Hello, My full story with FreeIPA and jboss negotiation could be found on my blog: ellis2323.blogspot.com To do short: - i have installed to VM with Fedora Core 10 - i have installed FreeIPA on the first - i have installed a server on the second Kerberos is working. I can use ssh without prompting ssh!!! My goal: build a webservice to browse a filesystem. I have already done it with python with "root" access. Now i want use impersonation with JAAS and Delegation with Kerberos to use the SSH service to access a filesystem. Now i have installed jboss and jboss-negotiation-toolkit.war (2.0.3GA). But i can't have the third test working. I have search during 3 days but no idea. The message is a checksum error : | 2:20:21,919 INFO [BasicNegotiationServlet] No Authorization Header, sending 401 | 02:20:22,027 INFO [BasicNegotiationServlet] Authorization header received - decoding token. | 02:20:37,558 INFO [STDOUT] Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is /usr/java/jboss/server/default/conf/test.keytab refreshKrb5Config is false principal is host/server1.scigems.org(a)SCIGEMS.ORG tryFirstPass is false useFirstPass is false storePass is false clearPass is false | 02:20:37,582 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG | 02:20:37,583 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP | 02:20:37,583 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org | 02:20:37,585 INFO [STDOUT] >>> KeyTab: load() entry length: 87; type: 18 | 02:20:37,585 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG | 02:20:37,586 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP | 02:20:37,586 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org | 02:20:37,586 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 17 | 02:20:37,587 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG | 02:20:37,588 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP | 02:20:37,588 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org | 02:20:37,588 INFO [STDOUT] >>> KeyTab: load() entry length: 79; type: 16 | 02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG | 02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP | 02:20:37,589 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org | 02:20:37,590 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 23 | 02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG | 02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): HTTP | 02:20:37,590 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org | 02:20:37,591 INFO [STDOUT] >>> KeyTab: load() entry length: 63; type: 1 | 02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG | 02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): host | 02:20:37,591 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org | 02:20:37,593 INFO [STDOUT] >>> KeyTab: load() entry length: 87; type: 18 | 02:20:37,593 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG | 02:20:37,605 INFO [STDOUT] >>> KeyTabInputStream, readName(): host | 02:20:37,605 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org | 02:20:37,606 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 17 | 02:20:37,607 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG | 02:20:37,607 INFO [STDOUT] >>> KeyTabInputStream, readName(): host | 02:20:37,608 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org | 02:20:37,609 INFO [STDOUT] >>> KeyTab: load() entry length: 79; type: 16 | 02:20:37,609 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG | 02:20:37,611 INFO [STDOUT] >>> KeyTabInputStream, readName(): host | 02:20:37,611 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org | 02:20:37,611 INFO [STDOUT] >>> KeyTab: load() entry length: 71; type: 23 | 02:20:37,612 INFO [STDOUT] >>> KeyTabInputStream, readName(): SCIGEMS.ORG | 02:20:37,612 INFO [STDOUT] >>> KeyTabInputStream, readName(): host | 02:20:37,613 INFO [STDOUT] >>> KeyTabInputStream, readName(): server1.scigems.org | 02:20:37,613 INFO [STDOUT] >>> KeyTab: load() entry length: 63; type: 1 | 02:20:37,621 INFO [STDOUT] Added key: 1version: 10 | 02:20:37,623 INFO [STDOUT] Added key: 23version: 10 | 02:20:37,623 INFO [STDOUT] Added key: 16version: 10 | 02:20:37,623 INFO [STDOUT] Added key: 17version: 10 | 02:20:37,624 INFO [STDOUT] Added key: 18version: 10 | 02:20:37,624 INFO [STDOUT] Ordering keys wrt default_tkt_enctypes list | 02:20:37,630 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes | 02:20:37,631 INFO [STDOUT] default etypes for default_tkt_enctypes: | 02:20:37,631 INFO [STDOUT] 3 | 02:20:37,631 INFO [STDOUT] 1 | 02:20:37,632 INFO [STDOUT] 23 | 02:20:37,632 INFO [STDOUT] 16 | 02:20:37,632 INFO [STDOUT] 17 | 02:20:37,633 INFO [STDOUT] 18 | 02:20:37,633 INFO [STDOUT] . | 02:20:37,634 INFO [STDOUT] principal's key obtained from the keytab | 02:20:37,635 INFO [STDOUT] Acquire TGT using AS Exchange | 02:20:37,643 INFO [STDOUT] Using builtin default etypes for default_tkt_enctypes | 02:20:37,645 INFO [STDOUT] default etypes for default_tkt_enctypes: | 02:20:37,646 INFO [STDOUT] 3 | 02:20:37,646 INFO [STDOUT] 1 | 02:20:37,647 INFO [STDOUT] 23 | 02:20:37,648 INFO [STDOUT] 16 | 02:20:37,648 INFO [STDOUT] 17 | 02:20:37,649 INFO [STDOUT] 18 | 02:20:37,650 INFO [STDOUT] . | 02:20:37,650 INFO [STDOUT] >>> KrbAsReq calling createMessage | 02:20:37,650 INFO [STDOUT] >>> KrbAsReq in createMessage | 02:20:37,664 INFO [STDOUT] >>> KrbKdcReq send: kdc=ks.scigems.org UDP:88, timeout=30000, number of retries =3, #bytes=169 | 02:20:37,741 INFO [STDOUT] >>> KDCCommunication: kdc=ks.scigems.org UDP:88, timeout=30000,Attempt =1, #bytes=169 | 02:20:37,753 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=274 | 02:20:37,754 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=274 | 02:20:37,755 INFO [STDOUT] >>> KDCRep: init() encoding tag is 126 req type is 11 | 02:20:37,759 INFO [STDOUT] >>>KRBError: | 02:20:37,760 INFO [STDOUT] cTime is Sun Sep 05 03:53:02 CEST 1976 210736382000 | 02:20:37,760 INFO [STDOUT] sTime is Sun Mar 01 02:20:37 CET 2009 1235870437000 | 02:20:37,760 INFO [STDOUT] suSec is 902837 | 02:20:37,761 INFO [STDOUT] error code is 25 | 02:20:37,763 INFO [STDOUT] error Message is Additional pre-authentication required | 02:20:37,763 INFO [STDOUT] crealm is SCIGEMS.ORG | 02:20:37,764 INFO [STDOUT] cname is host/server1.scigems.org | 02:20:37,764 INFO [STDOUT] realm is SCIGEMS.ORG | 02:20:37,765 INFO [STDOUT] sname is krbtgt/SCIGEMS.ORG | 02:20:37,765 INFO [STDOUT] eData provided. | 02:20:37,765 INFO [STDOUT] msgType is 30 | 02:20:37,767 INFO [STDOUT] >>>Pre-Authentication Data: | 02:20:37,767 INFO [STDOUT] PA-DATA type = 2 | 02:20:37,767 INFO [STDOUT] PA-ENC-TIMESTAMP | 02:20:37,769 INFO [STDOUT] >>>Pre-Authentication Data: | 02:20:37,769 INFO [STDOUT] PA-DATA type = 19 | 02:20:37,770 INFO [STDOUT] PA-ETYPE-INFO2 etype = 18 | 02:20:37,770 INFO [STDOUT] >>>Pre-Authentication Data: | 02:20:37,771 INFO [STDOUT] PA-DATA type = 13 | 02:20:37,771 INFO [STDOUT] KRBError received: NEEDED_PREAUTH | 02:20:37,772 INFO [STDOUT] AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ | 02:20:37,772 INFO [STDOUT] >>>KrbAsReq salt is SCIGEMS.ORGhostserver1.scigems.org | 02:20:37,772 INFO [STDOUT] Pre-Authenticaton: find key for etype = 18 | 02:20:37,774 INFO [STDOUT] AS-REQ: Add PA_ENC_TIMESTAMP now | 02:20:37,775 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType | 02:20:38,016 INFO [STDOUT] >>> KrbAsReq calling createMessage | 02:20:38,017 INFO [STDOUT] >>> KrbAsReq in createMessage | 02:20:38,017 INFO [STDOUT] >>> KrbKdcReq send: kdc=ks.scigems.org UDP:88, timeout=30000, number of retries =3, #bytes=241 | 02:20:38,018 INFO [STDOUT] >>> KDCCommunication: kdc=ks.scigems.org UDP:88, timeout=30000,Attempt =1, #bytes=241 | 02:20:38,027 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=609 | 02:20:38,029 INFO [STDOUT] >>> KrbKdcReq send: #bytes read=609 | 02:20:38,031 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType | 02:20:38,035 INFO [STDOUT] >>> KrbAsRep cons in KrbAsReq.getReply host/server1.scigems.org | 02:20:38,072 INFO [STDOUT] principal is host/server1.scigems.org(a)SCIGEMS.ORG | 02:20:38,073 INFO [STDOUT] EncryptionKey: keyType=1 keyBytes (hex dump)=0000: 16 EA 98 02 F2 C4 51 9E | 02:20:38,074 INFO [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$. | 02:20:38,075 INFO [STDOUT] EncryptionKey: keyType=16 keyBytes (hex dump)=0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g.. | 0010: 64 FB EF 1A 97 45 4A B0 | 02:20:38,075 INFO [STDOUT] EncryptionKey: keyType=17 keyBytes (hex dump)=0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS | 02:20:38,076 INFO [STDOUT] EncryptionKey: keyType=18 keyBytes (hex dump)=0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,. | 0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>. | 02:20:38,115 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org(a)SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=1 keyBytes (hex dump)= | 0000: 16 EA 98 02 F2 C4 51 9E | 02:20:38,122 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org(a)SCIGEMS.ORG to Subject | 02:20:38,123 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org(a)SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=23 keyBytes (hex dump)= | 0000: EE CF CF 55 CD 38 50 00 3E 4E 6A 7A E5 44 24 96 ...U.8P.>Njz.D$. | 02:20:38,125 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org(a)SCIGEMS.ORG to Subject | 02:20:38,126 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org(a)SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=16 keyBytes (hex dump)= | 0000: 68 A7 70 31 31 01 45 3D AB 08 83 F2 20 67 EA 15 h.p11.E=.... g.. | 0010: 64 FB EF 1A 97 45 4A B0 | 02:20:38,126 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org(a)SCIGEMS.ORG to Subject | 02:20:38,127 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org(a)SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=17 keyBytes (hex dump)= | 0000: D8 C3 7C 67 C3 C7 60 60 56 43 31 96 67 3E 4A 53 ...g..