2 Replies Latest reply on Mar 13, 2009 6:34 PM by Laurent Mallet

    Error 401 in jboss Negotiation war for the secured test

    Laurent Mallet Newbie

      Hello,

      My full story with FreeIPA and jboss negotiation could be found on my blog: ellis2323.blogspot.com

      To do short:
      - i have installed to VM with Fedora Core 10
      - i have installed FreeIPA on the first
      - i have installed a server on the second

      Kerberos is working. I can use ssh without prompting ssh!!!

      My goal: build a webservice to browse a filesystem. I have already done it with python with "root" access. Now i want use impersonation with JAAS and Delegation with Kerberos to use the SSH service to access a filesystem.


      Now i have installed jboss and jboss-negotiation-toolkit.war (2.0.3GA).
      But i can't have the third test working. I have search during 3 days but
      no idea. The message is a checksum error :

      2:20:21,919 INFO [BasicNegotiationServlet] No Authorization Header, sending 401
      02:20:22,027 INFO [BasicNegotiationServlet] Authorization header received - decoding token.
      02:20:37,558 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/java/jboss/server/default/conf/test.keytab refreshKrb5Config is false principal is host/server1.scigems.org@SCIGEMS.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
      02:20:37,582 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
      02:20:37,583 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
      02:20:37,583 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
      02:20:37,585 INFO [STDOUT] >>> KeyTab: load() entry length: 87; type: 18
      02:20:37,585 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
      02:20:37,586 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
      02:20:37,586 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
      02:20:37,586 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 17
      02:20:37,587 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
      02:20:37,588 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
      02:20:37,588 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
      02:20:37,588 INFO [STDOUT] >>> KeyTab: load() entry length: 79; type: 16
      02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
      02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
      02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
      02:20:37,590 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 23
      02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
      02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
      02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
      02:20:37,591 INFO [STDOUT] >>> KeyTab: load() entry length: 63; type: 1
      02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
      02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
      02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
      02:20:37,593 INFO [STDOUT] >>> KeyTab: load() entry length: 87; type: 18
      02:20:37,593 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
      02:20:37,605 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
      02:20:37,605 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
      02:20:37,606 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 17
      02:20:37,607 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
      02:20:37,607 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
      02:20:37,608 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
      02:20:37,609 INFO [STDOUT] >>> KeyTab: load() entry length: 79; type: 16
      02:20:37,609 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
      02:20:37,611 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
      02:20:37,611 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
      02:20:37,611 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 23
      02:20:37,612 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
      02:20:37,612 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
      02:20:37,613 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
      02:20:37,613 INFO [STDOUT] >>> KeyTab: load() entry length: 63; type: 1
      02:20:37,621 INFO [STDOUT] Added key: 1version: 10
      02:20:37,623 INFO [STDOUT] Added key: 23version: 10
      02:20:37,623 INFO [STDOUT] Added key: 16version: 10
      02:20:37,623 INFO [STDOUT] Added key: 17version: 10
      02:20:37,624 INFO [STDOUT] Added key: 18version: 10
      02:20:37,624 INFO [STDOUT] Ordering keys wrt default_tkt_enctypes list
      02:20:37,630 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes
      02:20:37,631 INFO [STDOUT] default etypes for default_tkt_enctypes:
      02:20:37,631 INFO [STDOUT] 3
      02:20:37,631 INFO [STDOUT] 1
      02:20:37,632 INFO [STDOUT] 23
      02:20:37,632 INFO [STDOUT] 16
      02:20:37,632 INFO [STDOUT] 17
      02:20:37,633 INFO [STDOUT] 18
      02:20:37,633 INFO [STDOUT] .
      02:20:37,634 INFO [STDOUT] principal's key obtained from the keytab
      02:20:37,635 INFO [STDOUT] Acquire TGT using AS Exchange
      02:20:37,643 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes
      02:20:37,645 INFO [STDOUT] default etypes for default_tkt_enctypes:
      02:20:37,646 INFO [STDOUT] 3
      02:20:37,646 INFO [STDOUT] 1
      02:20:37,647 INFO [STDOUT] 23
      02:20:37,648 INFO [STDOUT] 16
      02:20:37,648 INFO [STDOUT] 17
      02:20:37,649 INFO [STDOUT] 18
      02:20:37,650 INFO [STDOUT] .
      02:20:37,650 INFO [STDOUT] >>> KrbAsReq calling createMessage
      02:20:37,650 INFO [STDOUT] >>> KrbAsReq in createMessage
      02:20:37,664 INFO [STDOUT] >>> KrbKdcReq send: kdc=ks.scigems.org UDP:88, timeout=30000, number of retries =3, #bytes=169
      02:20:37,741 INFO [STDOUT] >>> KDCCommunication: kdc=ks.scigems.org UDP:88, timeout=30000,Attempt =1, #bytes=169
      02:20:37,753 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=274
      02:20:37,754 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=274
      02:20:37,755 INFO [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11
      02:20:37,759 INFO [STDOUT] >>>KRBError:
      02:20:37,760 INFO [STDOUT] cTime is Sun Sep 05 03:53:02 CEST 1976 210736382000
      02:20:37,760 INFO [STDOUT] sTime is Sun Mar 01 02:20:37 CET 2009 1235870437000
      02:20:37,760 INFO [STDOUT] suSec is 902837
      02:20:37,761 INFO [STDOUT] error code is 25
