I have carefully read the manual (User Guide for JBoss Negotiation) and set up the test
network for using SPNEGO:
- 1st host - Windows 2003 Adv Server (Active Directory and DNS)
- 2nd host - Windows 2003 Adv Server (jboss-4.2.2.GA with all needed modules and
negotiation toolkit)
- 3rd host - Windows XP (just for accessing from browser)
Then I tried to run Negotiation Toolkit. Results:
- Basic Negotiation - passed
- Security Domain Test - passed
- Secured - failed
Could you explain to me what the problem is?
Thanks in advance!
The stack trace on the JBoss was:
| 2008-08-01 16:41:52,621 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Logged in 'host' LoginContext
| 2008-08-01 16:41:52,621 INFO [STDOUT] [Krb5LoginModule]: Entering logout
| 2008-08-01 16:41:52,636 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
| 2008-08-01 16:41:52,636 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[]
| 2008-08-01 16:41:52,636 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[Administrator@MYDOMAIN.COM]
| 2008-08-01 16:41:52,636 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] authenticated principal = null
| 2008-08-01 16:41:52,652 INFO [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] Header - Negotiate o
|
YIJszCCCa+iggmrBIIJp2CCCaMGCSqGSIb3EgECAgEAboIJkjCCCY6gAwIBBaEDAgEOogcDBQAgAAAAo4IDzWGCA8kwggPFoAMCAQWhDhsMTVl
|
ET01BSU4uQ09NoiowKKADAgECoSEwHxsESFRUUBsXdGVzdHNlcnZlci5teWRvbWFpbi5jb22jggOAMIIDfKADAgEXoQMCAQOiggNuBIIDao5og
|
|
| 2008-08-01 16:41:52,775 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] serverSecurityDomain=host
| 2008-08-01 16:41:52,775 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/testserver.host.keytab refreshKrb5Config is false principal is host/testserver@MYDOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
| 2008-08-01 16:41:52,791 INFO [STDOUT] principal's key obtained from the keytab
| 2008-08-01 16:41:52,806 INFO [STDOUT] Acquire TGT using AS Exchange
| 2008-08-01 16:41:52,806 INFO [STDOUT] principal is host/testserver@MYDOMAIN.COM
| 2008-08-01 16:41:52,822 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 83 B4 91 86 A1 5A E7 91 F1 1B B0 29 FB 59 A2 06 .....Z.....).Y..
| 2008-08-01 16:41:52,822 INFO [STDOUT] Added server's keyKerberos Principal host/testserver@MYDOMAIN.COMKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
| 0000: 83 B4 91 86 A1 5A E7 91 F1 1B B0 29 FB 59 A2 06 .....Z.....).Y..
| 2008-08-01 16:41:52,837 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/testserver@MYDOMAIN.COM to Subject
| 2008-08-01 16:41:52,837 INFO [STDOUT] Commit Succeeded
| 2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Subject = Subject:
| Principal: host/testserver@MYDOMAIN.COM
| Private Credential: Ticket (hex) =
| Client Principal = host/testserver@MYDOMAIN.COM
| Server Principal = krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
| Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
| 0000: 92 C3 CB F8 67 D8 31 B9 FE E8 68 7A 0C E7 67 74 ....g.1...hz..gt
|
|
| Forwardable Ticket false
| Forwarded Ticket false
| Proxiable Ticket false
| Proxy Ticket false
| Postdated Ticket false
| Renewable Ticket false
| Initial Ticket false
| Auth Time = Fri Aug 01 16:42:01 EEST 2008
| Start Time = Fri Aug 01 16:42:01 EEST 2008
| End Time = Sat Aug 02 02:42:01 EEST 2008
| Renew Till = null
| Client Addresses Null
| Private Credential: Kerberos Principal host/testserver@MYDOMAIN.COMKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
| 0000: 83 B4 91 86 A1 5A E7 91 F1 1B B0 29 FB 59 A2 06 .....Z.....).Y..
|
|
| 2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Logged in 'host' LoginContext
| 2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Creating new GSSContext.
| 2008-08-01 16:41:52,868 ERROR [STDERR] Checksum failed !
| 2008-08-01 16:41:52,868 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Unable to authenticate
| GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
| at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
| at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
| at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
| at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:295)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.Subject.doAs(Subject.java:337)
| at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:113)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:597)
| at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
| at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
| at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
| at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
| at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
| at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
| at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
| at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
| at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
| at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
| at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
| at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
| at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
| at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
| at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
| at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
| at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
| at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
| at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
| at java.lang.Thread.run(Thread.java:619)
| Caused by: KrbException: Checksum failed
| at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
| at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
| at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
| at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
| at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
| at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
| at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
| ... 32 more
| Caused by: java.security.GeneralSecurityException: Checksum failed
| at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
| at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
| at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
| ... 38 more
| 2008-08-01 16:41:53,038 INFO [STDOUT] [Krb5LoginModule]: Entering logout
| 2008-08-01 16:41:53,038 INFO [STDOUT] [Krb5LoginModule]: logged out Subject
| 2008-08-01 16:41:53,038 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[]
| 2008-08-01 16:41:53,053 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[Administrator@MYDOMAIN.COM]
| 2008-08-01 16:41:53,053 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] authenticated principal = null
| 2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.arjuna.logging.arjLogger] Periodic recovery - first pass <Fri, 1 Aug 2008 16:42:48>
| 2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.arjuna.logging.arjLogger] StatusModule: first pass
| 2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.txoj.logging.txojLoggerI18N] [com.arjuna.ats.internal.txoj.recovery.TORecoveryModule_3] - TORecoveryModule - first pass
|