2 Replies Latest reply on Mar 13, 2009 6:34 PM by ellis2323

Error 401 in jboss Negotiation war for the secured test

ellis2323 Feb 28, 2009 8:48 PM

Hello,

My full story with FreeIPA and jboss negotiation could be found on my blog: ellis2323.blogspot.com

To do short:
- i have installed to VM with Fedora Core 10
- i have installed FreeIPA on the first
- i have installed a server on the second

Kerberos is working. I can use ssh without prompting ssh!!!

My goal: build a webservice to browse a filesystem. I have already done it with python with "root" access. Now i want use impersonation with JAAS and Delegation with Kerberos to use the SSH service to access a filesystem.

Now i have installed jboss and jboss-negotiation-toolkit.war (2.0.3GA).
But i can't have the third test working. I have search during 3 days but
no idea. The message is a checksum error :

2:20:21,919 INFO [BasicNegotiationServlet] No Authorization Header, sending 401
02:20:22,027 INFO [BasicNegotiationServlet] Authorization header received - decoding token.
02:20:37,558 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/java/jboss/server/default/conf/test.keytab refreshKrb5Config is false principal is host/server1.scigems.org@SCIGEMS.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false
02:20:37,582 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
02:20:37,583 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
02:20:37,583 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
02:20:37,585 INFO [STDOUT] >>> KeyTab: load() entry length: 87; type: 18
02:20:37,585 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
02:20:37,586 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
02:20:37,586 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
02:20:37,586 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 17
02:20:37,587 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
02:20:37,588 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
02:20:37,588 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
02:20:37,588 INFO [STDOUT] >>> KeyTab: load() entry length: 79; type: 16
02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
02:20:37,590 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 23
02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP
02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
02:20:37,591 INFO [STDOUT] >>> KeyTab: load() entry length: 63; type: 1
02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
02:20:37,593 INFO [STDOUT] >>> KeyTab: load() entry length: 87; type: 18
02:20:37,593 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
02:20:37,605 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
02:20:37,605 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
02:20:37,606 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 17
02:20:37,607 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
02:20:37,607 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
02:20:37,608 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
02:20:37,609 INFO [STDOUT] >>> KeyTab: load() entry length: 79; type: 16
02:20:37,609 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
02:20:37,611 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
02:20:37,611 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
02:20:37,611 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 23
02:20:37,612 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG
02:20:37,612 INFO [STDOUT] >>> KeyTabInputStream, readName(): host
02:20:37,613 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org
02:20:37,613 INFO [STDOUT] >>> KeyTab: load() entry length: 63; type: 1
02:20:37,621 INFO [STDOUT] Added key: 1version: 10
02:20:37,623 INFO [STDOUT] Added key: 23version: 10
02:20:37,623 INFO [STDOUT] Added key: 16version: 10
02:20:37,623 INFO [STDOUT] Added key: 17version: 10
02:20:37,624 INFO [STDOUT] Added key: 18version: 10
02:20:37,624 INFO [STDOUT] Ordering keys wrt default_tkt_enctypes list
02:20:37,630 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes
02:20:37,631 INFO [STDOUT] default etypes for default_tkt_enctypes:
02:20:37,631 INFO [STDOUT] 3
02:20:37,631 INFO [STDOUT] 1
02:20:37,632 INFO [STDOUT] 23
02:20:37,632 INFO [STDOUT] 16
02:20:37,632 INFO [STDOUT] 17
02:20:37,633 INFO [STDOUT] 18
02:20:37,633 INFO [STDOUT] .
02:20:37,634 INFO [STDOUT] principal's key obtained from the keytab
02:20:37,635 INFO [STDOUT] Acquire TGT using AS Exchange
02:20:37,643 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes
02:20:37,645 INFO [STDOUT] default etypes for default_tkt_enctypes:
02:20:37,646 INFO [STDOUT] 3
02:20:37,646 INFO [STDOUT] 1
02:20:37,647 INFO [STDOUT] 23
02:20:37,648 INFO [STDOUT] 16
02:20:37,648 INFO [STDOUT] 17
02:20:37,649 INFO [STDOUT] 18
02:20:37,650 INFO [STDOUT] .
02:20:37,650 INFO [STDOUT] >>> KrbAsReq calling createMessage
02:20:37,650 INFO [STDOUT] >>> KrbAsReq in createMessage
02:20:37,664 INFO [STDOUT] >>> KrbKdcReq send: kdc=ks.scigems.org UDP:88, timeout=30000, number of retries =3, #bytes=169
02:20:37,741 INFO [STDOUT] >>> KDCCommunication: kdc=ks.scigems.org UDP:88, timeout=30000,Attempt =1, #bytes=169
02:20:37,753 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=274
02:20:37,754 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=274
02:20:37,755 INFO [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11
02:20:37,759 INFO [STDOUT] >>>KRBError:
02:20:37,760 INFO [STDOUT] cTime is Sun Sep 05 03:53:02 CEST 1976 210736382000
02:20:37,760 INFO [STDOUT] sTime is Sun Mar 01 02:20:37 CET 2009 1235870437000
02:20:37,760 INFO [STDOUT] suSec is 902837
02:20:37,761 INFO [STDOUT] error code is 25
02:20:37,763 INFO [STDOUT] error Message is Additional pre-authentication required
02:20:37,763 INFO [STDOUT] crealm is SCIGEMS.ORG
