Hi,
this Kerberos setup is really tricky and unfortunately the setup is
platform dependent. Hard to say what exactly is causing issues in your
env, but if you really configure your krb5.conf and kdc.conf to use
"rc4-hmac" as suggested in docs, then it's strange that your ticket is
encrypted with DES3 CBC as mentioned in the stacktrace. I would suggest
dropping the Kerberos DB, deleting the keytab and doing all the steps in
section "SPNEGO Server configuration" from step 5 again (in other words,
generate the DB again, create a new keytab and create users in Kerberos again).
Also if you have the opportunity to test on different platforms/envs with
different Kerberos versions and also with different JDK versions (JDK6,
JDK7, JDK8, Oracle vs. OpenJDK etc), it may help too. Good luck,
Marek
On 24.4.2014 08:47, Tuyen The Nguyen wrote:
Hi all,
I am trying to configure SPNEGO SSO for GateIn 3.7 JBoss packaging,
following the guideline at
https://docs.jboss.org/author/display/GTNPORTAL37/SPNEGO
- After installing Kerberos, the general authentication seems to work;
I logged in with root successfully, the result:
exo@exo:~$ kinit -A root
Password for root@local.network:
exo@exo:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: root@local.network

Valid starting       Expires              Service principal
24/04/2014 10:54:41  24/04/2014 20:54:41  krbtgt/local.network@local.network
        renew until 25/04/2014 10:54:36
- Then I configured Firefox and GateIn as per the guideline, but when I access
GateIn and click to log in, the authentication fails and I see this
error in the console:
10:09:30,648 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http-server.local.network-192.168.56.101-8080-1) Login failure: javax.security.auth.login.LoginException: Unable to authenticate - Failure unspecified at GSS-API level (Mechanism level: EncryptedData is encrypted using keytype DES3 CBC mode with SHA1-KD but decryption key is of type NULL)
    at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:163) [jboss-negotiation-spnego-2.2.0.SP1.jar:2.2.0.SP1]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_21]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_21]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_21]
    at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_21]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [rt.jar:1.7.0_21]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_21]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_21]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_21]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_21]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) [rt.jar:1.7.0_21]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:594) [rt.jar:1.7.0_21]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
    at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:187) [jboss-negotiation-common-2.2.0.SP1.jar:2.2.0.SP1]
    at org.gatein.sso.spnego.GateInNegotiationAuthenticator.authenticate(GateInNegotiationAuthenticator.java:56) [spnego-1.4.0.Final.jar:1.4.0.Final]
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
    at org.gatein.sso.integration.SSODelegateValve.invoke(SSODelegateValve.java:155) [sso-integration-1.4.0.Final.jar:1.4.0.Final]
    at org.gatein.portal.security.jboss.PortalClusteredSSOSupportValve.invoke(PortalClusteredSSOSupportValve.java:94) [exo.portal.component.web.security-jboss-3.7.1.Final-SNAPSHOT.jar:3.7.1.Final-SNAPSHOT]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
    at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21]
I tried to find a solution with Google and there are some topics in the JBoss
forum,
https://community.jboss.org/thread/204614 and
https://community.jboss.org/thread/204876?tstart=0, they recommend I
use Java 7, but when I switch to Java 7 (jdk 1.7.0_21) I still see
the same error.
I'm deploying GateIn on Ubuntu 13.04 and Java 7 (jdk 1.7.0_21).
Is there any idea for fixing my problem?
Thanks!
TuyenNT.