[jboss-jira] [JBoss JIRA] (WFLY-7994) Legacy Kerberos in management, EAP search for HTTPS/localhost ticket

Martin Choma (JIRA) issues at jboss.org
Mon Jan 30 08:39:00 EST 2017


Martin Choma created WFLY-7994:
----------------------------------

             Summary: Legacy Kerberos in management, EAP search for HTTPS/localhost ticket
                 Key: WFLY-7994
                 URL: https://issues.jboss.org/browse/WFLY-7994
             Project: WildFly
          Issue Type: Bug
          Components: Security
            Reporter: Martin Choma
            Assignee: Darran Lofthouse
            Priority: Blocker


Accessing the management interface secured by Kerberos + TLS causes EAP to request a ticket for HTTPS/localhost from the KDC. This was not necessary in EAP 7.0, and it worked fine with the HTTP/localhost service name.

{code:title=server.log}
14:20:19,321 TRACE [org.jboss.as.domain.management.security] (management task-7) No mapping for name 'https/localhost.localdomain' to KeytabService, attempting to use host only match.
14:20:19,322 TRACE [org.jboss.as.domain.management.security] (management task-7) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
14:20:19,322 INFO  [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,323 INFO  [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,323 INFO  [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,323 INFO  [stdout] (management task-7) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,524 WARN  [org.apache.directory.server.protocol.shared.kerberos.StoreUtils] (NioDatagramAcceptor-3) No server entry found for kerberos principal name HTTPS/localhost.localdomain@JBOSS.ORG
14:20:19,524 WARN  [org.apache.directory.server.KERBEROS_LOG] (NioDatagramAcceptor-3) No server entry found for kerberos principal name HTTPS/localhost.localdomain@JBOSS.ORG
14:20:19,524 WARN  [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] (NioDatagramAcceptor-3) Server not found in Kerberos database (7)
14:20:19,525 WARN  [org.apache.directory.server.KERBEROS_LOG] (NioDatagramAcceptor-3) Server not found in Kerberos database (7)
14:20:19,528 WARN  [org.apache.http.impl.auth.HttpAuthenticator] (main) NEGOTIATE authentication error: No valid credentials provided (Mechanism level: No valid credentials provided (Mechanism level: Server not found in Kerberos database (7) - Server not found in Kerberos database))
14:20:19,532 TRACE [org.jboss.as.domain.management.security] (management task-9) No mapping for name 'https/localhost.localdomain' to KeytabService, attempting to use host only match.
14:20:19,532 TRACE [org.jboss.as.domain.management.security] (management task-9) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
14:20:19,533 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,533 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,533 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
14:20:19,533 INFO  [stdout] (management task-9) Found KeyTab /home/mchoma/workspace/git-repositories/tests-ldap-kerberos-eap7/eap7/target/krb/krb.2269988831769483313.keytab for HTTP/localhost.localdomain@JBOSS.ORG
		[Krb5LoginModule]: Entering logout
		[Krb5LoginModule]: logged out Subject
{code}

Also see the network dump krb_https_management.pcap in the attachment, where the TGS-REQ for HTTPS/localhost is captured.
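
The following triage script is an added example, not part of the original report or of WildFly: it scans a log in the format shown above and reports every service principal the KDC rejected whose host and realm match a keytab principal the server selected, but whose service class differs (here HTTPS versus HTTP). The function and constant names are assumptions, and the sample lines are constructed from the excerpt above.

```python
import re

# Constructed sample, modelled on the server.log excerpt in the report.
SAMPLE_LOG = """\
14:20:19,321 TRACE [org.jboss.as.domain.management.security] (management task-7) No mapping for name 'https/localhost.localdomain' to KeytabService, attempting to use host only match.
14:20:19,322 TRACE [org.jboss.as.domain.management.security] (management task-7) Selected KeytabService with principal 'HTTP/localhost.localdomain@JBOSS.ORG' for host 'localhost.localdomain'
14:20:19,524 WARN  [org.apache.directory.server.KERBEROS_LOG] (NioDatagramAcceptor-3) No server entry found for kerberos principal name HTTPS/localhost.localdomain@JBOSS.ORG
14:20:19,525 WARN  [org.apache.directory.server.KERBEROS_LOG] (NioDatagramAcceptor-3) Server not found in Kerberos database (7)
"""

# service/host@REALM; mailing-list archives may render '@' as ' at ', so accept both.
PRINCIPAL = r"(?P<svc>[^/\s']+)/(?P<host>[^@\s']+)(?:@| at )(?P<realm>[^\s']+)"
SELECTED = re.compile(r"Selected KeytabService with principal '" + PRINCIPAL + "'")
UNKNOWN = re.compile(r"No server entry found for kerberos principal name " + PRINCIPAL)


def find_service_class_mismatches(log_text):
    """Return KDC-rejected SPNs that share host and realm with a selected
    keytab principal but use a different service class."""
    keytab = {}    # (host, realm) -> service classes the server selected
    rejected = []  # (svc, host, realm), de-duplicated, in order first seen
    for line in log_text.splitlines():
        m = SELECTED.search(line)
        if m:
            keytab.setdefault((m["host"].lower(), m["realm"].upper()), set()).add(m["svc"])
        m = UNKNOWN.search(line)
        if m:
            entry = (m["svc"], m["host"], m["realm"])
            if entry not in rejected:
                rejected.append(entry)

    findings = []
    for svc, host, realm in rejected:
        held = keytab.get((host.lower(), realm.upper()), set())
        # Service class is compared case-sensitively, as Kerberos names are.
        if held and svc not in held:
            findings.append({
                "requested": f"{svc}/{host}@{realm}",
                "keytab": sorted(f"{s}/{host}@{realm}" for s in held),
            })
    return findings


if __name__ == "__main__":
    for finding in find_service_class_mismatches(SAMPLE_LOG):
        print("KDC rejected", finding["requested"], "- server keytab holds", finding["keytab"])
```
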