02:20:37,764 INFO [STDOUT] cname is host/server1.scigems.org
02:20:37,764 INFO [STDOUT] realm is SCIGEMS.ORG
02:20:37,765 INFO [STDOUT] sname is krbtgt/SCIGEMS.ORG
02:20:37,765 INFO [STDOUT] eData provided.
02:20:37,765 INFO [STDOUT] msgType is 30
02:20:37,767 INFO [STDOUT] >>>Pre-Authentication Data:
02:20:37,767 INFO [STDOUT] PA-DATA type = 2
02:20:37,767 INFO [STDOUT] PA-ENC-TIMESTAMP
02:20:37,769 INFO [STDOUT] >>>Pre-Authentication Data:
02:20:37,769 INFO [STDOUT] PA-DATA type = 19
02:20:37,770 INFO [STDOUT] PA-ETYPE-INFO2 etype = 18
02:20:37,770 INFO [STDOUT] >>>Pre-Authentication Data:
02:20:37,771 INFO [STDOUT] PA-DATA type = 13
02:20:37,771 INFO [STDOUT] KRBError received: NEEDED_PREAUTH
02:20:37,772 INFO [STDOUT] AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
02:20:37,772 INFO [STDOUT] >>>KrbAsReq salt is SCIGEMS.ORGhostserver1.scigems.org
02:20:37,772 INFO [STDOUT] Pre-Authenticaton: find key for etype = 18
02:20:37,774 INFO [STDOUT] AS-REQ: Add PA_ENC_TIMESTAMP now
02:20:37,775 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
02:20:38,016 INFO [STDOUT] >>> KrbAsReq calling createMessage
02:20:38,017 INFO [STDOUT] >>> KrbAsReq in createMessage
02:20:38,017 INFO [STDOUT] >>> KrbKdcReq send: kdc=ks.scigems.org UDP:88, timeout=30000, number of retries =3, #bytes=241
02:20:38,018 INFO [STDOUT] >>> KDCCommunication: kdc=ks.scigems.org UDP:88, timeout=30000,Attempt =1, #bytes=241
02:20:38,027 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=609
02:20:38,029 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=609
02:20:38,031 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
02:20:38,035 INFO [STDOUT] >>> KrbAsRep cons in KrbAsReq.getReply host/server1.scigems.org
02:20:38,072 INFO [STDOUT] principal is host/server1.scigems.org@SCIGEMS.ORG
02:20:38,073 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 16 EA 98 02 F2 C4 51 9E
02:20:38,074 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$.
02:20:38,075 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g..
0010: 64 FB EF 1A 97 45 4A B0
02:20:38,075 INFO [STDOUT] EncryptionKey: keyType=17 keyBytes (hex dump)=0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS
02:20:38,076 INFO [STDOUT] EncryptionKey: keyType=18 keyBytes (hex dump)=0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,.
0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>.
02:20:38,115 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 16 EA 98 02 F2 C4 51 9E
02:20:38,122 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
02:20:38,123 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$.
02:20:38,125 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
02:20:38,126 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g..
0010: 64 FB EF 1A 97 45 4A B0
02:20:38,126 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
02:20:38,127 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS
02:20:38,127 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
02:20:38,129 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=18 keyBytes (hex dump)=
0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,.
0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>.
02:20:38,135 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
02:20:38,136 INFO [STDOUT] Commit Succeeded
02:20:38,263 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(18)
02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(1)
02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(23)
02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(16)
02:20:38,265 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(17)
02:20:38,296 INFO [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW
02:20:38,301 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
02:20:38,306 ERROR [STDERR] Checksum failed !
02:20:38,311 ERROR [SPNEGOLoginModule] Unable to authenticate
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
 at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:757)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:341)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
 at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAs(Subject.java:357)
 at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:616)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
 at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
 at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
 at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
 at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
 at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
 at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
 at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
 at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
 at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
 at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
 at java.lang.Thread.run(Thread.java:636)
Caused by: KrbException: Checksum failed
 at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102)
 at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94)
 at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:176)
 at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
 at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:145)
 at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:103)
 at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:740)
 ... 36 more
Caused by: java.security.GeneralSecurityException: Checksum failed
 at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:446)
 at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:269)
 at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76)
 at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100)
 ... 42 more
02:20:38,316 INFO [STDOUT] [Krb5LoginModule]: Entering logout
02:20:38,317 INFO [STDOUT] [Krb5LoginModule]: logged out Subject

