3 Replies Latest reply on Feb 18, 2009 12:56 PM by benjamin coiffe

    JBoss on Windows XP, Kerberos MIT on unix, SPNEGO issue

    benjamin coiffe Newbie


      I am trying to deploy a simple test environment for the JBoss login module supporting SPNEGO authentication (Jboss-negotiation.2.0.3.GA).
      I have installed Kerberos MIT 5 on a debian box and created the realm MYCOMPANY.NET, plus a user and a service principal for jboss.

      The Jboss server is running on my winXP workstation which I log in using a local account. It is accessible at the URL: http://hostname.mycompany.net:15000/. The test security domain on the toolkit works well.

      I installed MIT Kerberos on the same winXP workstation and I use it to get Kerberos tickets. I configured Firefox and changed the following properties:
      - network.auth.use-sspi=false;
      - network.negotiate-auth.gsslib=C:\Program Files\MIT\Kerberos\bin\gssapi32.dll
      - network.negotiate-auth.trusted-uris=.mycompany.net
      With the configuration above, when I try the Basic negotiation servlet, it brings the Kerberos MIT client to the front and prompts for a username and password for the realm MYCOMPANY.NET. But whatever ticket I get back from Kerberos, I get an HTTP 401...
      If I only change network.negotiate-auth.trusted-uris=.mycompany.net and leave everything else on the default value, I get the documented error page for the basic negotiation. I don't understand why my browser does not trust the server...

      Any help appreciated!

        • 1. Re: JBoss on Windows XP, Kerberos MIT on unix, SPNEGO issue
          Darran Lofthouse Master

          I have to say so far this is not a scenario that I have worked with yet, most of my MIT KDC testing was using FreeIPA and only Linux server and client so I have not yet tried a Windows client with a Linux/MIT KDC.

          So far from experience the easiest way to analyse this further would be to use a tool like wireshark to monitor the network traffic between the Windows machine and the Linux/MIT KDC. At the point the web browser decides if it should trust the server it will send a TGS-REQ packet to the KDC and will trust the server if it gets a valid TGS-REP in response - using wireshark will let you double check what is being requested and what any failure message says.

          • 2. Re: JBoss on Windows XP, Kerberos MIT on unix, SPNEGO issue
            benjamin coiffe Newbie

            Excellent, I have the Basic Negotiation working! Wireshark showed that http/hostname.mycompany.net@MYCOMPANY.NET was not correct. It should have been HTTP/hostname.mycompany.net@MYCOMPANY.NET.

            The Secured servlet still does not work though... and this time, Wireshark is not so helpful... Server and client are on the same machine and I see AS-REQ, AS-REP, TGS-REQ, TGS-REP, and nothing else. The web page shows the classic HTTP 401.

            JBoss logs are not very helpful either:

            16:38:04,763 DEBUG [NegotiationAuthenticator] Header - null
            16:38:04,763 DEBUG [NegotiationAuthenticator] No Authorization Header, sending 401
            16:38:13,435 DEBUG [NegotiationAuthenticator] Header - Negotiate YIICYgYGKwYBBQUCoIICVjCCAlKgHzAdBgkqhkiG9xIBAgIGBSsFAQUCBgkqhkiC9xIBAgKiggItBIICKWCCAiUGCSqGSIb3EgECAgEAboICFDCCAhCgAwIBBaEDAgEOogcDBQAAAAAAo4IBJGGCASAwggEcoAMCAQWhEBsOSU5GT1JTRU5TRS5ORVSiKTAnoAMCAQOhIDAeGwRIVFRQGxZwY2hldW5nLmluZm9yc2Vuc2UubmV0o4HXMIHUoAMCARChAwIBA6KBxwSBxMN0tXxozo4FZAAj8ls+xYdEieWKovPbZpH3KbkuEUVzVmzVMCr6xk4I1n4q/vg4YgEP067G7tWWKpDo1p2e3yQBjfTdFwH/7G8fEoVDlLi2bkzzYdh4laxKfOSyeQTfypzYQ86DoO1QEWecYZtS1gGdn04kQRwtIDhAtA5DUFHyxX5b4XcsvIqdXM/f6ADlsh/gYRIp/GXHDxl04Y350uMmCwrhyEvaexZ87clNYtGmzedRz6SjGu9nPn+j2by21dXU6OykgdIwgc+gAwIBEKKBxwSBxPqz5XPUcOIPpVFWPhIgdPLQ/U/MR2voZzLqvNSLQiUB3hCtHKYjN7JElbp2rYfP19ZIxG3OiOrJfZxXAnnKVTFzcg6KBISc+mtcfdbhT8XW5rcZg436yXkodYLHKeZMmryzljKTyB6uuozSwJI/MXf7zw/Ilw4O9oGqBRKLqBsL7TUL/psHKz58mHyW1EcgGIn4Ckc8LYIE916lZpn6QQ8aiaVaCSkwECMVjDI6+A2VmZ1jLq5AOQ+iIR9WLr5v7RLrIHM=
            16:38:13,498 DEBUG [NegotiationAuthenticator] Creating new NegotiationContext
            16:38:13,576 DEBUG [SPNEGO] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@1dae16a
            16:38:13,576 DEBUG [JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@104fb34
            16:38:13,576 DEBUG [SPNEGO] CachePolicy set to: org.jboss.util.TimedCachePolicy@81371
            16:38:13,576 DEBUG [JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@81371
            16:38:13,592 DEBUG [JaasSecurityManagerService] Added SPNEGO, org.jboss.security.plugins.SecurityDomainContext@349826 to map

            It looks like my user is not authorized to use the jboss service...arg... I created the keytab file using the command described in this page: http://www.jerkys.org/wiki/display/jerkysORG/Creating+a+Kerberos+Keytab+file+(UNIX)
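The principal-name mismatch found in the reply above can be caught before deployment by comparing the keytab listing with the name the browser will request. This is an added example, not code from the thread or from JBoss Negotiation; the `klist -k` sample, the keytab path and the function names are constructed, and it assumes the browser uses the URL host as-is (no DNS canonicalisation).

```python
import re
from urllib.parse import urlsplit

# Constructed sample of plain `klist -k` output for the service keytab.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/jboss.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 http/hostname.mycompany.net@MYCOMPANY.NET
   3 host/hostname.mycompany.net@MYCOMPANY.NET
"""

def expected_spn(url, realm):
    """Principal a browser requests for a URL: HTTP/<host>@<REALM>, port dropped."""
    host = urlsplit(url).hostname  # lower-cased by urlsplit, port stripped
    if not host:
        raise ValueError("URL has no host: %r" % url)
    return "HTTP/%s@%s" % (host, realm)

def keytab_principals(klist_output):
    """Extract principals from '<kvno> <principal>' lines; headers are skipped."""
    found = []
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.append(m.group(1))
    return found

def check_keytab(url, realm, klist_output):
    """Return (status, detail) where status is 'ok', 'case-mismatch' or 'missing'."""
    want = expected_spn(url, realm)
    principals = keytab_principals(klist_output)
    if want in principals:
        return "ok", want
    # MIT Kerberos principal names are case-sensitive, so http/ is not HTTP/.
    for p in principals:
        if p.lower() == want.lower():
            return "case-mismatch", "%s in keytab, browser requests %s" % (p, want)
    return "missing", want

if __name__ == "__main__":
    print(check_keytab("http://hostname.mycompany.net:15000/", "MYCOMPANY.NET", SAMPLE_KLIST))
```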

            • 3. Re: JBoss on Windows XP, Kerberos MIT on unix, SPNEGO issue
              benjamin coiffe Newbie

              OK, it seems to work...
              I did not change anything and the HTTP 401 changed into HTTP 403. I fixed the roles and done.
              Thanks for your precious help.
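When the NegotiationAuthenticator log shows a `Negotiate` header but the response is still 401, as in the second reply, it helps to confirm which mechanism the browser actually sent before looking at the server side. The following is an added example, not part of the thread or of JBoss Negotiation: it classifies the header token as SPNEGO, raw Kerberos or NTLM from its leading bytes. The sample headers are constructed and truncated, and the function names are illustrative.

```python
import base64

SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2

def _read_len(buf, i):
    """Decode a DER length starting at buf[i]; return (length, next_index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_negotiate(header_value):
    """Classify the token of an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "malformed"
    if tok.startswith(b"NTLMSSP\x00"):
        return "ntlm"   # typically means no Kerberos service ticket was obtained
    try:
        if len(tok) < 2 or tok[0] != 0x60:  # GSS-API token: [APPLICATION 0]
            return "unknown"
        _, i = _read_len(tok, 1)            # outer length (not validated here)
        if tok[i] != 0x06:                  # mechanism OBJECT IDENTIFIER
            return "unknown"
        oid_len, i = _read_len(tok, i + 1)
        oid = tok[i:i + oid_len]
    except (ValueError, IndexError):
        return "malformed"
    return {SPNEGO_OID: "spnego", KRB5_OID: "kerberos"}.get(oid, "unknown")

def sample_header(body):
    """Build a constructed header value from raw token bytes."""
    return "Negotiate " + base64.b64encode(body).decode()

# Constructed, truncated samples (only the leading bytes matter here).
SAMPLE_SPNEGO = sample_header(b"\x60\x82\x02\x62\x06\x06" + SPNEGO_OID + b"\xa0\x82\x02\x56")
SAMPLE_NTLM = sample_header(b"NTLMSSP\x00\x01\x00\x00\x00")

if __name__ == "__main__":
    print(classify_negotiate(SAMPLE_SPNEGO), classify_negotiate(SAMPLE_NTLM))
```

A result of `spnego` or `kerberos` means the client side obtained a ticket and the remaining problem is on the server: keytab, principal name, or, once the status becomes 403, role mapping.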