``VC1.g>JS | 02:20:38,127 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org(a)SCIGEMS.ORG to Subject | 02:20:38,129 INFO [STDOUT] Added server's keyKerberos Principal host/server1.scigems.org(a)SCIGEMS.ORGKey Version 10key EncryptionKey: keyType=18 keyBytes (hex dump)= | 0000: 7C 7F 21 2C E9 3C 08 E7 8A 8B 36 F3 44 D6 2C 1A ..!,.<....6.D.,. | 0010: 96 16 75 46 62 04 60 22 C8 33 3E CD 15 6C 3E D7 ..uFb.`".3>..l>. | 02:20:38,135 INFO [STDOUT] [Krb5LoginModule] added Krb5Principal host/server1.scigems.org(a)SCIGEMS.ORG to Subject | 02:20:38,136 INFO [STDOUT] Commit Succeeded | 02:20:38,263 INFO [STDOUT] Found key for host/server1.scigems.org(a)SCIGEMS.ORG(18) | 02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org(a)SCIGEMS.ORG(1) | 02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org(a)SCIGEMS.ORG(23) | 02:20:38,264 INFO [STDOUT] Found key for host/server1.scigems.org(a)SCIGEMS.ORG(16) | 02:20:38,265 INFO [STDOUT] Found key for host/server1.scigems.org(a)SCIGEMS.ORG(17) | 02:20:38,296 INFO [STDOUT] Entered Krb5Context.acceptSecContext with state=STATE_NEW | 02:20:38,301 INFO [STDOUT] >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType | 02:20:38,306 ERROR [STDERR] Checksum failed ! | 02:20:38,311 ERROR [SPNEGOLoginModule] Unable to authenticate | GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed) | at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:757) | at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:341) | at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285) | at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:294) | at java.security.AccessController.doPrivileged(Native Method) | at javax.security.auth.Subject.doAs(Subject.java:357) | at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:118) | at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) | at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) | at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) | at java.lang.reflect.Method.invoke(Method.java:616) | at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) | at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) | at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) | at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) | at java.security.AccessController.doPrivileged(Native Method) | at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:695) | at javax.security.auth.login.LoginContext.login(LoginContext.java:594) | at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:552) | at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:486) | at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365) | at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160) | at org.jboss.web.tomcat.security.JBossWebRealm.authenticate(JBossWebRealm.java:384) | at org.jboss.security.negotiation.NegotiationAuthenticator.authenticate(NegotiationAuthenticator.java:127) | at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491) | at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92) | at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126) | at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70) | at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) | at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) | at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) | at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) | at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330) | at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828) | at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601) | at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) | at java.lang.Thread.run(Thread.java:636) | Caused by: KrbException: Checksum failed | at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:102) | at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:94) | at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:176) | at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:278) | at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:145) | at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:103) | at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:740) | ... 36 more | Caused by: java.security.GeneralSecurityException: Checksum failed | at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:446) | at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:269) | at sun.security.krb5.internal.crypto.Aes256.decrypt(Aes256.java:76) | at sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType.decrypt(Aes256CtsHmacSha1EType.java:100) | ... 42 more | 02:20:38,316 INFO [STDOUT] [Krb5LoginModule]: Entering logout | 02:20:38,317 INFO [STDOUT] [Krb5LoginModule]: logged out Subject | View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4213977#... Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&a...