      02:20:37,763 INFO [STDOUT] error Message is Additional pre-authentication required
      02:20:37,763 INFO [STDOUT] crealm is SCIGEMS.ORG
      02:20:37,764 INFO [STDOUT] cname is host/server1.scigems.org
      02:20:37,764 INFO [STDOUT] realm is SCIGEMS.ORG
      02:20:37,765 INFO [STDOUT] sname is krbtgt/SCIGEMS.ORG
      02:20:37,765 INFO [STDOUT] eData provided.
      02:20:37,765 INFO [STDOUT] msgType is 30
      02:20:37,767 INFO [STDOUT] >>>Pre-Authentication Data:
      02:20:37,767 INFO [STDOUT] PA-DATA type = 2
      02:20:37,767 INFO [STDOUT] PA-ENC-TIMESTAMP
      02:20:37,769 INFO [STDOUT] >>>Pre-Authentication Data:
      02:20:37,769 INFO [STDOUT] PA-DATA type = 19
      02:20:37,770 INFO [STDOUT] PA-ETYPE-INFO2 etype = 18
      02:20:37,770 INFO [STDOUT] >>>Pre-Authentication Data:
      02:20:37,771 INFO [STDOUT] PA-DATA type = 13
      02:20:37,771 INFO [STDOUT] KRBError received: NEEDED_PREAUTH
      02:20:37,772 INFO [STDOUT] AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
      02:20:37,772 INFO [STDOUT] >>>KrbAsReq salt is SCIGEMS.ORGhostserver1.scigems.org
      02:20:37,772 INFO [STDOUT] Pre-Authenticaton: find key for etype = 18
      02:20:37,774 INFO [STDOUT] AS-REQ: Add PA_ENC_TIMESTAMP now
      02:20:37,775 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
      02:20:38,016 INFO [STDOUT] >>> KrbAsReq calling createMessage
      02:20:38,017 INFO [STDOUT] >>> KrbAsReq in createMessage
      02:20:38,017 INFO [STDOUT] >>> KrbKdcReq send: kdc=ks.scigems.org UDP:88, timeout=30000, number of retries =3, #bytes=241
      02:20:38,018 INFO [STDOUT] >>> KDCCommunication: kdc=ks.scigems.org UDP:88, timeout=30000,Attempt =1, #bytes=241
      02:20:38,027 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=609
      02:20:38,029 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=609
      02:20:38,031 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
      02:20:38,035 INFO [STDOUT] >>> KrbAsRep cons in KrbAsReq.getReply host/server1.scigems.org
      02:20:38,072 INFO [STDOUT] principal is host/server1.scigems.org@SCIGEMS.ORG
      02:20:38,073 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 16 EA 98 02 F2 C4 51 9E
      02:20:38,074 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$.
      02:20:38,075 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g..
      0010: 64 FB EF 1A 97 45 4A B0
      02:20:38,075 INFO [STDOUT] EncryptionKey: keyType=17 keyBytes (hex dump)=0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS
      02:20:38,076 INFO [STDOUT] EncryptionKey: keyType=18 keyBytes (hex dump)=0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,.
      0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>.
      02:20:38,115 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=1 keyBytes (hex dump)=
      0000: 16 EA 98 02 F2 C4 51 9E
      02:20:38,122 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
      02:20:38,123 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=23 keyBytes (hex dump)=
      0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$.
      02:20:38,125 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
      02:20:38,126 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=16 keyBytes (hex dump)=
      0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g..
      0010: 64 FB EF 1A 97 45 4A B0
      02:20:38,126 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
      02:20:38,127 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=17 keyBytes (hex dump)=
      0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS
      02:20:38,127 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
      02:20:38,129 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=18 keyBytes (hex dump)=
      0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,.
      0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>.
      02:20:38,135 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
      02:20:38,136 INFO [STDOUT] Commit Succeeded
      02:20:38,263 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(18)
      02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(1)
      02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(23)
      02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(16)
      02:20:38,265 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(17)
      02:20:38,296 INFO [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW
      02:20:38,301 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
      02:20:38,306 ERROR [STDERR] Checksum failed !
      02:20:38,311 ERROR [SPNEGOLoginModule] Unable to authenticate
      GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:757)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:341)
       at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
       at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.Subject.doAs(Subject.java:357)
       at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
       at java.lang.reflect.Method.invoke(Method.java:616)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
       at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
       at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
       at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
       at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
       at java.lang.Thread.run(Thread.java:636)
      Caused by: KrbException: Checksum failed
       at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
       at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
       at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:176)
       at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
       at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:145)
       at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:103)
       at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:740)
       ... 36 more
      Caused by: java.security.GeneralSecurityException: Checksum failed
       at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:446)
       at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:269)
       at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
       at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
       ... 42 more
      02:20:38,316 INFO [STDOUT] [Krb5LoginModule]: Entering logout
      02:20:38,317 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
      


