I have carefully read the manual (User Guide for JBoss Negotiation) and set up the test network for using SPNEGO: - 1st host - Windows 2003 Adv Server (Active Directory and DNS) - 2nd host - Windows 2003 Adv Server (jboss-4.2.2.GA with all needed modules and negotiation toolkit) - 3rd host Windows XP (just for accessing from browser) Then I tried to run Negotiation Toolkit. Results: - Basic Negotiation - passed - Security Domain Test - passed - Secured - failed Could you explain me what is the problem ? Thanks in advance! The stack trace on the JBoss was: | 2008-08-01 16:41:52,621 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Logged in 'host' Login | Context | 2008-08-01 16:41:52,621 INFO [STDOUT] [Krb5LoginModule]: Entering logout | 2008-08-01 16:41:52,636 INFO [STDOUT] [Krb5LoginModule]: logged out Subject | 2008-08-01 16:41:52,636 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[] | 2008-08-01 16:41:52,636 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[Ad | ministrator(a)MYDOMAIN.COM] | 2008-08-01 16:41:52,636 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] authenticated princi | pal = null | 2008-08-01 16:41:52,652 INFO [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] Header - Negotiate o | YIJszCCCa+iggmrBIIJp2CCCaMGCSqGSIb3EgECAgEAboIJkjCCCY6gAwIBBaEDAgEOogcDBQAgAAAAo4IDzWGCA8kwggPFoAMCAQWhDhsMTVl | ET01BSU4uQ09NoiowKKADAgECoSEwHxsESFRUUBsXdGVzdHNlcnZlci5teWRvbWFpbi5jb22jggOAMIIDfKADAgEXoQMCAQOiggNuBIIDao5og | | | 2008-08-01 16:41:52,775 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] serverSecurityDomain=h | ost | 2008-08-01 16:41:52,775 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotP | rompt true ticketCache is null isInitiator true KeyTab is C:/testserver.host.keytab refreshKrb5Config is false | principal is host/testserver(a)MYDOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clea | rPass is false | 2008-08-01 16:41:52,791 INFO [STDOUT] principal's key obtained from the keytab | 2008-08-01 16:41:52,806 INFO [STDOUT] Acquire TGT using AS Exchange | 2008-08-01 16:41:52,806 INFO [STDOUT] principal is host/testserver(a)MYDOMAIN.COM | 2008-08-01 16:41:52,822 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 83 B4 91 86 A1 5A E | 7 91 F1 1B B0 29 FB 59 A2 06 .....Z.....).Y.. | 2008-08-01 16:41:52,822 INFO [STDOUT] Added server's keyKerberos Principal host/testserver(a)MYDOMAIN.COMKey Ve | rsion 4key EncryptionKey: keyType=23 keyBytes (hex dump)= | 0000: 83 B4 91 86 A1 5A E7 91 F1 1B B0 29 FB 59 A2 06 .....Z.....).Y.. | 2008-08-01 16:41:52,837 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/testserver@MYDOMAI | N.COM to Subject | 2008-08-01 16:41:52,837 INFO [STDOUT] Commit Succeeded | 2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Subject = Subject: | Principal: host/testserver(a)MYDOMAIN.COM | Private Credential: Ticket (hex) = | | | | 0000: 61 82 01 0B 30 82 01 07 A0 03 02 01 05 A1 0E 1B a...0........... | 0010: 0C 4D 59 44 4F 4D 41 49 4E 2E 43 4F 4D A2 21 30 .MYDOMAIN.COM.!0 | 0020: 1F A0 03 02 01 02 A1 18 30 16 1B 06 6B 72 62 74 ........0...krbt | 0030: 67 74 1B 0C 4D 59 44 4F 4D 41 49 4E 2E 43 4F 4D gt..MYDOMAIN.COM | 0040: A3 81 CC 30 81 C9 A0 03 02 01 17 A1 03 02 01 02 ...0............ | 0050: A2 81 BC 04 81 B9 83 9F 30 17 16 3D 68 C8 99 0D ........0..=h... | 0060: 70 5F 7B F4 6A BD 6D 1E B5 F5 2F 44 18 9C 98 1C p_..j.m.../D.... | 0070: B5 98 C0 52 60 82 0B 22 67 38 19 CB B9 C4 C6 98 ...R`.."g8...... | 0080: 2C D9 E5 3B ED 55 ED 13 AB 45 43 1C D7 D4 1D AC ,..;.U...EC..... | 0090: 9D B8 61 7B 97 BD F4 29 0A F5 8E D4 ED BA B2 7C ..a....)........ | 00A0: FC 34 36 15 52 19 AE A8 64 7D 91 36 53 0F 93 98 .46.R...d..6S... | 00B0: DA 48 18 FA 83 0A 22 15 97 34 37 41 8A F7 6F 47 .H...."..47A..oG | 00C0: 1E D0 22 F2 B4 5F 0D 79 51 93 DD 42 33 96 0E 67 ..".._.yQ..B3..g | 00D0: 5F 8B B2 6E 87 0E 6A 9F 50 42 A1 4E 7F 85 3B 9C _..n..j.PB.N..;. | 00E0: 4D 01 94 A5 10 34 D8 1B A4 53 9A 5A 46 6A 85 91 M....4...S.ZFj.. | 00F0: 97 81 E6 F5 1B 62 C2 8D 8B 38 60 00 17 47 D9 00 .....b...8`..G.. | 0100: 4D AD D5 D4 48 95 A4 93 C0 3E DB 7D 6A 9B 4E M...H....