Hi,

This Kerberos setup is really tricky and unfortunately it is platform dependent. It's hard to say what exactly is causing the issues in your environment, but if you really configured your krb5.conf and kdc.conf to use "rc4-hmac" as suggested in the docs, then it's strange that your ticket is encrypted with DES3 CBC as mentioned in the stack trace. I would suggest dropping the Kerberos DB, deleting the keytab and doing all the steps in the section "SPNEGO Server configuration" from step 5 again (in other words, generate the DB again, create a new keytab and create the users in Kerberos again).

Also, if you have the opportunity to test on different platforms/environments with different Kerberos versions and also with different JDK versions (JDK6, JDK7, JDK8, Oracle vs. OpenJDK etc.), it may help too. Good luck,
Marek
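An added check for the enctype mismatch Marek describes (this is not code from the thread or from GateIn): it parses an MIT keytab offline and reports whether the keytab holds a key for the service principal in the enctype the ticket was encrypted with, which is exactly what fails when the server reports a decryption key "of type NULL". The principal HTTP/server.local.network@local.network and the all-zero key are constructed for the sample; on a real host `klist -k -e` shows the same principal/kvno/enctype information.

```python
import struct

# Enctype numbers from RFC 3961/RFC 4757; the stack trace above names DES3 CBC/SHA1-KD, number 16.
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
def _counted(buf, off):
    """Counted octet string (uint16 big-endian length + bytes); returns (text, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """(principal, kvno, enctype name) for each live entry of a version-2 MIT keytab; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                            # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp)
        vno8 = data[off + 8]                    # after name_type and timestamp (4 bytes each)
        etype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13 + klen                        # step over the key material without reading it
        kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, ENCTYPE_NAMES.get(etype, str(etype))))
        off = end
    return entries

def can_decrypt(data, principal, ticket_enctype):
    """False is the 'decryption key is of type NULL' case: no key for this principal and enctype."""
    return any(p == principal and e == ticket_enctype for p, _, e in parse_keytab(data))

# Constructed sample keytab holding only an rc4-hmac key (dummy all-zero key, not real key material).
def _cstr(s):
    return struct.pack(">H", len(s.encode())) + s.encode()
def _entry(principal, kvno, etype, klen):
    name, realm = principal.rsplit("@", 1)
    body = struct.pack(">H", name.count("/") + 1) + _cstr(realm) + b"".join(_cstr(c) for c in name.split("/"))
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type KRB5_NT_PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">HH", etype, klen) + b"\x00" * klen + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
SAMPLE_KEYTAB = b"\x05\x02" + _entry("HTTP/server.local.network@local.network", 3, 23, 16)
```

With the sample keytab, a ticket encrypted with des3-cbc-sha1 cannot be decrypted, which matches the failure in the thread; regenerating the keytab with the same enctypes the KDC issues (or adding a DES3 key) makes the check pass.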

On 24.4.2014 08:47, Tuyen The Nguyen wrote:
Hi all,

I am trying to configure SPNEGO SSO for the GateIn 3.7 JBoss packaging; I followed the guideline at https://docs.jboss.org/author/display/GTNPORTAL37/SPNEGO

- After installing Kerberos, general authentication seems to work; I logged in as root successfully, with this result:
  exo@exo:~$ kinit -A root
  Password for root@local.network
  exo@exo:~$ klist
  Ticket cache: FILE:/tmp/krb5cc_1000
  Default principal: root@local.network

  Valid starting       Expires              Service principal
  24/04/2014 10:54:41  24/04/2014 20:54:41  krbtgt/local.network@local.network
 renew until 25/04/2014 10:54:36

- Then I configured Firefox and GateIn as in the guideline, but when I access GateIn and click login, the authentication fails and I see this error in the console:

10:09:30,648 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-server.local.network-192.168.56.101-8080-1) Login failure: javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES3 CBC mode with SHA1-KD but decryption key is of type NULL)
at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:163) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_21]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_21]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_21]
at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_21]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_21]
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_21]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_21]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_21]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_21]
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_21]
at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_21]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
at org.gatein.sso.spnego.GateInNegotiationAuthenticator.authenticate(GateInNegotiationAuthenticator.java:56) [spnego-1.4.0.Final.jar:1.4.0.Final]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.4.0.Final.jar:1.4.0.Final]
at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:94) [exo.portal.component.web.security-jboss-3.7.1.Final-SNAPSHOT.jar:3.7.1.Final-SNAPSHOT]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21]

I tried to find a solution with Google and there are some topics in the JBoss forum, https://community.jboss.org/thread/204614 and https://community.jboss.org/thread/204876?tstart=0; they recommend using Java 7, but when I switch to Java 7 (jdk 1.7.0_21) I still see the same error.

I'm deploying GateIn on Ubuntu 13.04 and Java 7 (jdk 1.7.0_21).

Does anyone have an idea for fixing my problem?

Thanks!

TuyenNT.


_______________________________________________
gatein-dev mailing list
gatein-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/gatein-dev