        • 1. Re: Error 401 in jboss Negotiation war for the secured test
          Laurent Mallet Newbie

          i have changed my krb5.conf with :

          [libdefaults]
           default_realm = SCIGEMS.ORG
           dns_lookup_realm = true
           dns_lookup_kdc = true
           ticket_lifetime = 24h
           forwardable = yes
           default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
           default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
           permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
          

          But this isn't better.
          17:25:45,212 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=1 keyBytes (hex dump)=
          0000: 16 EA 98 02 F2 C4 51 9E
          17:25:45,212 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
          17:25:45,212 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=23 keyBytes (hex dump)=
          0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$.
          17:25:45,213 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
          17:25:45,213 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=16 keyBytes (hex dump)=
          0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g..
          0010: 64 FB EF 1A 97 45 4A B0
          17:25:45,213 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
          17:25:45,213 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=17 keyBytes (hex dump)=
          0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS
          17:25:45,213 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
          17:25:45,214 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=18 keyBytes (hex dump)=
          0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,.
          0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>.
          17:25:45,216 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
          17:25:45,217 INFO [STDOUT] Commit Succeeded
          17:25:45,282 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(18)
          17:25:45,282 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(1)
          17:25:45,283 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(23)
          17:25:45,283 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(16)
          17:25:45,284 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(17)
          17:25:45,286 INFO [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW
          17:25:45,291 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
          17:25:45,294 ERROR [SPNEGOLoginModule] Unable to authenticate
          GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
           at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:757)
           at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:341)
           at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
           at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.Subject.doAs(Subject.java:357)
           at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
           at java.lang.reflect.Method.invoke(Method.java:616)
           at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
           at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
           at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
           at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
           at java.security.AccessController.doPrivileged(Native Method)
           at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
           at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
           at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
           at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
           at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
           at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
           at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
           at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
           at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
           at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
           at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
           at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
           at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
           at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
           at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
           at java.lang.Thread.run(Thread.java:636)
          Caused by: KrbException: Checksum failed
           at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:96)
           at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:88)
           at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:176)
           at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
           at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:145)
           at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:103)
           at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:740)
           ... 36 more
          Caused by: java.security.GeneralSecurityException: Checksum failed
           at sun.security.krb5.internal.crypto.dk.DkCrypto.decrypt(DkCrypto.java:362)
           at sun.security.krb5.internal.crypto.Des3.decrypt(Des3.java:79)
           at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:94)
           ... 42 more
          17:25:45,298 INFO [STDOUT] [Krb5LoginModule]: Entering logout
          17:25:45,298 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
          


          • 2. Re: Error 401 in jboss Negotiation war for the secured test
            Laurent Mallet Newbie

            Solved.

            It was a mistake in my kerberos configuration. The encoding algorithms defined in krb5.conf on the kerberos server must be present in the krb5.conf on the client. Otherwise, Jboss (or Glashfish) used aes256 as default encoding.

            Ellis