[jboss-user] [Security & JAAS/JBoss] - Re: Problems with SPNEGO

Antei do-not-reply at jboss.com
Tue Aug 5 06:59:47 EDT 2008


"darran.lofthouse at jboss.com" wrote : Developing the authenticator I did see a similar error, in my situation the client machine had cached an old ticket for the host so when the ticket was decoded there was a checksum problem.
  | 
  | In my situation logging out of the test client and back in caused the tickets to be correctly reloaded.
  | 
  | I would suggest doing this and possibly the same on the machine hosting JBoss as well.
  | 

Thank you, Darran, for your response.

Unfortunately your suggestion didn't help me.

I decided to describe the settings I made according to your User Guide. Maybe you will point out to me what is wrong...

In my last experiment I had configuration as below:

1st host: Windows 2003 Server 
   Host Name: ws2003e
   Domain:    mydomain.com
   Software:
      - Active Directory
      - DNS

2nd host: Windows 2003 Server
   Host Name: testserver
   Domain:    mydomain.com
   Software:
      - Active Directory (just second controller)
      - jdk1.6.0_06
      - jboss-4.2.2.GA

3rd host: Windows XP SP2
   Software:
      - IE 6.0

To model the real network configuration I am going to apply SPNEGO to, I have 2 domain controllers. But it doesn't matter, I think. All the tuning I did was on the 2nd host.

1. I created a 'testserver' user in Active Directory, entered the valid password 'c,jhybr1' and selected the 'Do not require Kerberos preauthentication' option.

2. Then I executed the commands as in User Guide:

C:\Tools\MS Windows tools\support>setspn.exe -a host/testserver.mydomain.com testserver
  | Registering ServicePrincipalNames for CN=TESTSERVER,OU=Domain Controllers,DC=mydomain,DC=com
  |         host/testserver.mydomain.com
  | Updated object
  | 
  | C:\Tools\MS Windows tools\support>setspn.exe -a HTTP/testserver.mydomain.com testserver
  | Registering ServicePrincipalNames for CN=TESTSERVER,OU=Domain Controllers,DC=mydomain,DC=com
  |         HTTP/testserver.mydomain.com
  | Updated object
  | 
  | C:\Tools\MS Windows tools\support>setspn -l testserver
  | Registered ServicePrincipalNames for CN=TESTSERVER,OU=Domain Controllers,DC=mydomain,DC=com:
  |     HTTP/testserver.mydomain.com
  |     GC/testserver.mydomain.com/mydomain.com
  |     HOST/testserver.mydomain.com/mydomain.com
  |     HOST/testserver.mydomain.com/MYDOMAIN
  |     ldap/c5439fc5-8c99-4e04-9046-498d9d5c635d._msdcs.mydomain.com
  |     ldap/testserver.mydomain.com/MYDOMAIN
  |     ldap/TESTSERVER
  |     ldap/testserver.mydomain.com
  |     ldap/testserver.mydomain.com/mydomain.com
  |     E3514235-4B06-11D1-AB04-00C04FC2DCD2/c5439fc5-8c99-4e04-9046-498d9d5c635d/mydomain.com
  |     NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/testserver.mydomain.com
  |     HOST/TESTSERVER
  |     HOST/testserver.mydomain.com
  | 


C:\Tools\MS Windows tools\support>ktpass -princ host/testserver@mydomain.com -pass c,jhybr1 -mapuser MYDOMAIN\testserver -out C:\testserver.host.keytab
  | 
  | Using legacy password setting method
  | WARNING: realm "mydomain.com" has lowercase characters in it.
  |          We only currently support realms in UPPERCASE.
  |          assuming you mean "MYDOMAIN.COM"...
  | Successfully mapped host/testserver to testserver.
  | WARNING: pType and account type do not match. This might cause  problems.
  | Key created.
  | Output keytab to C:\testserver.host.keytab:
  | Keytab version: 0x502
  | keysize 63 host/testserver@MYDOMAIN.COM ptype 0 (KRB5_NT_UNKNOWN) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0x83b49186a15ae791f11bb029fb59a206)
  | 

After the 'ktpass' command the 'C:\testserver.host.keytab' file was created and its length was 69 bytes.
Then I ran the 'ktab' command

C:\Program Files\Java\jdk1.6.0_06\bin>ktab -k c:\testserver.host.keytab -a testserver@MYDOMAIN.COM
  | Password for testserver@MYDOMAIN.COM:c,jhybr1
  | Done!
  | Service key for testserver@MYDOMAIN.COM is saved in c:\testserver.host.keytab
  | 

After 'ktab' the 'C:\testserver.host.keytab' file was overwritten and its length became 366 bytes.


I made JBoss settings as below:

jboss-4.2.2.GA/server/default/deploy/properties-service.xml:
  <mbean code="org.jboss.varia.property.SystemPropertiesService" name="jboss:type=Service,name=SystemProperties">
  |     <attribute name="Properties">
  |       java.security.krb5.kdc=testserver.mydomain.com
  |       java.security.krb5.realm=MYDOMAIN.COM
  |     </attribute>
  |   </mbean>


jboss-4.2.2.GA/server/default/deploy/jboss-web.deployer/META-INF/jboss-service.xml:
<server> 
  |    <mbean code="org.jboss.web.tomcat.service.JBossWeb" name="jboss.web:service=WebServer" xmbean-dd="META-INF/webserver-xmbean.xml">
  |       
  |       <attribute name="Authenticators" serialDataType="jbxb">
  |          <java:properties xmlns:java="urn:jboss:java-properties" xmlns:xs="http://www.w3.org/2001/XMLSchema-instance" xs:schemaLocation="urn:jboss:java-properties resource:java-properties_1_0.xsd">
  | 
  |             ...
  | 
  |             <java:property>
  |                 <java:key>SPNEGO</java:key>
  |                 <java:value>org.jboss.security.negotiation.spnego.SPNEGOAuthenticator</java:value>
  |             </java:property>
  |          </java:properties>
  |       </attribute> 
  | ...


jboss-4.2.2.GA/server/default/conf/login-config.xml:
	<application-policy name="host">
  | 		<authentication>
  | 			<login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="required">
  | 				<module-option name="storeKey">true</module-option>
  | 				<module-option name="useKeyTab">true</module-option>
  | 				<module-option name="principal">host/testserver@MYDOMAIN.COM</module-option>
  | 				<module-option name="keyTab">C:/testserver.host.keytab</module-option>
  | 				<module-option name="doNotPrompt">true</module-option>
  | 				<module-option name="debug">true</module-option>
  | 			</login-module>
  | 		</authentication>
  | 	</application-policy>
  | 
  | 
  | 	<application-policy name="SPNEGO">
  | 		<authentication>
  | 
  | 			<login-module code="org.jboss.security.negotiation.spnego.SPNEGOLoginModule" flag="requisite">
  | 				<module-option name="password-stacking">useFirstPass</module-option>
  | 				<module-option name="serverSecurityDomain">host</module-option>
  | 			</login-module>
  | 
  | 			<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
  | 				<module-option name="password-stacking">useFirstPass</module-option>
  | 				<module-option name="usersProperties">props/spnego-users.properties</module-option>
  | 				<module-option name="rolesProperties">props/spnego-roles.properties</module-option>
  | 			</login-module>
  | 
  | 		</authentication>
  | 	</application-policy>


I ran JBoss with the parameter --host=testserver.mydomain.com
After that I tried to access http://testserver.mydomain.com:8080/jboss-negotiation-toolkit from the 3rd host (Windows XP, IE 6.0):
- Basic Negotiation - passed
- Security Domain Test - passed
- Secured - failed

What is wrong in my settings?
Thanx in advance.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4168698#4168698

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4168698
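The post's two keytab runs are worth checking mechanically: ktpass wrote a 69-byte keytab holding one RC4 key for host/testserver@MYDOMAIN.COM, and ktab then overwrote that file with keys for testserver@MYDOMAIN.COM, while login-config.xml asks Krb5LoginModule (useKeyTab=true) for host/testserver@MYDOMAIN.COM, a principal that can only be used if the keytab actually contains a key stored under exactly that name. As an added example (not code from the original post or from JBoss Negotiation), the Python script below parses an MIT-format keytab (version 0x0502, the format both ktpass and ktab write) and rebuilds the two files from constructed sample data: the principal names, kvno 4 and RC4 etype come from the post; the key bytes, timestamps and the exact set of entries ktab wrote are assumptions.

```python
"""Inspect an MIT-format Kerberos keytab (file format version 0x0502).

Added example, not code from the original post or from JBoss Negotiation.
It rebuilds the two keytab files the post describes from constructed sample
data (principal names are the post's; key bytes, timestamps and the ktab
entry set are made up) and checks which principal a keytab really holds.
"""
import struct

KEYTAB_VERSION = 0x0502
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac (RC4-HMAC)",
}


def _counted(s: bytes) -> bytes:
    """Keytab counted_octet_string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(s)) + s


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_entry(principal: str, etype: int, kvno: int, key: bytes,
                name_type: int = 0, timestamp: int = 0) -> bytes:
    """Serialise one entry the way ktpass does: 8-bit vno, no 32-bit vno trailer."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))            # v2 count excludes the realm
    body += _counted(realm.encode())
    for comp in comps:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", etype, len(key)) + key
    return struct.pack(">i", len(body)) + body      # int32 size prefix, then the entry


def build_keytab(entries) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(build_entry(*e) for e in entries)


def parse_keytab(data: bytes):
    """Return one dict per live entry, in file order."""
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                                # deleted slot: skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if end - pos >= 4:                          # optional 32-bit vno overrides the byte
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            vno = vno32 or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "kvno": vno, "etype": etype,
                        "etype_name": ETYPE_NAMES.get(etype, str(etype)),
                        "key": key})
        pos = end
    return entries


def has_principal(data: bytes, principal: str) -> bool:
    """True if some entry is for exactly this principal (exact, case-sensitive match)."""
    return any(e["principal"] == principal for e in parse_keytab(data))


# Constructed sample data modelled on the post's two runs (keys and timestamps made up).
KTPASS_KEYTAB = build_keytab([
    ("host/testserver@MYDOMAIN.COM", 23, 4, bytes(range(16))),   # what ktpass wrote: 69 bytes
])
KTAB_KEYTAB = build_keytab([            # what 'ktab -a testserver@MYDOMAIN.COM' left behind
    ("testserver@MYDOMAIN.COM", 1, 4, bytes(range(8))),
    ("testserver@MYDOMAIN.COM", 23, 4, bytes(range(16))),
])
REQUIRED = "host/testserver@MYDOMAIN.COM"   # the 'principal' option in login-config.xml

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else KTAB_KEYTAB
    for e in parse_keytab(data):
        print(f"{e['principal']:40} kvno {e['kvno']:<3} {e['etype_name']}")
    print("keytab has", REQUIRED, ":", has_principal(data, REQUIRED))
```

Run it against a real file with `python keytab_check.py C:\testserver.host.keytab` (the JDK's `ktab -l -k <file>` lists the same principals). The parser follows the keytab layout rather than trusting tool output: the host/testserver entry built here is the 63-byte body ktpass reported, plus its 4-byte size prefix and the 2-byte header, which is exactly the 69 bytes the post measured.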
