1. Re: JBoss on Windows XP, Kerberos MIT on unix, SPNEGO issue
dlofthouse Feb 18, 2009 9:45 AM (in response to neoben)
I have to say that so far this is not a scenario I have worked with yet; most of my MIT KDC testing was done using FreeIPA with only a Linux server and client, so I have not yet tried a Windows client with a Linux/MIT KDC.
So far, from experience, the easiest way to analyse this further would be to use a tool like Wireshark to monitor the network traffic between the Windows machine and the Linux/MIT KDC. At the point where the web browser decides whether it should trust the server, it will send a TGS-REQ packet to the KDC and will trust the server if it gets a valid TGS-REP in response; using Wireshark will let you double-check what is being requested and what any failure message says.
2. Re: JBoss on Windows XP, Kerberos MIT on unix, SPNEGO issue
neoben Feb 18, 2009 11:39 AM (in response to neoben)
Excellent, I have the basic Negotiation working! Wireshark showed that http/hostmane.mycompany.net@MYCOMPANY.NET was not correct. It should have been HTTP/hostmane.mycompany.net@MYCOMPANY.NET.
The secured servlet still does not work though... and this time Wireshark is not so helpful. Server and client are on the same machine, and I see AS-REQ, AS-REP, TGS-REQ, TGS-REP, and nothing else. The web page shows the classic HTTP 401.
The JBoss logs are not very helpful either:
16:38:04,763 DEBUG [NegotiationAuthenticator] Header - null
16:38:04,763 DEBUG [NegotiationAuthenticator] No Authorization Header, sending 401
16:38:13,435 DEBUG [NegotiationAuthenticator] Header - Negotiate YIICYgYGKwYBBQUCoIICVjCCAlKgHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKiggItBIICKWCCAiUGCSqGSIb3EgECAgEAboICFDCCAhCgAwIBBaEDAgEOogcDBQAAAAAAo4IBJGGCASAwggEcoAMCAQWhEBsOSU5GT1JTRU5TRS5ORVSiKTAnoAMCAQOhIDAeGwRIVFRQGxZwY2hldW5nLmluZm9yc2Vuc2UubmV0o4HXMIHUoAMCARChAwIBA6KBxwSBxMN0tXxozo4FZAAj8ls+xYdEieWKovPbZpH3KbkuEUVzVmzVMCr6xk4I1n4q/vg4YgEP067G7tWWKpDo1p2e3yQBjfTdFwH/7G8fEoVDlLi2bkzzYdh4laxKfOSyeQTfypzYQ86DoO1QEWecYZtS1gGdn04kQRwtIDhAtA5DUFHyxX5b4XcsvIqdXM/f6ADlsh/gYRIp/GXHDxl04Y350uMmCwrhyEvaexZ87clNYtGmzedRz6SjGu9nPn+j2by21dXU6OykgdIwgc+gAwIBEKKBxwSBxPqz5XPUcOIPpVFWPhIgdPLQ/U/MR2voZzLqvNSLQiUB3hCtHKYjN7JElbp2rYfP19ZIxG3OiOrJfZxXAnnKVTFzcg6KBISc+mtcfdbhT8XW5rcZg436yXkodYLHKeZMmryzljKTyB6uuozSwJI/MXf7zw/Ilw4O9oGqBRKLqBsL7TUL/psHKz58mHyW1EcgGIn4Ckc8LYIE916lZpn6QQ8aiaVaCSkwECMVjDI6+A2VmZ1jLq5AOQ+iIR9WLr5v7RLrIHM=
16:38:13,498 DEBUG [NegotiationAuthenticator] Creating new NegotiationContext
16:38:13,576 DEBUG [SPNEGO] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@1dae16a
16:38:13,576 DEBUG [JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@104fb34
16:38:13,576 DEBUG [SPNEGO] CachePolicy set to: org.jboss.util.TimedCachePolicy@81371
16:38:13,576 DEBUG [JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@81371
16:38:13,592 DEBUG [JaasSecurityManagerService] Added SPNEGO, org.jboss.security.plugins.SecurityDomainContext@349826 to map
It looks like my user is not authorized to use the JBoss service... argh... I created the keytab file using the command described on this page: http://www.jerkys.org/wiki/display/jerkysORG/Creating+a+Kerberos+Keytab+file+(UNIX)
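The Negotiate header in the log above already carries the cleartext part of the service ticket, so the service principal the client is presenting can be read off the header itself, without Wireshark and without the service key. The following Python script is an added example (it is not code from JBoss, from the poster, or from MIT Kerberos): it base64-decodes the header value, walks the DER by hand (SPNEGO NegTokenInit, then the Kerberos AP-REQ inside its mechToken) and returns the mech list plus the ticket's realm, sname, etype and kvno. The sname is the same field in which Wireshark showed the http/ versus HTTP/ mismatch. The only input is the token copied from the 16:38:13 DEBUG line; the function and helper names are the example's own.

```python
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OIDS = ("1.2.840.113554.1.2.2",   # Kerberos V5 (RFC 1964)
             "1.2.840.48018.1.2.2",    # Microsoft's mis-encoded Kerberos OID
             "1.3.5.1.5.2")            # pre-RFC 1964 Kerberos OID (MIT's gss_mech_krb5_old)

# The token from the 16:38:13 NegotiationAuthenticator DEBUG line above, split for readability.
LOG_TOKEN = ("YIICYgYGKwYBBQUCoIICVjCCAlKgHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKiggItBIICKWCCAiUGCSqGSIb3EgECAgEAboICFDCCAhCgAwIBBaEDAgEOogcDBQAAAAAAo4IBJGGCASAwggEcoAMCAQWhEBsOSU5GT1JTRU5TRS5ORVSiKTAnoAMCAQOhIDAeGwRIVFRQGxZwY2hldW5nLmluZm9yc2Vuc2UubmV0o4HXMIHUoAMCARChAwIBA6KBxwSB"
             "xMN0tXxozo4FZAAj8ls+xYdEieWKovPbZpH3KbkuEUVzVmzVMCr6xk4I1n4q/vg4YgEP067G7tWWKpDo1p2e3yQBjfTdFwH/7G8fEoVDlLi2bkzzYdh4laxKfOSyeQTfypzYQ86DoO1QEWecYZtS1gGdn04kQRwtIDhAtA5DUFHyxX5b4XcsvIqdXM/f6ADlsh/gYRIp/GXHDxl04Y350uMmCwrhyEvaexZ87clNYtGmzedRz6SjGu9nPn+j2by21dXU"
             "6OykgdIwgc+gAwIBEKKBxwSBxPqz"
             "5XPUcOIPpVFWPhIgdPLQ/U/MR2voZzLqvNSLQiUB3hCtHKYjN7JElbp2rYfP19ZIxG3OiOrJfZxXAnnKVTFzcg6KBISc+mtcfdbhT8XW5rcZg436yXkodYLHKeZMmryzljKTyB6uuozSwJI/MXf7zw/Ilw4O9oGqBRKLqBsL7TUL/psHKz58mHyW1EcgGIn4Ckc8LYIE916lZpn6QQ8aiaVaCSkwECMVjDI6+A2VmZ1jLq5AOQ+iIR9WLr5v7RLrIHM=")

def _tlv(buf, pos):  # read one DER TLV at pos -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of token (truncated copy?)")
    return tag, pos, pos + length

def _children(buf, start, end):  # yield (tag, content_start, content_end) for each TLV in [start, end)
    while start < end:
        tag, s, e = _tlv(buf, start)
        yield tag, s, e
        start = e

def _enter(buf, pos, tag):  # require the TLV at pos to carry tag; return its content bounds
    t, s, e = _tlv(buf, pos)
    if t != tag:
        raise ValueError("expected tag 0x%02x at offset %d, got 0x%02x" % (tag, pos, t))
    return s, e

def _oid(data):  # DER OID content bytes -> dotted string
    arcs, val = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_negotiate(header_value):
    """Decode an Authorization: Negotiate value ('Negotiate ' prefix optional) down to
    the ticket's realm, sname, etype and kvno; no service key is needed for any of it."""
    b64 = header_value.split()[-1]
    tok = base64.b64decode(b64 + "=" * (-len(b64) % 4))   # restore padding lost in copy/paste
    out = {}
    # GSS-API InitialContextToken: [APPLICATION 0] { thisMech OID, innerContextToken }
    s, e = _enter(tok, 0, 0x60)
    t, os_, oe = _tlv(tok, s)
    if t != 0x06 or _oid(tok[os_:oe]) != SPNEGO_OID:
        raise ValueError("outer token is not SPNEGO")
    # NegTokenInit ::= [0] SEQUENCE { mechTypes [0], reqFlags [1], mechToken [2], mechListMIC [3] }
    s, e = _enter(tok, _enter(tok, oe, 0xA0)[0], 0x30)
    init = {tag: cs for tag, cs, _ in _children(tok, s, e)}
    ms, me = _enter(tok, init[0xA0], 0x30)
    out["mech_types"] = [_oid(tok[a:b]) for _, a, b in _children(tok, ms, me)]
    if 0xA2 not in init:
        raise ValueError("no mechToken: the client only offered a mech list")
    ms, me = _enter(tok, init[0xA2], 0x04)
    mt = tok[ms:me]
    # Kerberos mechToken: [APPLICATION 0] { krb5 OID, TOK_ID 01 00 (= AP-REQ), AP-REQ }
    s, e = _enter(mt, 0, 0x60)
    t, os_, oe = _tlv(mt, s)
    out["inner_mech"] = _oid(mt[os_:oe])
    if out["inner_mech"] not in KRB5_OIDS or mt[oe:oe + 2] != b"\x01\x00":
        raise ValueError("mechToken is not a Kerberos AP-REQ (NTLM fallback?)")
    # AP-REQ ::= [APPLICATION 14] SEQUENCE { pvno [0], msg-type [1], ap-options [2], ticket [3], authenticator [4] }
    s, e = _enter(mt, _enter(mt, oe + 2, 0x6E)[0], 0x30)
    apreq = {tag: cs for tag, cs, _ in _children(mt, s, e)}
    # Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }
    s, e = _enter(mt, _enter(mt, apreq[0xA3], 0x61)[0], 0x30)
    ticket = {tag: cs for tag, cs, _ in _children(mt, s, e)}
    rs, re_ = _enter(mt, ticket[0xA1], 0x1B)               # realm: KerberosString (GeneralString)
    out["realm"] = mt[rs:re_].decode("ascii")
    ps, pe = _enter(mt, ticket[0xA2], 0x30)                # sname: PrincipalName { name-type [0], name-string [1] }
    names = {tag: cs for tag, cs, _ in _children(mt, ps, pe)}
    ls, le = _enter(mt, names[0xA1], 0x30)
    out["sname"] = "/".join(mt[x:y].decode("ascii") for _, x, y in _children(mt, ls, le))
    es, ee = _enter(mt, ticket[0xA3], 0x30)                # enc-part: EncryptedData { etype [0], kvno [1], cipher [2] }
    enc = {tag: cs for tag, cs, _ in _children(mt, es, ee)}
    for key, tag in (("etype", 0xA0), ("kvno", 0xA1)):     # kvno is OPTIONAL in EncryptedData
        if tag in enc:
            vs, ve = _enter(mt, enc[tag], 0x02)
            out[key] = int.from_bytes(mt[vs:ve], "big", signed=True)
    out["principal"] = "%s@%s" % (out["sname"], out["realm"])
    return out

if __name__ == "__main__":
    for k, v in parse_negotiate("Negotiate " + LOG_TOKEN).items():
        print("%-11s %s" % (k, v))
```

Run as-is, it reports that the client offered three mechanisms (Kerberos V5, the pre-RFC 1964 Kerberos OID and the Microsoft variant), that the inner token is a Kerberos AP-REQ, and that the ticket was issued for HTTP/pcheung.inforsense.net@INFORSENSE.NET with etype 16 (des3-cbc-sha1) and kvno 3. That principal string has to match a keytab entry character for character, and the etype and kvno have to match too; `klist -k -e /path/to/the.keytab` on the JBoss host lists what the keytab actually contains. A correct principal in the header only shows that the KDC issued the right ticket; it does not show that the server side can decrypt it, which is what the 401 in the log depends on.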
3. Re: JBoss on Windows XP, Kerberos MIT on unix, SPNEGO issue
neoben Feb 18, 2009 12:56 PM (in response to neoben)
OK, it seems to work...
I did not change anything, and the HTTP 401 changed into an HTTP 403. I fixed the roles, and done.
Thanks for your precious help.