4 Replies Latest reply on Apr 14, 2010 11:25 AM by Sridhar Alapati

    Issues with JBoss Negotiation

    Daniel Messer Newbie

      I am having some serious configuration issues when trying to run the toolkit. I am running out of ideas and time to make it work, so maybe you could point me in some direction on how to fix my problems.
      I am running security-negotiation-2.0.3.Beta2 with JBoss 4.2.3.GA on a Linux X86_64 machine.

      On the client side, I am using Firefox 2.0.0.7 on a Linux i686 desktop
      - I enabled GSSAPI:
      network.negotiate-auth.allow-proxies: true
      network.negotiate-auth.delegation-uris:
      network.negotiate-auth.gsslib:
      network.negotiate-auth.trusted-uris: http://
      network.negotiate-auth.using-native-gsslib: true

      - Security Domain test works fine
      - Basic negotiation fails with the following error:

      =============================================================
      HTTP Status 500 -

      type Exception report

      message

      description The server encountered an internal error () that prevented it from fulfilling this request.

      exception

      javax.servlet.ServletException: Unable to writeHeaderDetail
      org.jboss.security.negotiation.toolkit.BasicNegotiationServlet.doGet(BasicNegotiationServlet.java:106)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

      root cause

      java.io.IOException: Unexpected message type
      org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decodeNegTokenInitSequence(NegTokenInitDecoder.java:112)
      org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decode(NegTokenInitDecoder.java:144)
      org.jboss.security.negotiation.toolkit.BasicNegotiationServlet.writeHeaderDetail(BasicNegotiationServlet.java:137)
      org.jboss.security.negotiation.toolkit.BasicNegotiationServlet.doGet(BasicNegotiationServlet.java:96)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
      javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)

      note The full stack trace of the root cause is available in the JBossWeb/2.0.1.GA logs.

      ============================================================

      On the server side the log shows:

      ============================================================
      2009-01-21 10:18:38,645 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] No Authorization Header, sending 401
      2009-01-21 10:18:38,655 INFO [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] Authorization header received - formatting web page response.
      2009-01-21 10:18:38,656 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/jboss-negotiation-toolkit].[BasicNegotiation]] Servlet.service() for servlet BasicNegotiation threw exception java.io.IOException: Unexpected message type
      at org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decodeNegTokenInitSequence(NegTokenInitDecoder.java:112)
      at org.jboss.security.negotiation.spnego.encoding.NegTokenInitDecoder.decode(NegTokenInitDecoder.java:144)
      :
      :
      ============================================================

      The request header is:

      ============================================================
      Host lnx.americas.sgi.com:8080
      User-Agent Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
      Accept text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
      Accept-Language en-us,en;q=0.5
      Accept-Encoding gzip,deflate
      Accept-Charset ISO-8859-1,utf-8;q=0.7,*;q=0.7
      Keep-Alive 300
      Connection keep-alive
      Referer http://lnx.americas.sgi.com:8080/jboss-negotiation-toolkit/
      Cookie s_vi=[CS]v1|492193040000758D-A0208550000349F[CE]; SGISESSION=WeAsHAJ9%2FOd8g
      Authorization Negotiate

      ===========================================================

      The login-config.xml configuration is:

      ===========================================================
      <application-policy name="host">

      <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
      <module-option name="storeKey">true</module-option>
      <module-option name="useKeyTab">true</module-option>
      <module-option name="principal">host/lnx.americas.sgi.com@SLC.SGI.COM</module-option>
      <module-option name="keyTab">/etc/krb5.keytab</module-option>
      <module-option name="doNotPrompt">true</module-option>
      <module-option name="debug">true</module-option>
      </login-module>

      </application-policy>

      <application-policy name="SPNEGO">

      <login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="serverSecurityDomain">host</module-option>
      </login-module>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="password-stacking">useFirstPass</module-option>
      <module-option name="usersProperties">props/spnego-users.properties</module-option>
      <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
      </login-module>

      </application-policy>

      ===============================================================

      - I got the tickets on the client side through kinit -p -f:
      klist -e
      Ticket cache: FILE:/tmp/krb5cc_10002
      Default principal: daniel@SLC.SGI.COM

      Valid starting Expires Service principal
      01/21/09 08:24:34 01/22/09 08:24:34 krbtgt/SLC.SGI.COM@SLC.SGI.COM
      Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
      01/21/09 08:24:52 01/22/09 08:24:34 HTTP/lnx.americas.sgi.com@SLC.SGI.COM
      Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
      01/21/09 08:47:26 01/22/09 08:24:34 host/lnx.americas.sgi.com@SLC.SGI.COM
      Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1


      Kerberos 4 ticket cache: /tmp/tkt10002
      klist: You have no tickets cached

      - On the server side the tickets are:
      # klist -e
      Ticket cache: FILE:/tmp/krb5cc_0
      Default principal: root@SLC.SGI.COM

      Valid starting Expires Service principal
      01/20/09 17:18:14 01/21/09 17:18:13 krbtgt/SLC.SGI.COM@SLC.SGI.COM
      Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
      01/20/09 17:18:24 01/21/09 17:18:13 host/aphelion.americas.sgi.com@SLC.SGI.COM
      Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1


      Kerberos 4 ticket cache: /tmp/tkt0
      klist: You have no tickets cached

      - the kerberos configuration on the client side is:

      =========================================================
      [libdefaults]
      default_realm = SLC.SGI.COM
      forwardable = 1

      [realms]
      SLC.SGI.COM = {
      default_domain = SLC.SGI.COM
      kdc = depot.americas.sgi.com:88
      kdc = aphelion.americas.sgi.com:88
      kdc = feanor.americas.sgi.com:88
      admin_server = depot.americas.sgi.com:749
      }

      [domain_realm]
      .americas.sgi.com = SLC.SGI.COM
      americas.sgi.com = SLC.SGI.COM

      [logging]
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb5lib.log
      ============================================================

      - on the server side, the kerberos configuration is

      ============================================================
      [libdefaults]
      default_realm = SLC.SGI.COM
      forwardable = 1

      [realms]
      SLC.SGI.COM = {
      default_domain = SLC.SGI.COM
      kdc = depot.americas.sgi.com:88
      kdc = aphelion.americas.sgi.com:88
      kdc = feanor.americas.sgi.com:88
      admin_server = depot.americas.sgi.com:749
      }

      [domain_realm]
      .americas.sgi.com = SLC.SGI.COM
      americas.sgi.com = SLC.SGI.COM

      [logging]
      kdc = FILE:/var/log/krb5kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb5lib.log
      ===========================================================

      Please let me know if you need more information.
      Your help would be greatly appreciated.

      Daniel
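The "Unexpected message type" above is raised while the toolkit decodes the header as a SPNEGO NegTokenInit. As an added example (not part of the thread or of JBoss Negotiation), this classifier reports what kind of token a Negotiate header value actually carries; the sample tokens are constructed framing bytes, not captured ones.

```python
import base64

# DER content bytes of the mechanism OIDs (without the 0x06 tag and length).
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "spnego",              # 1.3.6.1.5.5.2
    bytes.fromhex("2a864886f712010202"): "kerberos",      # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos-ms",   # 1.2.840.48018.1.2.2
}


def _der_len(buf, pos):
    """Decode the DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def classify_negotiate(header_value):
    """Say what kind of token an 'Authorization' header value carries."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "no-token"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "not-base64"
    if tok.startswith(b"NTLMSSP\x00"):
        return "raw-ntlm"                   # NTLM sent without SPNEGO framing
    if tok[:1] == b"\xa1":
        return "spnego-negTokenResp"        # a later leg, not an initial token
    if tok[:1] != b"\x60":
        return "unknown"
    try:                                    # GSS-API framing: 0x60 len 0x06 len OID
        _, pos = _der_len(tok, 1)
        if tok[pos] != 0x06:
            return "unknown"
        oid_len, pos = _der_len(tok, pos + 1)
        mech = MECH_OIDS.get(tok[pos:pos + oid_len], "other-mech")
        inner_tag = tok[pos + oid_len]
    except (ValueError, IndexError):
        return "truncated"
    if mech == "spnego":
        return "spnego-negTokenInit" if inner_tag == 0xA0 else "spnego-other"
    return "raw-" + mech if mech != "other-mech" else mech


def _gss(oid_hex, body):
    """Build a constructed GSS-API initial token for the samples below."""
    oid = bytes.fromhex(oid_hex)
    inner = b"\x06" + bytes([len(oid)]) + oid + body
    return "Negotiate " + base64.b64encode(b"\x60" + bytes([len(inner)]) + inner).decode()


# Constructed samples: minimal framing only, not usable credentials.
SAMPLES = {
    "spnego": _gss("2b0601050502", b"\xa0\x02\x30\x00"),
    "kerberos": _gss("2a864886f712010202", b"\x01\x00"),
    "ntlm": "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode(),
    "empty": "Negotiate",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, "->", classify_negotiate(value))
```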

        • 1. Re: Issues with JBoss Negotiation
          Daniel Messer Newbie

          Darran,

          As per your suggestion, I upgraded Firefox to Firefox3. It still doesn't work but now I get the following error:
          Any ideas?
          Thanks

          20:57:14,091 INFO [SPNEGOAuthenticator] Header - null
          20:57:14,187 INFO [SPNEGOAuthenticator] Header - Negotiate
          20:57:14,188 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /etc/krb5.keytab refreshKrb5Config is false principal is host/lnx.americas.sgi.com@SLC.SGI.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
          20:57:14,189 INFO [STDOUT] principal's key obtained from the keytab
          20:57:14,189 INFO [STDOUT] Acquire TGT using AS Exchange
          20:57:14,236 INFO [STDOUT] principal is host/lnx.americas.sgi.com@SLC.SGI.COM
          20:57:14,237 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: EA 7F 1F 73 8F 89 7C 08
          20:57:14,237 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 64 CD 57 D9 B0 C2 19 D0 85 DF 5E 0B 6D 43 CD 37 d.W.......^.mC.7
          0010: CD B3 CB B5 0D 5D DC 13
          20:57:14,237 INFO [STDOUT] Added server's keyKerberos Principal host/lnx.americas.sgi.com@SLC.SGI.COMKey Version 3key EncryptionKey: keyType=1 keyBytes (hex dump)=
          0000: EA 7F 1F 73 8F 89 7C 08
          20:57:14,237 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/lnx.americas.sgi.com@SLC.SGI.COM to Subject
          20:57:14,237 INFO [STDOUT] Added server's keyKerberos Principal host/lnx.americas.sgi.com@SLC.SGI.COMKey Version 3key EncryptionKey: keyType=16 keyBytes (hex dump)=
          0000: 64 CD 57 D9 B0 C2 19 D0 85 DF 5E 0B 6D 43 CD 37 d.W.......^.mC.7
          0010: CD B3 CB B5 0D 5D DC 13
          20:57:14,237 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/lnx.americas.sgi.com@SLC.SGI.COM to Subject
          20:57:14,237 INFO [STDOUT] Commit Succeeded
          20:57:14,241 ERROR [SPNEGOLoginModule] Unable to authenticate
          GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
          at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:730)
          at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:300)
          at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:246)
          at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:295)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.Subject.doAs(Subject.java:337)
          at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:113)
          at sun.reflect.GeneratedMethodAccessor77.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
          at java.lang.reflect.Method.invoke(Method.java:585)
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
          at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
          at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
          at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
          at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
          at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
          at java.lang.Thread.run(Thread.java:595)
          Caused by: KrbException: Checksum failed
          at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:77)
          at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:69)
          at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:167)
          at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
          at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
          at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
          at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:715)
          ... 31 more
          Caused by: java.security.GeneralSecurityException: Checksum failed
          at sun.security.krb5.internal.crypto.dk.DkCrypto.decrypt(DkCrypto.java:354)
          at sun.security.krb5.internal.crypto.Des3.decrypt(Des3.java:57)
          at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:75)
          ... 37 more
          20:57:14,243 INFO [STDOUT] [Krb5LoginModule]: Entering logout
          20:57:14,243 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
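The "Checksum failed" above comes from KrbApReq.authenticate decrypting with the acceptor's key, and a service ticket can only be decrypted with the key of the principal it was issued for. As an added example (not part of the thread or of JBoss Negotiation), this check compares the principal configured on the Krb5LoginModule with the HTTP/<host> principal a browser requests for the URL, using values abridged from the first post. It assumes the browser does no DNS canonicalisation of the host name.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

KRB5_MODULE = "com.sun.security.auth.module.Krb5LoginModule"
TICKET_RE = re.compile(r"^\s*\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+"
                       r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+@\S+)\s*$")

# Values abridged from the first post of this thread.
LOGIN_CONFIG = """
<application-policy name="host">
<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
<module-option name="useKeyTab">true</module-option>
<module-option name="principal">host/lnx.americas.sgi.com@SLC.SGI.COM</module-option>
<module-option name="keyTab">/etc/krb5.keytab</module-option>
</login-module>
</application-policy>
"""
CLIENT_KLIST = """
01/21/09 08:24:34 01/22/09 08:24:34 krbtgt/SLC.SGI.COM@SLC.SGI.COM
01/21/09 08:24:52 01/22/09 08:24:34 HTTP/lnx.americas.sgi.com@SLC.SGI.COM
01/21/09 08:47:26 01/22/09 08:24:34 host/lnx.americas.sgi.com@SLC.SGI.COM
"""
URL = "http://lnx.americas.sgi.com:8080/jboss-negotiation-toolkit/"


def acceptor_principals(login_config_xml):
    """Security domain name -> principal set on its Krb5LoginModule."""
    # Wrap the fragment in one root element so several policies parse together.
    root = ET.fromstring("<policy>%s</policy>" % login_config_xml)
    found = {}
    for policy in root.iter("application-policy"):
        for module in policy.iter("login-module"):
            if module.get("code") != KRB5_MODULE:
                continue
            for opt in module.iter("module-option"):
                if opt.get("name") == "principal":
                    found[policy.get("name")] = (opt.text or "").strip()
    return found


def cached_service_tickets(klist_text):
    """Service principals listed in klist output (date format as in the post)."""
    return [m.group(1) for m in map(TICKET_RE.match, klist_text.splitlines()) if m]


def check_domain(login_config_xml, klist_text, url, domain="host"):
    """Compare the acceptor principal with the SPN a browser requests for url."""
    acceptor = acceptor_principals(login_config_xml)[domain]
    realm = acceptor.rsplit("@", 1)[1]
    # Assumption: the browser asks for HTTP/<URL host> with no DNS canonicalisation.
    browser_spn = "HTTP/%s@%s" % (urlsplit(url).hostname, realm)
    return {
        "acceptor": acceptor,
        "browser_spn": browser_spn,
        "client_holds_ticket": browser_spn in cached_service_tickets(klist_text),
        "same_principal": acceptor == browser_spn,
    }


if __name__ == "__main__":
    for key, value in check_domain(LOGIN_CONFIG, CLIENT_KLIST, URL).items():
        print("%-20s %s" % (key, value))
```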

          • 2. Re: Issues with JBoss Negotiation
            Daniel Messer Newbie

            Darran,

            I realized that Negotiation 2.0.3GA has been released. I updated JBoss with the new version.
            Now, Basic Negotiation, which used to work when I upgraded Firefox, is not working anymore with a new error:

            22:06:55,767 INFO [BasicNegotiationServlet] No Authorization Header, sending 401
            22:06:55,922 INFO [BasicNegotiationServlet] Authorization header received - decoding token.
            22:06:55,923 ERROR [[BasicNegotiation]] Servlet.service() for servlet BasicNegotiation threw exception
            java.lang.VerifyError: (class: org/jboss/security/negotiation/spnego/SPNEGOMessageFactory, method: createMessage signature: (Ljava/io/InputStream;)Lorg/jboss/security/negotiation/NegotiationMessage;) Wrong return type in function
            at java.lang.Class.getDeclaredConstructors0(Native Method)
            at java.lang.Class.privateGetDeclaredConstructors(Class.java:2357)
            at java.lang.Class.getConstructor0(Class.java:2671)
            at java.lang.Class.newInstance0(Class.java:321)
            at java.lang.Class.newInstance(Class.java:303)
            at org.jboss.security.negotiation.MessageFactory.newInstance(MessageFactory.java:110)
            at org.jboss.security.negotiation.MessageFactory.newInstance(MessageFactory.java:80)
            at org.jboss.security.negotiation.toolkit.BasicNegotiationServlet.doGet(BasicNegotiationServlet.java:105)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
            at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
            at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
            at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
            at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
            at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
            at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
            at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
            at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
            at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
            at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
            at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
            at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
            at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
            at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
            at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
            at java.lang.Thread.run(Thread.java:595)

            Your help is greatly appreciated,
            Thanks,

            Daniel

            • 3. Re: Issues with JBoss Negotiation
              Darran Lofthouse Master

              Daniel,

              The latest error that you are showing looks as though you may have more than one version of the JBoss Negotiation library deployed - can you double check that you did completely remove the old version?
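One way to run the check asked for above, as an added example (not code from the thread or from JBoss Negotiation): list every archive under a server directory that contains the class named in the VerifyError, including jars nested inside a .war, .sar or .ear. The demo directory and archive names are constructed; pass the real server directory as the first argument instead.

```python
import io
import os
import zipfile

# Class named in the VerifyError in the previous post.
CLASS_ENTRY = "org/jboss/security/negotiation/spnego/SPNEGOMessageFactory.class"
ARCHIVE_EXT = (".jar", ".war", ".sar", ".ear")


def _scan_zip(zf, label, entry, hits):
    """Record label if zf holds entry; recurse into archives nested inside it."""
    for name in zf.namelist():
        if name == entry or name.endswith("/" + entry):
            hits.add(label)                       # e.g. WEB-INF/classes/<entry>
        elif name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_zip(inner, label + "!/" + name, entry, hits)
            except zipfile.BadZipFile:
                continue                          # not really an archive


def find_class_copies(root, entry=CLASS_ENTRY):
    """Return every location under root that provides entry, sorted."""
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.lower().endswith(ARCHIVE_EXT) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    _scan_zip(zf, path, entry, hits)
            elif path.replace(os.sep, "/").endswith("/" + entry):
                hits.add(path)                    # class in an exploded deployment
    return sorted(hits)


def build_demo_tree(root):
    """Constructed layout: one jar in lib/ and a second copy nested in a .war."""
    lib, deploy = os.path.join(root, "lib"), os.path.join(root, "deploy")
    os.makedirs(lib)
    os.makedirs(deploy)
    with zipfile.ZipFile(os.path.join(lib, "negotiation-old.jar"), "w") as zf:
        zf.writestr(CLASS_ENTRY, b"old")
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(CLASS_ENTRY, b"new")
    with zipfile.ZipFile(os.path.join(deploy, "toolkit.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/negotiation-new.jar", nested.getvalue())
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    return root


if __name__ == "__main__":
    import sys
    import tempfile
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree(tempfile.mkdtemp())
    copies = find_class_copies(target)
    for location in copies:
        print(location)
    print("conflict: more than one copy" if len(copies) > 1 else "ok")
```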

              • 4. Re: Issues with JBoss Negotiation
                Sridhar Alapati Newbie

                Hi Darran,

                I'm trying JBoss Negotiation as a proof of concept at my company. I'm trying to test this entirely on my workstation, which runs on Linux. I have JBoss 4.2.3 GA deployed locally and I'm using the latest Firefox 3.6.3 as my browser. I downloaded JBoss Security Negotiation 2.0.3 GA and followed the instructions in the user guide to set things up. I thought I had it all set up and deployed the jboss-negotiation-toolkit locally to test my settings.

                I also configured my Firefox's network.negotiate-auth.trusted-uris to be http://localhost:8080 (that's where my JBoss is).

                I'm able to test the "Security Domain Test" successfully. I get the expected "Authenticated" message for my security domain "host".

                I'm NOT able to test the "Basic Negotiation". I get an "HTTP 401" error: "This request requires HTTP Authentication".

                I see this in the logs:

                         INFO  [org.jboss.security.negotiation.toolkit.BasicNegotiationServlet] No Authorization Header, sending 401

                 

                Could you figure out what I'm missing? Can we actually do this on a single workstation? Any help would be appreciated.

                 

                Below is my login-config.xml

                 

                <application-policy name="host">
                   <authentication>
                      <login-module code="com.sun.security.auth.module.Krb5LoginModule"
                         flag="required">
                         <module-option name="storeKey">true</module-option>
                         <module-option name="useKeyTab">true</module-option>                                                    
                         <module-option name="principal">jboss-process@MY.COMPANY.DOMAIN.COM</module-option>            
                         <module-option name="keyTab">/home/testuser/lhost.keytab</module-option>
                         <module-option name="doNotPrompt">true</module-option>
                         <module-option name="isInitiator">false</module-option>
                         <module-option name="debug">true</module-option>
                      </login-module>
                   </authentication>
                </application-policy>

                 

                <application-policy name="SPNEGO">
                   <authentication>
                      <login-module
                         code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule"
                         flag="requisite">
                         <module-option name="password-stacking">useFirstPass</module-option>
                         <module-option name="serverSecurityDomain">host</module-option>
                      </login-module>
                      <login-module
                         code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                         flag="required">
                         <module-option name="password-stacking">useFirstPass</module-option>
                         <module-option name="usersProperties">props/spnego-users.properties</module-option>
                         <module-option name="rolesProperties">props/spnego-roles.properties</module-option>
                      </login-module>
                    </authentication>
                </application-policy>
                </policy>