1. Re: Error 401 in jboss Negotiation war for the secured test

ellis2323 Mar 1, 2009 11:30 AM (in response to ellis2323)

i have changed my krb5.conf with :

[libdefaults]
 default_realm = SCIGEMS.ORG
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes
 default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
 permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1

But this isn't better.

17:25:45,212 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=1 keyBytes (hex dump)=
0000: 16 EA 98 02 F2 C4 51 9E
17:25:45,212 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
17:25:45,212 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=23 keyBytes (hex dump)=
0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$.
17:25:45,213 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
17:25:45,213 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=16 keyBytes (hex dump)=
0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g..
0010: 64 FB EF 1A 97 45 4A B0
17:25:45,213 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
17:25:45,213 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=17 keyBytes (hex dump)=
0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS
17:25:45,213 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
17:25:45,214 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org@SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=18 keyBytes (hex dump)=
0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,.
0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>.
17:25:45,216 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org@SCIGEMS.ORG to Subject
17:25:45,217 INFO [STDOUT] Commit Succeeded
17:25:45,282 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(18)
17:25:45,282 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(1)
17:25:45,283 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(23)
17:25:45,283 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(16)
17:25:45,284 INFO [STDOUT] Found key for host/server1.scigems.org@SCIGEMS.ORG(17)
17:25:45,286 INFO [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW
17:25:45,291 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType
17:25:45,294 ERROR [SPNEGOLoginModule] Unable to authenticate
GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
 at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:757)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:341)
 at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
 at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.Subject.doAs(Subject.java:357)
 at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:616)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:594)
 at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552)
 at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486)
 at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
 at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
 at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384)
 at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
 at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
 at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
 at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
 at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828)
 at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
 at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
 at java.lang.Thread.run(Thread.java:636)
Caused by: KrbException: Checksum failed
 at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:96)
 at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:88)
 at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:176)
 at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278)
 at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:145)
 at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:103)
 at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:740)
 ... 36 more
Caused by: java.security.GeneralSecurityException: Checksum failed
 at sun.security.krb5.internal.crypto.dk.DkCrypto.decrypt(DkCrypto.java:362)
 at sun.security.krb5.internal.crypto.Des3.decrypt(Des3.java:79)
 at sun.security.krb5.internal.crypto.Des3CbcHmacSha1KdEType.decrypt(Des3CbcHmacSha1KdEType.java:94)
 ... 42 more
17:25:45,298 INFO [STDOUT] [Krb5LoginModule]: Entering logout
17:25:45,298 INFO [STDOUT] [Krb5LoginModule]: logged out Subject

2. Re: Error 401 in jboss Negotiation war for the secured test

ellis2323 Mar 13, 2009 6:34 PM (in response to ellis2323)

Solved.

It was a mistake in my kerberos configuration. The encoding algorithms defined in krb5.conf on the kerberos server must be present in the krb5.conf on the client. Otherwise, Jboss (or Glashfish) used aes256 as default encoding.

Ellis
Actions

Go to original post