C2 FE 90 14 7A CA C0 5B 28 2F C3 .........z..[(/.
      
      
      Forwardable Ticket false
      Forwarded Ticket false
      Proxiable Ticket false
      Proxy Ticket false
      Postdated Ticket false
      Renewable Ticket false
      Initial Ticket false
      Auth Time = Mon Feb 02 14:23:20 GMT-05:00 2009
      Start Time = Mon Feb 02 14:23:20 GMT-05:00 2009
      End Time = Tue Feb 03 00:23:20 GMT-05:00 2009
      Renew Till = null
      Client Addresses Null
       Private Credential: Kerberos Principal host/testserver@DEV.MYDOMAIN.COMKey Version 7key EncryptionKey: keyType=23 keyBytes (hex dump)=
      0000: 7D F7 11 2D D5 EE B5 B9 EF 63 02 3A D2 51 78 C1 ...-.....c.:.Qx.
      
      
      
      2009-02-02 14:23:20,658 DEBUG [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] Logged in 'javax.security.auth.login.LoginContext@1ecfcd9' LoginContext
      2009-02-02 14:23:20,658 DEBUG [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] Executing innerlogin()
      2009-02-02 14:23:20,658 TRACE [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] login
      2009-02-02 14:23:20,658 TRACE [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] Identity - testserver@DEV.MYDOMAIN.COM
      2009-02-02 14:23:20,658 TRACE [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, roleNameAttributeID=cn, password-stacking=useFirstPass, baseCtxDN=DC=dev,DC=mydomain,DC=com, roleAttributeID=memberOf, baseFilter=(userPrincipalName={0}), jboss.security.security_domain=SPNEGO, bindAuthentication=GSSAPI, java.naming.provider.url=ldap://DOMAINCNTRL01.dev.mydomain.com:389, roleAttributeIsDN=true, jaasSecurityDomain=host, java.naming.security.authentication=GSSAPI, recurseRoles=true}
      2009-02-02 14:23:20,705 DEBUG [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] Obtained LdapContext
      2009-02-02 14:23:20,705 DEBUG [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] Performing search...
      2009-02-02 14:23:20,705 DEBUG [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] Unable to find user DN
      javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece ]; remaining name 'DC=dev,DC=mydomain,DC=com'
       at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3045)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758)
       at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1812)
       at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1735)
       at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1752)
       at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:394)
       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:376)
       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
       at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
       at org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule.findUserDN(AdvancedLdapLoginModule.java:509)
       at org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule.innerLogin(AdvancedLdapLoginModule.java:343)
       at org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule$AuthorizeAction.run(AdvancedLdapLoginModule.java:742)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAs(Subject.java:337)
       at org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule.login(AdvancedLdapLoginModule.java:279)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
       at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
       at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
       at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
       at java.lang.Thread.run(Thread.java:619)
      2009-02-02 14:23:20,705 TRACE [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] abort
      2009-02-02 14:23:20,705 TRACE [org.jboss.security.negotiation.spnego.AdvancedLdapLoginModule] abort
      2009-02-02 14:23:20,705 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] authenticated principal = null
      2009-02-02 14:23:20,705 TRACE [org.jboss.security.negotiation.spnego.SPNEGOContext] clear 30621423
      



      Anyone have any ideas as to where I went wrong? Any help would be greatly appreciated.

        • 1. Re: Bind Error with GSSAPI SASL using JBossNegotiate
          dlofthouse

          Looking at your configuration I don't see anything that jumps out at me as being wrong.

The error message that you have shown is something that is coming back from Active Directory. I have found the following page, which contains some information on how to obtain further logging from Active Directory to start to diagnose why a request is failing.

          http://support.microsoft.com/default.aspx?scid=kb;en-us;314980&sd=tech

          We can see from your logs that your host security domain is able to successfully authenticate using the keytab so I don't suspect a problem there.

If possible, do you have anything like Wireshark available to trace the network traffic between Server1 and Server2? One possible area to configure is the "java.naming.provider.url": is this exactly the same name that you used to specify the KDC? If not, it is possible that it is a case-sensitive comparison which is making the "java.naming.provider.url" look as though it is not trusted, so the GSSAPI mechanism is not being used. Traces from Wireshark should show additional Kerberos requests that may illustrate if this is the problem.

          • 2. Re: Bind Error with GSSAPI SASL using JBossNegotiate
            david.wade

            nulltransfer/darran

            I also can't get this working. It just silently fails. Testing with the toolkit war passes the first two tests but on the secured.

I also rebuilt the jboss-negotiation-2.0.3.GA.jar to add the same logging I see that you did, and found that the bind is failing with exactly the same error as you had. This exception logging needs to be added to the release.

Did you resolve why it was not working for you?

Darran suggested I create a Wireshark capture, but I see no way to attach it here. Any suggestion where I should put it?

Will work on the Active Directory debugging now. Will post what we find, but project timescales will soon dictate a switch of app server if this is not resolved soon.

            • 3. Re: Bind Error with GSSAPI SASL using JBossNegotiate
              jaripatp

              Hi nulltransfer,

I had a similar type of issue.

On the Domain Controller, I unchecked the checkbox in the service user's settings (Account tab -> Account settings) which says "Do not require Kerberos Preauthentication", and it worked.

              Let me know whether it helps.
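As an added example (not code from this thread or from the JBoss Negotiation project), the stand-alone Java program below does by hand what AdvancedLdapLoginModule does with bindAuthentication=GSSAPI: a keytab login through JAAS, then a JNDI search run inside Subject.doAs so that the SASL GSSAPI bind can pick up the Kerberos credentials. It also reads the matched account's userAccountControl and reports whether the "Do not require Kerberos Preauthentication" flag from the reply above is set, which is the check a practitioner would want before and after applying that fix. The hostnames, base DN, filter and JAAS entry name are assumptions that mirror the redacted configuration in the original post; the bit value 0x400000 is Active Directory's documented ADS_UF_DONT_REQUIRE_PREAUTH flag. Disabling pre-authentication removes a Kerberos protection, so the helper treats a set bit as a finding, not just a configuration detail.

```java
// Added example: reproduces the GSSAPI LDAP bind + search performed by AdvancedLdapLoginModule,
// then checks the account's Kerberos pre-authentication flag. Assumed environment: a reachable DC,
// a valid keytab, and a JAAS entry named "host" (see the comment in main).
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

public class GssapiLdapProbe {

    // Assumed values mirroring the (redacted) thread configuration; adjust to your environment.
    static final String JAAS_ENTRY = "host";
    static final String PROVIDER_URL = "ldap://DOMAINCTRL01.dev.mydomain.com:389";
    static final String BASE_DN = "DC=dev,DC=mydomain,DC=com";
    static final String USER_FILTER = "(userPrincipalName={0})";

    // userAccountControl bit behind the AD checkbox "Do not require Kerberos preauthentication"
    // (ADS_UF_DONT_REQUIRE_PREAUTH = 0x400000).
    static final long DONT_REQ_PREAUTH = 0x400000L;

    public static void main(String[] args) throws Exception {
        // Run with -Djava.security.auth.login.config=jaas.conf, where jaas.conf holds the
        // equivalent of the thread's "host" application-policy:
        //   host { com.sun.security.auth.module.Krb5LoginModule required
        //          useKeyTab=true storeKey=true doNotPrompt=true
        //          keyTab="C:\\testserver.keytab"
        //          principal="host/testserver@DEV.MYDOMAIN.COM"; };
        String upn = args.length > 0 ? args[0] : "testserver@DEV.MYDOMAIN.COM";

        LoginContext lc = new LoginContext(JAAS_ENTRY);
        lc.login();                       // keytab login; fails loudly if keytab or KDC is wrong
        Subject subject = lc.getSubject();

        // The SASL GSSAPI client only sees the Kerberos credentials of the Subject it runs under,
        // so the whole JNDI interaction is wrapped in Subject.doAs, just as the login module does.
        String report = Subject.doAs(subject,
                (PrivilegedExceptionAction<String>) () -> lookupAndCheck(upn));
        System.out.println(report);
        lc.logout();
    }

    static LdapContext gssapiBind() throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        // Require integrity and confidentiality on the SASL layer plus mutual authentication,
        // so a weaker (auth-only) layer is never negotiated silently.
        env.put("javax.security.sasl.qop", "auth-conf");
        env.put("javax.security.sasl.server.authentication", "true");
        // The GSSAPI bind is performed here. If it does not complete, a later search against the
        // naming context fails with the thread's "a successful bind must be completed" error.
        return new InitialLdapContext(env, null);
    }

    static String lookupAndCheck(String upn) throws NamingException {
        LdapContext ctx = gssapiBind();
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] {"distinguishedName", "userAccountControl"});
            NamingEnumeration<SearchResult> hits =
                    ctx.search(BASE_DN, USER_FILTER, new Object[] {upn}, sc);
            if (!hits.hasMore()) {
                return "no entry for " + upn;
            }
            SearchResult hit = hits.next();
            Attribute uac = hit.getAttributes().get("userAccountControl");
            long flags = uac == null ? 0L : Long.parseLong((String) uac.get());
            return hit.getNameInNamespace()
                    + " userAccountControl=0x" + Long.toHexString(flags)
                    + " preauthRequired=" + preauthRequired(flags);
        } catch (NamingException e) {
            // Surface the server-side diagnostic (result code, DSID, comment) instead of
            // swallowing it; in the thread the real error only appeared after extra logging.
            System.err.println("LDAP failure: " + e.getExplanation());
            throw e;
        } finally {
            ctx.close();
        }
    }

    // Pure helper: true when the account still requires Kerberos pre-authentication.
    static boolean preauthRequired(long userAccountControl) {
        return (userAccountControl & DONT_REQ_PREAUTH) == 0;
    }
}
```

Under JBoss the "host" entry is resolved through the jaasSecurityDomain option of the login module; outside the container it comes from the jaas.conf file named in the comment. A "no entry for ..." result after a successful bind means the filter or base DN is wrong rather than the authentication, while a NamingException thrown from the search with the thread's error text means the SASL bind never completed on that connection.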

              • 4. Re: Bind Error with GSSAPI SASL using JBossNegotiate
                jar349

I currently have a similar issue, and I do have "do not require kerberos preauthentication" checked on the service account.

                I've posted a thread about my issue here: http://community.jboss.org/thread/151329?tstart=0 and it does include a summarized wireshark capture.