>..j.N | | Client Principal = host/testserver(a)MYDOMAIN.COM | Server Principal = krbtgt/MYDOMAIN.COM(a)MYDOMAIN.COM | Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)= | 0000: 92 C3 CB F8 67 D8 31 B9 FE E8 68 7A 0C E7 67 74 ....g.1...hz..gt | | | Forwardable Ticket false | Forwarded Ticket false | Proxiable Ticket false | Proxy Ticket false | Postdated Ticket false | Renewable Ticket false | Initial Ticket false | Auth Time = Fri Aug 01 16:42:01 EEST 2008 | Start Time = Fri Aug 01 16:42:01 EEST 2008 | End Time = Sat Aug 02 02:42:01 EEST 2008 | Renew Till = null | Client Addresses Null | Private Credential: Kerberos Principal host/testserver(a)MYDOMAIN.COMKey Version 4key EncryptionKey: key | Type=23 keyBytes (hex dump)= | 0000: 83 B4 91 86 A1 5A E7 91 F1 1B B0 29 FB 59 A2 06 .....Z.....).Y.. | | | 2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Logged in 'host' Login | Context | 2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Creating new GSSContex | t. | 2008-08-01 16:41:52,868 ERROR [STDERR] Checksum failed ! | 2008-08-01 16:41:52,868 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Unable to authenticate | GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) | at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741) | at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323) | at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267) | at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java | :295) | at java.security.AccessController.doPrivileged(Native Method) | at javax.security.auth.Subject.doAs(Subject.java:337) | at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:113) | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) | at java.lang.reflect.Method.invoke(Method.java:597) | at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) | at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) | at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) | at java.security.AccessController.doPrivileged(Native Method) | at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) | at javax.security.auth.login.LoginContext.login(LoginContext.java:579) | at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603) | at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537) | at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344) | at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491) | at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103 | ) | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) | at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84) | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) | at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262) | at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844) | at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583) | at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446) | at java.lang.Thread.run(Thread.java:619) | Caused by: KrbException: Checksum failed | at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85) | at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77) | at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168) | at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267) | at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134) | at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79) | at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724) | ... 32 more | Caused by: java.security.GeneralSecurityException: Checksum failed | at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388) | at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74) | at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83) | ... 38 more | 2008-08-01 16:41:53,038 INFO [STDOUT] [Krb5LoginModule]: Entering logout | 2008-08-01 16:41:53,038 INFO [STDOUT] [Krb5LoginModule]: logged out Subject | 2008-08-01 16:41:53,038 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[] | 2008-08-01 16:41:53,053 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[Ad | ministrator(a)MYDOMAIN.COM] | 2008-08-01 16:41:53,053 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] authenticated princi | pal = null | 2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.arjuna.logging.arjLogger] Periodic recovery - first pass <Fri, 1 | Aug 2008 16:42:48> | 2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.arjuna.logging.arjLogger] StatusModule: first pass | 2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.txoj.logging.txojLoggerI18N] [com.arjuna.ats.internal.txoj.recov | ery.TORecoveryModule_3] - TORecoveryModule - first pass | View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4168214#... Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...