[jboss-user] [Security & JAAS/JBoss] - Problems with SPNEGO

Antei do-not-reply at jboss.com
Fri Aug 1 11:53:58 EDT 2008


I have carefully read the manual (User Guide for JBoss Negotiation) and set up the test network for using SPNEGO:

- 1st host - Windows 2003 Adv Server (Active Directory and DNS)
- 2nd host - Windows 2003 Adv Server (jboss-4.2.2.GA with all needed modules and negotiation toolkit)
- 3rd host - Windows XP (just for accessing from the browser)

Then I tried to run Negotiation Toolkit. Results:
- Basic Negotiation - passed
- Security Domain Test - passed
- Secured - failed

Could you explain to me what the problem is?
Thanks in advance!

The stack trace on JBoss was:

  | 2008-08-01 16:41:52,621 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Logged in 'host' LoginContext
  | 2008-08-01 16:41:52,621 INFO  [STDOUT]          [Krb5LoginModule]: Entering logout
  | 2008-08-01 16:41:52,636 INFO  [STDOUT]          [Krb5LoginModule]: logged out Subject
  | 2008-08-01 16:41:52,636 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[]
  | 2008-08-01 16:41:52,636 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[Administrator@MYDOMAIN.COM]
  | 2008-08-01 16:41:52,636 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] authenticated principal = null
  | 2008-08-01 16:41:52,652 INFO  [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] Header - Negotiate oYIJszCCCa+iggmrBIIJp2CCCaMGCSqGSIb3EgECAgEAboIJkjCCCY6gAwIBBaEDAgEOogcDBQAgAAAAo4IDzWGCA8kwggPFoAMCAQWhDhsMTVlET01BSU4uQ09NoiowKKADAgECoSEwHxsESFRUUBsXdGVzdHNlcnZlci5teWRvbWFpbi5jb22jggOAMIIDfKADAgEXoQMCAQOiggNuBIIDao5og
  | 
  | 
  | 2008-08-01 16:41:52,775 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] serverSecurityDomain=host
  | 2008-08-01 16:41:52,775 INFO  [STDOUT] Debug is  true storeKey true useTicketCache false useKeyTab true doNotPrompt true ticketCache is null isInitiator true KeyTab is C:/testserver.host.keytab refreshKrb5Config is false principal is host/testserver@MYDOMAIN.COM tryFirstPass is false useFirstPass is false storePass is false clearPass is false
  | 2008-08-01 16:41:52,791 INFO  [STDOUT] principal's key obtained from the keytab
  | 2008-08-01 16:41:52,806 INFO  [STDOUT] Acquire TGT using AS Exchange
  | 2008-08-01 16:41:52,806 INFO  [STDOUT] principal is host/testserver@MYDOMAIN.COM
  | 2008-08-01 16:41:52,822 INFO  [STDOUT] EncryptionKey: keyType=23 keyBytes (hex dump)=0000: 83 B4 91 86 A1 5A E7 91   F1 1B B0 29 FB 59 A2 06  .....Z.....).Y..
  | 2008-08-01 16:41:52,822 INFO  [STDOUT] Added server's keyKerberos Principal host/testserver@MYDOMAIN.COMKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
  | 0000: 83 B4 91 86 A1 5A E7 91   F1 1B B0 29 FB 59 A2 06  .....Z.....).Y..
  | 2008-08-01 16:41:52,837 INFO  [STDOUT]          [Krb5LoginModule] added Krb5Principal  host/testserver@MYDOMAIN.COM to Subject
  | 2008-08-01 16:41:52,837 INFO  [STDOUT] Commit Succeeded
  | 2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Subject = Subject:
  |         Principal: host/testserver@MYDOMAIN.COM
  |         Private Credential: Ticket (hex) =
  | 
  | 
  | 
  | 0000: 61 82 01 0B 30 82 01 07   A0 03 02 01 05 A1 0E 1B  a...0...........
  | 0010: 0C 4D 59 44 4F 4D 41 49   4E 2E 43 4F 4D A2 21 30  .MYDOMAIN.COM.!0
  | 0020: 1F A0 03 02 01 02 A1 18   30 16 1B 06 6B 72 62 74  ........0...krbt
  | 0030: 67 74 1B 0C 4D 59 44 4F   4D 41 49 4E 2E 43 4F 4D  gt..MYDOMAIN.COM
  | 0040: A3 81 CC 30 81 C9 A0 03   02 01 17 A1 03 02 01 02  ...0............
  | 0050: A2 81 BC 04 81 B9 83 9F   30 17 16 3D 68 C8 99 0D  ........0..=h...
  | 0060: 70 5F 7B F4 6A BD 6D 1E   B5 F5 2F 44 18 9C 98 1C  p_..j.m.../D....
  | 0070: B5 98 C0 52 60 82 0B 22   67 38 19 CB B9 C4 C6 98  ...R`.."g8......
  | 0080: 2C D9 E5 3B ED 55 ED 13   AB 45 43 1C D7 D4 1D AC  ,..;.U...EC.....
  | 0090: 9D B8 61 7B 97 BD F4 29   0A F5 8E D4 ED BA B2 7C  ..a....)........
  | 00A0: FC 34 36 15 52 19 AE A8   64 7D 91 36 53 0F 93 98  .46.R...d..6S...
  | 00B0: DA 48 18 FA 83 0A 22 15   97 34 37 41 8A F7 6F 47  .H...."..47A..oG
  | 00C0: 1E D0 22 F2 B4 5F 0D 79   51 93 DD 42 33 96 0E 67  ..".._.yQ..B3..g
  | 00D0: 5F 8B B2 6E 87 0E 6A 9F   50 42 A1 4E 7F 85 3B 9C  _..n..j.PB.N..;.
  | 00E0: 4D 01 94 A5 10 34 D8 1B   A4 53 9A 5A 46 6A 85 91  M....4...S.ZFj..
  | 00F0: 97 81 E6 F5 1B 62 C2 8D   8B 38 60 00 17 47 D9 00  .....b...8`..G..
  | 0100: 4D AD D5 D4 48 95 A4 93   C0 3E DB 7D 6A 9B 4E     M...H....>..j.N
  | 
  | Client Principal = host/testserver@MYDOMAIN.COM
  | Server Principal = krbtgt/MYDOMAIN.COM@MYDOMAIN.COM
  | Session Key = EncryptionKey: keyType=23 keyBytes (hex dump)=
  | 0000: 92 C3 CB F8 67 D8 31 B9   FE E8 68 7A 0C E7 67 74  ....g.1...hz..gt
  | 
  | 
  | Forwardable Ticket false
  | Forwarded Ticket false
  | Proxiable Ticket false
  | Proxy Ticket false
  | Postdated Ticket false
  | Renewable Ticket false
  | Initial Ticket false
  | Auth Time = Fri Aug 01 16:42:01 EEST 2008
  | Start Time = Fri Aug 01 16:42:01 EEST 2008
  | End Time = Sat Aug 02 02:42:01 EEST 2008
  | Renew Till = null
  | Client Addresses  Null
  |         Private Credential: Kerberos Principal host/testserver@MYDOMAIN.COMKey Version 4key EncryptionKey: keyType=23 keyBytes (hex dump)=
  | 0000: 83 B4 91 86 A1 5A E7 91   F1 1B B0 29 FB 59 A2 06  .....Z.....).Y..
  | 
  | 
  | 2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Logged in 'host' LoginContext
  | 2008-08-01 16:41:52,853 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Creating new GSSContext.
  | 2008-08-01 16:41:52,868 ERROR [STDERR] Checksum failed !
  | 2008-08-01 16:41:52,868 ERROR [org.jboss.security.negotiation.spnego.SPNEGOLoginModule] Unable to authenticate
  | GSSException: Failure unspecified at GSS-API level (Mechanism level: Checksum failed)
  |         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:741)
  |         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:323)
  |         at sun.security.jgss.GSSContextImpl.acceptSecContext(GSSContextImpl.java:267)
  |         at org.jboss.security.negotiation.spnego.SPNEGOLoginModule$AcceptSecContext.run(SPNEGOLoginModule.java:295)
  |         at java.security.AccessController.doPrivileged(Native Method)
  |         at javax.security.auth.Subject.doAs(Subject.java:337)
  |         at org.jboss.security.negotiation.spnego.SPNEGOLoginModule.login(SPNEGOLoginModule.java:113)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  |         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  |         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  |         at java.lang.reflect.Method.invoke(Method.java:597)
  |         at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  |         at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  |         at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  |         at java.security.AccessController.doPrivileged(Native Method)
  |         at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  |         at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  |         at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
  |         at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
  |         at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
  |         at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
  |         at org.jboss.security.negotiation.spnego.SPNEGOAuthenticator.authenticate(SPNEGOAuthenticator.java:103)
  |         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
  |         at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
  |         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
  |         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
  |         at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
  |         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
  |         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
  |         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
  |         at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
  |         at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
  |         at java.lang.Thread.run(Thread.java:619)
  | Caused by: KrbException: Checksum failed
  |         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:85)
  |         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:77)
  |         at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:168)
  |         at sun.security.krb5.KrbApReq.authenticate(KrbApReq.java:267)
  |         at sun.security.krb5.KrbApReq.<init>(KrbApReq.java:134)
  |         at sun.security.jgss.krb5.InitSecContextToken.<init>(InitSecContextToken.java:79)
  |         at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:724)
  |         ... 32 more
  | Caused by: java.security.GeneralSecurityException: Checksum failed
  |         at sun.security.krb5.internal.crypto.dk.ArcFourCrypto.decrypt(ArcFourCrypto.java:388)
  |         at sun.security.krb5.internal.crypto.ArcFourHmac.decrypt(ArcFourHmac.java:74)
  |         at sun.security.krb5.internal.crypto.ArcFourHmacEType.decrypt(ArcFourHmacEType.java:83)
  |         ... 38 more
  | 2008-08-01 16:41:53,038 INFO  [STDOUT]          [Krb5LoginModule]: Entering logout
  | 2008-08-01 16:41:53,038 INFO  [STDOUT]          [Krb5LoginModule]: logged out Subject
  | 2008-08-01 16:41:53,038 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[]
  | 2008-08-01 16:41:53,053 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[Administrator@MYDOMAIN.COM]
  | 2008-08-01 16:41:53,053 DEBUG [org.jboss.security.negotiation.spnego.SPNEGOAuthenticator] authenticated principal = null
  | 2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.arjuna.logging.arjLogger] Periodic recovery - first pass <Fri, 1 Aug 2008 16:42:48>
  | 2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.arjuna.logging.arjLogger] StatusModule: first pass
  | 2008-08-01 16:42:48,778 DEBUG [com.arjuna.ats.txoj.logging.txojLoggerI18N] [com.arjuna.ats.internal.txoj.recovery.TORecoveryModule_3] - TORecoveryModule - first pass
  | 

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4168214#4168214

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4168214
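The exception in the trace above is raised on the acceptor side of the Kerberos AP-REQ: KrbApReq.authenticate decrypts the ticket's enc-part with the key that Krb5LoginModule read from C:/testserver.host.keytab, and ArcFourHmacEType.decrypt reports "Checksum failed" when the HMAC over that data does not verify under that key. In practice that means the KDC sealed the ticket with a key other than the one in the keytab. The ticket says which key it expects, because the realm, the SPN the browser asked for, the encryption type and the key version number sit in cleartext DER in front of the encrypted part, and the "Header - Negotiate ..." line in the log carries exactly that. The script below is an added example, not part of the post, of JBoss Negotiation or of the JDK: it decodes those fields from the header as quoted in the post (re-joined across the wrapped log lines; the post cuts the token off after 221 characters, so the decoder only reads DER headers and never needs the cipher text or the authenticator) and compares them with the keytab facts the same log prints (principal host/testserver@MYDOMAIN.COM, Key Version 4, keyType=23). The DER walker, the comparison function and its wording are mine, and its output is a list of leads to verify against the domain, not a proven root cause.

```python
import base64
# Constructed from the post: the "Negotiate" header value SPNEGOAuthenticator logged,
# re-joined across the wrapped log lines (the post cuts it off after 221 characters).
TOKEN_FROM_POST = (
    "o"  # last character of the "Header - Negotiate o" log line
    "YIJszCCCa+iggmrBIIJp2CCCaMGCSqGSIb3EgECAgEAboIJkjCCCY6gAwIBBaEDAgEOogcDBQAgAAAAo4IDzWGCA8kwggPFoAMCAQWhDhsMTVl"
    "ET01BSU4uQ09NoiowKKADAgECoSEwHxsESFRUUBsXdGVzdHNlcnZlci5teWRvbWFpbi5jb22jggOAMIIDfKADAgEXoQMCAQOiggNuBIIDao5og"
)
KEYTAB_PRINCIPAL_FROM_POST = "host/testserver@MYDOMAIN.COM"  # from the Krb5LoginModule debug output
KEYTAB_KVNO_FROM_POST = 4                                     # "Key Version 4"
KEYTAB_ETYPE_FROM_POST = 23                                   # "keyType=23" = rc4-hmac
KRB5_MECH_OID = bytes.fromhex("2a864886f712010202")           # 1.2.840.113554.1.2.2

def read_tlv(buf, pos):
    """DER tag/length at buf[pos] -> (tag, length, content offset); needs only the header."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def enter(buf, pos, tag):
    """Check the tag at pos and return (length, offset of its content)."""
    t, length, off = read_tlv(buf, pos)
    if t != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}, found 0x{t:02x}")
    return length, off

def descend(buf, pos, *tags):
    """Enter nested elements with the given tags; return the innermost content offset."""
    for tag in tags:
        _, pos = enter(buf, pos, tag)
    return pos

def skip(buf, pos):
    _, length, off = read_tlv(buf, pos)
    return off + length
def read_int(buf, pos):
    length, off = enter(buf, pos, 0x02)
    return int.from_bytes(buf[off:off + length], "big", signed=True)
def read_string(buf, pos):
    length, off = enter(buf, pos, 0x1B)  # KerberosString is a GeneralString
    return buf[off:off + length].decode("ascii")

def parse_negotiate(header_b64):
    """Walk an 'Authorization: Negotiate <b64>' value down to the AP-REQ ticket header."""
    buf = base64.b64decode(header_b64[:len(header_b64) // 4 * 4])  # drop a cut-off group
    info = {}
    # NegotiationToken ::= CHOICE { negTokenInit [0], negTokenResp [1] }; [2] holds the GSS token
    tag, _, pos = read_tlv(buf, 0)
    info["spnego"] = {0xA0: "negTokenInit", 0xA1: "negTokenResp"}[tag]
    pos = descend(buf, pos, 0x30)
    while buf[pos] != 0xA2:
        pos = skip(buf, pos)
    # InitialContextToken ::= [APPLICATION 0] { mech OID, 2-byte TOK_ID (0100 = KRB_AP_REQ), AP-REQ }
    pos = descend(buf, pos, 0xA2, 0x04, 0x60)
    length, off = enter(buf, pos, 0x06)
    info["mech"] = "krb5" if buf[off:off + length] == KRB5_MECH_OID else buf[off:off + length].hex()
    pos = off + length + 2
    # AP-REQ ::= [APPLICATION 14] SEQUENCE { pvno [0], msg-type [1], ap-options [2], ticket [3], ... }
    pos = descend(buf, pos, 0x6E, 0x30)
    pos = skip(buf, skip(buf, skip(buf, pos)))  # pvno, msg-type, ap-options
    # Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }
    pos = descend(buf, pos, 0xA3, 0x61, 0x30)
    pos = skip(buf, pos)  # tkt-vno
    length, off = enter(buf, pos, 0xA1)
    info["realm"] = read_string(buf, off)
    pos = off + length
    # PrincipalName ::= SEQUENCE { name-type [0], name-string [1] SEQUENCE OF KerberosString }
    length, off = enter(buf, pos, 0xA2)
    p = skip(buf, descend(buf, off, 0x30))  # step over name-type
    slen, p = enter(buf, descend(buf, p, 0xA1), 0x30)
    parts, end = [], p + slen
    while p < end:
        parts.append(read_string(buf, p))
        p = skip(buf, p)
    info["sname"] = "/".join(parts)
    pos = off + length
    # EncryptedData ::= SEQUENCE { etype [0], kvno [1] OPTIONAL, cipher [2] }
    pos = descend(buf, pos, 0xA3, 0x30)
    info["etype"] = read_int(buf, descend(buf, pos, 0xA0))
    tag, _, off = read_tlv(buf, skip(buf, pos))
    info["kvno"] = read_int(buf, off) if tag == 0xA1 else None
    return info

def compare_with_keytab(ticket, keytab_principal, keytab_kvno, keytab_etype):
    """Mismatches that leave the ticket's enc-part undecryptable with the loaded key."""
    findings = []
    name, _, realm = keytab_principal.partition("@")
    if ticket["realm"] != realm:
        findings.append(f"realm: ticket {ticket['realm']}, keytab {realm}")
    if ticket["etype"] != keytab_etype:
        findings.append(f"etype: ticket {ticket['etype']}, keytab {keytab_etype}")
    if ticket["kvno"] is not None and ticket["kvno"] != keytab_kvno:
        findings.append(f"kvno: ticket sealed under key version {ticket['kvno']}, keytab holds version {keytab_kvno}")
    if ticket["sname"] != name:
        findings.append(f"spn: ticket is for {ticket['sname']}, keytab entry is {name}; both must be SPNs of one account")
    return findings

if __name__ == "__main__":
    ticket = parse_negotiate(TOKEN_FROM_POST)
    print(ticket, *compare_with_keytab(ticket, KEYTAB_PRINCIPAL_FROM_POST, KEYTAB_KVNO_FROM_POST, KEYTAB_ETYPE_FROM_POST), sep="\n")
```

Run stand-alone, it reports a ticket for HTTP/testserver.mydomain.com in realm MYDOMAIN.COM, etype 23 (rc4-hmac), sealed under key version 3, and two mismatches against the keytab: the kvno (3 in the ticket, 4 in the keytab) and the SPN (HTTP/testserver.mydomain.com in the ticket, host/testserver in the keytab). Either one explains the exception on its own: a key version that differs from the keytab's means a different key, and an HTTP/ SPN registered on a different account than the one the keytab was exported from means the KDC used that account's key. The things to check are which account setspn -L shows as the owner of HTTP/testserver.mydomain.com and whether the keytab was produced by ktpass from that account's current password. One caveat on the trace itself: with debug=true the Krb5LoginModule prints the keytab key and the session key in clear, and for an AD account the rc4-hmac (keyType=23) key is the NT hash of the account password, so a trace like this one is a credential disclosure and the account password should be changed before the trace is shared.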



More information about the jboss-user mailing list