Thanks Bruno.
Neither of these really helped. I've been doing a lot more research and now I believe
the problem is my browser is sending back an NTLM token instead of the Kerberos ticket.
When I run it with Fiddler I see the 401 response from Keycloak with the WWW-Authenticate:
Negotiate header. The next request then sends the Authorization: Negotiate TIRMTVNT.....
I believe this is the NTLM token since it starts with TIRM.
We are using JDK 1.8u31, Windows 2012 on the Keycloak server, Windows 2008 R2 on the
AD server, and Keycloak 2.0.0 Final.
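The distinction Timothy is drawing can be checked mechanically. The following is an added example written for this thread, not code from Keycloak or from either poster: it decodes the value of an Authorization: Negotiate header and reports whether the browser sent a raw NTLM message (which base64-encodes to a string starting with TlRMTVNT, since the message begins with the bytes "NTLMSSP\0") or a GSS-API InitialContextToken (DER application tag 0x60 followed by the mechanism OID, per RFC 2743), which is what Keycloak's sun.security.jgss.GSSHeader parser expects. The sample header values are constructed inline; the SPNEGO and Kerberos payloads are placeholder bytes, not real NegTokenInit or AP-REQ structures.

```python
import base64

# Mechanism OIDs that may follow the GSS-API 0x60 tag (dotted form -> label).
GSS_MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP (GSS-wrapped)",
}


def _der_length(buf, pos):
    """Return (length, position after the length field) for a DER length at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def _decode_oid(body):
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted notation."""
    if not body:
        raise ValueError("empty OID")
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear terminates the arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated OID")
    return ".".join(str(a) for a in arcs)


def classify_negotiate_token(header_value):
    """Return (kind, mechanism_oid) for an Authorization header value.

    kind is "NTLM" for a raw NTLMSSP message, the mechanism name for a
    GSS-API token, or a short diagnostic string for anything else.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return ("not Negotiate", None)
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ("invalid base64", None)
    if raw.startswith(b"NTLMSSP\x00"):
        # This is what a browser sends when it falls back to NTLM; the
        # GSS-API acceptor rejects it because the 0x60 tag is missing.
        return ("NTLM", None)
    if raw[:1] != b"\x60":
        return ("unknown", None)
    try:
        _, pos = _der_length(raw, 1)
        if raw[pos] != 0x06:  # OBJECT IDENTIFIER tag must follow
            return ("unknown", None)
        oid_len, pos = _der_length(raw, pos + 1)
        oid = _decode_oid(raw[pos:pos + oid_len])
    except (ValueError, IndexError):
        return ("malformed GSS header", None)
    return (GSS_MECHS.get(oid, "other GSS mechanism"), oid)


def _gss_token(oid_der, payload):
    """Wrap payload as an InitialContextToken: 0x60 <len> <OID> <payload>."""
    inner = oid_der + payload
    assert len(inner) < 0x80  # short-form length is enough for these samples
    return b"\x60" + bytes([len(inner)]) + inner


SPNEGO_OID_DER = b"\x06\x06\x2b\x06\x01\x05\x05\x02"
KRB5_OID_DER = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"

# Constructed sample header values (not captures from the mailing-list thread).
SAMPLE_NTLM_HEADER = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00\x01\x00\x00\x00" + b"\x00" * 28).decode()
SAMPLE_SPNEGO_HEADER = "Negotiate " + base64.b64encode(
    _gss_token(SPNEGO_OID_DER, b"\xa0\x03\x02\x01\x00")).decode()
SAMPLE_KRB5_HEADER = "Negotiate " + base64.b64encode(
    _gss_token(KRB5_OID_DER, b"\x01\x00placeholder")).decode()

if __name__ == "__main__":
    for name, hdr in [("ntlm", SAMPLE_NTLM_HEADER), ("spnego", SAMPLE_SPNEGO_HEADER),
                      ("krb5", SAMPLE_KRB5_HEADER)]:
        print(name, hdr[:22] + "...", classify_negotiate_token(hdr))
```

Paste the header value captured in Fiddler into classify_negotiate_token to confirm the diagnosis. A result of "NTLM" means the client never obtained or never offered a Kerberos ticket, so the fix lies on the client and SPN side (the browser's zone or Intranet settings and the HTTP/ SPN registered for the server) rather than in Keycloak. A "SPNEGO" result can still carry NTLM inside the NegTokenInit mechToken, so the mechanism list should be inspected further in that case.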
-----Original Message-----
From: Bruno Oliveira [mailto:bruno@abstractj.org]
Sent: Tuesday, September 13, 2016 4:52 PM
To: Timothy I. McGinnis
Cc: 'keycloak-user(a)lists.jboss.org'
Subject: Re: [keycloak-user] Cannot get SPNEGO authentication working
Hi Timothy,
I found something related to your issue here[1]. There's also some old discussion
about it[2]. If that does not help, please provide more details about your setup like:
JDK, Keycloak and Windows version.
[1] - https://urldefense.proofpoint.com/v2/url?u=http-3A__stackoverflow.com_que...
[2] - https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.jboss.org_bro...
On 2016-09-13, Timothy I. McGinnis wrote:
Hello,
I am trying to set up SPNEGO authentication through Keycloak. I have
installed Keycloak on a windows server, configured a client as shown
below and set up the realm in jboss. But I consistently receive the
error message GSSException: Defective token detected (Mechanism level:
GSSHeader did not find the right tag). I am using IE 11, and the url
for the web app is
https://urldefense.proofpoint.com/v2/url?u=https-3A__gig-2Djboss-2Ddev.ajga.com-3A8443_CBN&d=DQIBaQ&c=Qb0olE_IjIsLMNlH6b5YluTmGZiju-02UIvJXbEjONI&r=kKLILH0GYnhZuFSDftuLgF3Jc50qGTYbQARhBMkNMLo&m=Fs7mlIk55kxRF6sKlYgSx4xVC2ovkEJKqekpFqJxzoE&s=0kT5k5hHs-h4uTXTxTND_ucBvdIZ7qXVSEiIxFclbZQ&e=
JBoss web app configuration in standalone.xml
======================================================
<subsystem xmlns="urn:jboss:domain:keycloak:1.1">
<secure-deployment name="cbn-war-17.0.0.16-SNAPSHOT.war">
<realm>master</realm>
<resource>CBN</resource>
<public-client>true</public-client>
<realm-public-key>(key from keycloak)</realm-public-key>
<auth-server-url>https://urldefense.proofpoint.com/v2/url?u=http-3A__gi...</auth-server-url>
<ssl-required>EXTERNAL</ssl-required>
</secure-deployment>
</subsystem>
Log file from keycloak server
========================================================
2016-09-13 10:47:31,792 INFO [stdout] (default task-19) Debug is true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator false KeyTab is c:\temp\keycloak.keytab refreshKrb5Config is false principal is HTTP/gig-msnet-dev.ajga.com(a)AJGA.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
2016-09-13 10:47:31,792 INFO [stdout] (default task-19) principal is HTTP/gig-msnet-dev.ajga.com(a)AJGA.COM
2016-09-13 10:47:31,792 INFO [stdout] (default task-19) Will use keytab
2016-09-13 10:47:31,807 INFO [stdout] (default task-19) Commit Succeeded
2016-09-13 10:47:31,807 INFO [stdout] (default task-19)
2016-09-13 10:47:31,807 WARN [org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator] (default task-19) SPNEGO login failed: java.security.PrivilegedActionException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:422)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:70)
    at org.keycloak.federation.kerberos.KerberosFederationProvider.validCredentials(KerberosFederationProvider.java:209)
    at org.keycloak.models.UserFederationManager.validCredentials(UserFederationManager.java:549)
    at org.keycloak.authentication.authenticators.browser.SpnegoAuthenticator.authenticate(SpnegoAuthenticator.java:89)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:183)
    at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:792)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:667)
    at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:139)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:341)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:160)
    at sun.reflect.GeneratedMethodAccessor360.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:285)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:264)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:175)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:792)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)
    at sun.security.jgss.GSSHeader.<init>(GSSHeader.java:97)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:306)
    at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:285)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator.establishContext(SPNEGOAuthenticator.java:174)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:137)
    at org.keycloak.federation.kerberos.impl.SPNEGOAuthenticator$AcceptSecContext.run(SPNEGOAuthenticator.java:127)
    ... 60 more
2016-09-13 10:47:31,839 INFO [stdout] (default task-19) [Krb5LoginModule]: Entering logout
2016-09-13 10:47:31,839 INFO [stdout] (default task-19) [Krb5LoginModule]: logged out Subject
----------------------------------------------------------------------
Confidentiality Notice: The information contained in this communication, including all
attachments, is legally protected information, confidential or proprietary information, or
a trade secret intended solely for the use of the intended recipient. The information may
also be subject to legal privilege. If you are not the intended recipient, you are hereby
notified that any use, disclosure, dissemination, distribution, forwarding, or copying of
this communication is strictly prohibited. If you have received this communication in
error, please notify the sender by reply Fax or e-mail stating the communication was
"received in error" and delete or destroy all copies of this communication,
including all attachments.
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Duser&d=DQIBaQ&c=Qb0olE_IjIsLMNlH6b5YluTmGZiju-02UIvJXbEjONI&r=kKLILH0GYnhZuFSDftuLgF3Jc50qGTYbQARhBMkNMLo&m=Fs7mlIk55kxRF6sKlYgSx4xVC2ovkEJKqekpFqJxzoE&s=WeKzK_B2KaMi7P2yHJVMRGoh9OULbhct7V2SgvfOcvo&e=
--
abstractj
PGP: 0x84DC9914