2 Replies Latest reply on Aug 26, 2009 12:23 PM by na na

    JBoss Negotiation SPNEGO Problem

    Achim Rutsch Newbie

      Hi All,

      since a week I am trying to configure SSO in JBoss. I tried the User Guide for JBoss Negotiation, a couple of Howtos found by google, and a few more.
      Im a little bit frustrated now and i think im going to change my job. Iceman is a nice job I think.
      Okay seriously:

      I have a win2008 SP2 AD Domain and 2 Win XP SP2 Client.

      AD: pdc.test.net
      Jboss webserver.test.net with jboss-4.2.3.GA

      I add a new User "webserver" to the AD.

      I also done the following commands successful:

      setspn -a HTTP/webserver.test.net
      ktpass -princ HTTP/webserver.test.net@TES.NET -mapuser webserver -pass "Password
      ktab.exe -k c:\webserver.host.keytab -a HTTP/webserver.test.net

      Kinit works on the AD and Webserver Server.

      I look at the User properties for the User "webserver" and the Account Name change into HTTP/webserver.test.net. I also can see that delegation in allowed at the Delegation tab.

      The Webserver:

      The jboss-negotiation-2.0.3.GA.jar is stored in default/lib
      I configured the properties-service.xml, the jboss-service.xml, login.xml

      So if I running the Server and start my Firefox 3.10 or the Ie7 (configured for sso) and click the Basic Negotiation i just get to see is

      "Warning, this is: NTLM Negotiation
      WWW-Authenticate - Negotiate TlRMTVNTUAABAAAAB7IIogQABAAxAAAACQAJACgAAAAFASgKAAAAD1dFQlNFUlZFUlRFU1Q=
      
      NTLM - Negotiate_Message
      Warning, this is NTLM, only SPNEGO is supported!
      Negotiate Flags - (encryption56Bit)(sessionKeyExchange128Bit)(negotiateVersion)(ntlm2)(alwaysSign)(oemWorkstationSupplied)(oemDomainSupplied)(ntlm)(requestTarget)(oem)(unicode)
      
      Jboss:
      
      

      11:55:48,494 INFO [BasicNegotiationServlet] Authorization header received - decoding token.
      11:55:48,509 INFO [NTLMNegotiationServlet] Authorization header received - decoding token.
      11:55:48,509 INFO [NTLMNegotiationServlet] Using existing message.


      If I click on SecurityDomainTest it works. I get a Ticket. So Kerberos works (or not), but its look like i dont get a SPNEGO Ticket.

      With wfetch.exe i get the same Result.
      I tested the Troubleshooting Things list in the Userguide but I did not get more Informations. So any Ideas?

      P.S. I know my english isn t perfekt.